[SECURITY] Fedora EPEL 4 Update: proftpd-1.3.2d-1.el4
updates at fedoraproject.org
updates at fedoraproject.org
Fri Mar 12 00:04:22 UTC 2010
--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2010-2293
2010-02-22 22:00:45
--------------------------------------------------------------------------------
Name : proftpd
Product : Fedora EPEL 4
Version : 1.3.2d
Release : 1.el4
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.
This package defaults to the standalone behaviour of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.
--------------------------------------------------------------------------------
Update Information:
This update addresses CVE-2009-3555 (SSL/TLS renegotiation vulnerability),
mitigating the problem by refusing all client-initiated SSL/TLS session
renegotiations. This update to the latest maintenance release also fixes a
number of bugs recorded in the proftpd bug tracker: * SSL/TLS renegotiation
vulnerability (CVE-2009-3555, bug 3324) * Failed database transaction can cause
mod_quotatab to loop (bug 3228) * Segfault in mod_wrap (bug 3332) *
<Directory> sections can have <Limit> problems (bug 3337) * mod_wrap2 segfaults
when a valid user retries the USER command (bug 3341) * modauthfile handles
'getgroups' request incorrectly (bug 3347) * Segfault caused by scrubbing zero-
length portion of memory (bug 3350) * Lack of PID protection in ScoreboardFile
(bug 3370) * Crash when retrying a failed login with mod_radius being used
(bug 3372) * RADIUS authentication broken on 64-bit platforms (bug 3381) *
SIGHUP eventually causes certain DSO modules to segfault (bug 3387) Finally,
the behaviour of the MLSD FTP command (used in many modern FTP clients to list
directories) is fixed for the case when the FTP server's configuration disallows
its usage (using a <Limit> clause) in some but not all places (#544002).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
https://bugzilla.redhat.com/show_bug.cgi?id=533125
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora EPEL GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the epel-package-announce
mailing list