[SECURITY] Fedora 22 Update: proftpd-1.3.5a-5.fc22

updates at fedoraproject.org
Sat Dec 12 01:57:30 UTC 2015

Fedora Update Notification
2015-12-11 21:20:33.551627

Name        : proftpd
Product     : Fedora 22
Version     : 1.3.5a
Release     : 5.fc22
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.

Update Information:

Part of the SFTP handshake involves "extensions", which are key/value pairs
comprised of strings. In SSH, a string is encoded for network transport as a
32-bit big-endian length followed by that many bytes. Before this update, the
mod_sftp module placed no bound on the length of these extension key/value
strings when reading them from the network. A malicious client can therefore
send a large length value and make the server allocate far more memory than
the data it actually sent warrants, causing excessive resource usage or a crash
of the FTP daemon.  This update limits the amount of memory allocated to
handle these extensions.
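
How the length field drives the allocation, as an added example in C that is
not ProFTPD's code: a reader that trusts the 32-bit length field the way the
flawed mod_sftp did, beside a bounded reader that rejects a length above a cap
or beyond the end of the packet before anything is allocated. The
count-then-pairs layout follows the SFTP "extended" attribute form; the
1024-byte cap, the 32-pair cap, the function names and the two sample packets
are assumptions for illustration, and the advisory does not state the limit
the real fix uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed caps for illustration; the advisory does not give the real values. */
#define EXT_MAX_LEN   1024u   /* longest key or value accepted */
#define EXT_MAX_PAIRS 32u     /* most key/value pairs accepted */

struct ssh_str {
    const unsigned char *p;   /* points into the packet buffer, not copied */
    uint32_t len;
};

/* SSH uint32: four bytes, network (big-endian) byte order. */
static uint32_t rd_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unbounded behaviour: report the size the server would allocate for the
 * string at offset off, trusting the length field exactly as the flawed code
 * did. Returns -1 only when the 4-byte length header itself is missing. */
int64_t unbounded_alloc_size(const unsigned char *buf, size_t buflen, size_t off) {
    if (off > buflen || buflen - off < 4) return -1;
    return (int64_t)rd_u32(buf + off);   /* attacker-chosen, up to 4 GiB */
}

/* Bounded reader: validate the length against the cap and against the bytes
 * actually present before anything is allocated. 0 on success, -1 on reject. */
int read_ssh_string(const unsigned char *buf, size_t buflen, size_t *off,
                    uint32_t max_len, struct ssh_str *out) {
    if (*off > buflen || buflen - *off < 4) return -1;
    uint32_t len = rd_u32(buf + *off);
    if (len > max_len) return -1;              /* the bound the fix adds */
    if (len > buflen - *off - 4) return -1;    /* claims more bytes than sent */
    out->p = buf + *off + 4;
    out->len = len;
    *off += 4 + len;
    return 0;
}

/* Parse "uint32 count, then count (key, value) pairs". Returns the number of
 * pairs parsed, or -1 if the count, any string, or the packet length is bad. */
int parse_extensions(const unsigned char *buf, size_t buflen,
                     struct ssh_str *keys, struct ssh_str *vals, size_t max_pairs) {
    if (buflen < 4) return -1;
    uint32_t count = rd_u32(buf);
    size_t off = 4;
    if (count > max_pairs) return -1;          /* bound the pair count as well */
    for (uint32_t i = 0; i < count; i++) {
        if (read_ssh_string(buf, buflen, &off, EXT_MAX_LEN, &keys[i]) != 0) return -1;
        if (read_ssh_string(buf, buflen, &off, EXT_MAX_LEN, &vals[i]) != 0) return -1;
    }
    return off == buflen ? (int)count : -1;    /* no trailing bytes allowed */
}

/* Constructed sample packets, not captured from a real session. */
/* One pair: key "vendor-id", value "x". */
const unsigned char good_pkt[] = {
    0,0,0,1,
    0,0,0,9, 'v','e','n','d','o','r','-','i','d',
    0,0,0,1, 'x'
};
/* One pair whose key length field claims 0xFFFFFFFF bytes; only 3 follow. */
const unsigned char evil_pkt[] = {
    0,0,0,1,
    0xFF,0xFF,0xFF,0xFF, 'a','b','c'
};

/* Scratch output arrays shared by the demo. */
struct ssh_str ext_keys[EXT_MAX_PAIRS], ext_vals[EXT_MAX_PAIRS];

/* Run both packets through both readers; 0 when the bounded parser accepts
 * the good packet and rejects the malicious one. */
int demo(void) {
    int good = parse_extensions(good_pkt, sizeof good_pkt, ext_keys, ext_vals, EXT_MAX_PAIRS);
    printf("good packet: %d pair(s), first key \"%.*s\"\n",
           good, (int)ext_keys[0].len, (const char *)ext_keys[0].p);
    int evil = parse_extensions(evil_pkt, sizeof evil_pkt, ext_keys, ext_vals, EXT_MAX_PAIRS);
    int64_t would = unbounded_alloc_size(evil_pkt, sizeof evil_pkt, 4);
    printf("evil packet: bounded parser returned %d; unbounded code would allocate %llu bytes\n",
           evil, (unsigned long long)would);
    return (good == 1 && evil == -1) ? 0 : 1;
}

int main(void) { return demo(); }
```

The bounded reader checks the length twice on purpose: against the cap, so
that a legitimate-looking but huge value cannot drive a large allocation, and
against the bytes remaining in the packet, so that a value that is under the
cap but still larger than what was sent cannot make the parser read past the
buffer. Capping the pair count closes the same hole one level up, since many
small strings add up the same way one large one does.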

  [ 1 ] Bug #1286977 - proftpd: unbounded SFTP extended attribute key/values

This update can be installed with the "yum" update program. Use
su -c 'yum update proftpd' at the command line. Fedora 22 ships dnf as its
default package manager, and su -c 'dnf update proftpd' installs the same
update. For more information, refer to "Managing Software with yum",
available at https://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at

More information about the package-announce mailing list