[SECURITY] Fedora 23 Update: proftpd-1.3.5a-5.fc23

updates at fedoraproject.org
Fri Dec 11 23:59:56 UTC 2015


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-7a89e8db70
2015-12-11 21:22:18.597952
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 23
Version     : 1.3.5a
Release     : 5.fc23
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

--------------------------------------------------------------------------------
Update Information:

Part of the SFTP handshake involves "extensions", which are key/value pairs
made up of strings. In SSH, a string is encoded for network transport as a
32-bit length followed by that many bytes. The mod_sftp module currently places
no bounds or length limits on these SFTP extension keys and values when reading
them from the network. A malicious client can therefore declare very large
lengths, causing the server to allocate far more memory than necessary and
leading to excessive resource usage or a crash of the FTP daemon. This update
limits the amount of memory allocated to handle these extensions.
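As an added illustration, not code from ProFTPD or from this advisory: a bounded reader for the SSH string encoding described above, which walks the extension key/value pairs and rejects any field whose declared 32-bit length exceeds a per-field cap or the bytes actually received, so the declared length never drives an allocation. The caps, function names and sample payloads are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical caps for illustration, not ProFTPD's actual limits. */
#define MAX_EXT_STR_LEN 1024u
#define MAX_EXT_PAIRS   32

/* Reads one SSH wire "string": uint32 big-endian length, then that many bytes.
 * Returns 1 and advances *off on success; returns 0 when the declared length
 * exceeds the per-field cap or the bytes actually present in the buffer. */
static int read_ssh_string(const uint8_t *buf, size_t buflen, size_t *off,
                           const uint8_t **out, uint32_t *outlen)
{
    if (buflen - *off < 4)
        return 0;
    uint32_t len = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16)
                 | ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    if (len > MAX_EXT_STR_LEN || len > buflen - *off)
        return 0;
    *out = buf + *off;
    *outlen = len;
    *off += len;
    return 1;
}

/* Parses extension name/value pairs from an SFTP INIT/VERSION payload.
 * Returns the number of pairs accepted, or -1 on malformed or oversized input. */
int parse_sftp_extensions(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int count = 0;
    while (off < buflen) {
        const uint8_t *k, *v;
        uint32_t klen, vlen;
        if (count >= MAX_EXT_PAIRS
            || !read_ssh_string(buf, buflen, &off, &k, &klen)
            || !read_ssh_string(buf, buflen, &off, &v, &vlen))
            return -1;
        count++;
    }
    return count;
}

/* Constructed sample payloads (not real traffic): one well-formed pair, one
 * with a 4 GiB declared length, one whose declared length exceeds the packet. */
static const uint8_t ok_pkt[]    = {0,0,0,2,'a','b', 0,0,0,1,'c'};
static const uint8_t huge_pkt[]  = {0xff,0xff,0xff,0xff, 'a','b','c'};
static const uint8_t short_pkt[] = {0,0,0,5,'a'};
int demo_valid(void)       { return parse_sftp_extensions(ok_pkt, sizeof ok_pkt); }       /* 1 */
int demo_huge_length(void) { return parse_sftp_extensions(huge_pkt, sizeof huge_pkt); }   /* -1 */
int demo_truncated(void)   { return parse_sftp_extensions(short_pkt, sizeof short_pkt); } /* -1 */
```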
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1286977 - proftpd: unbounded SFTP extended attribute key/values
        https://bugzilla.redhat.com/show_bug.cgi?id=1286977
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------