Bug 11282

Summary: proftpd new security issue CVE-2013-4359
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/568126/
Whiteboard: mga2too MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: proftpd-1.3.4c-1.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-09-24 19:06:38 CEST
Fedora has issued an advisory on September 15:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/116668.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated proftpd packages fix security vulnerability:

A bug in ProFTPd's mod_sftp and mod_sftp_pam modules can be used to trigger
a large heap allocation and exhaust all available system memory of the
underlying operating system (CVE-2013-4359).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4359
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/116668.html
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.3g-1.3.mga2
proftpd-devel-1.3.3g-1.3.mga2
proftpd-mod_ctrls_admin-1.3.3g-1.3.mga2
proftpd-mod_ifsession-1.3.3g-1.3.mga2
proftpd-mod_ldap-1.3.3g-1.3.mga2
proftpd-mod_quotatab-1.3.3g-1.3.mga2
proftpd-mod_quotatab_file-1.3.3g-1.3.mga2
proftpd-mod_quotatab_ldap-1.3.3g-1.3.mga2
proftpd-mod_quotatab_sql-1.3.3g-1.3.mga2
proftpd-mod_quotatab_radius-1.3.3g-1.3.mga2
proftpd-mod_radius-1.3.3g-1.3.mga2
proftpd-mod_ratio-1.3.3g-1.3.mga2
proftpd-mod_rewrite-1.3.3g-1.3.mga2
proftpd-mod_site_misc-1.3.3g-1.3.mga2
proftpd-mod_sql-1.3.3g-1.3.mga2
proftpd-mod_sql_mysql-1.3.3g-1.3.mga2
proftpd-mod_sql_postgres-1.3.3g-1.3.mga2
proftpd-mod_sql_passwd-1.3.3g-1.3.mga2
proftpd-mod_tls-1.3.3g-1.3.mga2
proftpd-mod_autohost-1.3.3g-1.3.mga2
proftpd-mod_case-1.3.3g-1.3.mga2
proftpd-mod_gss-1.3.3g-1.3.mga2
proftpd-mod_load-1.3.3g-1.3.mga2
proftpd-mod_shaper-1.3.3g-1.3.mga2
proftpd-mod_time-1.3.3g-1.3.mga2
proftpd-mod_wrap-1.3.3g-1.3.mga2
proftpd-mod_wrap_file-1.3.3g-1.3.mga2
proftpd-mod_wrap_sql-1.3.3g-1.3.mga2
proftpd-mod_ban-1.3.3g-1.3.mga2
proftpd-mod_vroot-1.3.3g-1.3.mga2
proftpd-mod_sftp-1.3.3g-1.3.mga2
proftpd-1.3.4c-2.1.mga3
proftpd-devel-1.3.4c-2.1.mga3
proftpd-mod_ctrls_admin-1.3.4c-2.1.mga3
proftpd-mod_ifsession-1.3.4c-2.1.mga3
proftpd-mod_ldap-1.3.4c-2.1.mga3
proftpd-mod_quotatab-1.3.4c-2.1.mga3
proftpd-mod_quotatab_file-1.3.4c-2.1.mga3
proftpd-mod_quotatab_ldap-1.3.4c-2.1.mga3
proftpd-mod_quotatab_sql-1.3.4c-2.1.mga3
proftpd-mod_quotatab_radius-1.3.4c-2.1.mga3
proftpd-mod_radius-1.3.4c-2.1.mga3
proftpd-mod_ratio-1.3.4c-2.1.mga3
proftpd-mod_rewrite-1.3.4c-2.1.mga3
proftpd-mod_site_misc-1.3.4c-2.1.mga3
proftpd-mod_sql-1.3.4c-2.1.mga3
proftpd-mod_sql_mysql-1.3.4c-2.1.mga3
proftpd-mod_sql_postgres-1.3.4c-2.1.mga3
proftpd-mod_sql_sqlite-1.3.4c-2.1.mga3
proftpd-mod_sql_passwd-1.3.4c-2.1.mga3
proftpd-mod_tls-1.3.4c-2.1.mga3
proftpd-mod_tls_shmcache-1.3.4c-2.1.mga3
proftpd-mod_tls_memcache-1.3.4c-2.1.mga3
proftpd-mod_autohost-1.3.4c-2.1.mga3
proftpd-mod_case-1.3.4c-2.1.mga3
proftpd-mod_gss-1.3.4c-2.1.mga3
proftpd-mod_load-1.3.4c-2.1.mga3
proftpd-mod_shaper-1.3.4c-2.1.mga3
proftpd-mod_time-1.3.4c-2.1.mga3
proftpd-mod_wrap-1.3.4c-2.1.mga3
proftpd-mod_wrap_file-1.3.4c-2.1.mga3
proftpd-mod_wrap_sql-1.3.4c-2.1.mga3
proftpd-mod_ban-1.3.4c-2.1.mga3
proftpd-mod_vroot-1.3.4c-2.1.mga3
proftpd-mod_sftp-1.3.4c-2.1.mga3
proftpd-mod_sftp_pam-1.3.4c-2.1.mga3
proftpd-mod_sftp_sql-1.3.4c-2.1.mga3
proftpd-mod_memcache-1.3.4c-2.1.mga3

from SRPMS:
proftpd-1.3.3g-1.3.mga2.src.rpm
proftpd-1.3.4c-2.1.mga3.src.rpm

Comment 1 Dave Hodgins 2013-09-24 20:53:03 CEST
Advisory 11282.adv committed to svn and mga2too added to whiteboard.

CC: (none) => davidwhodgins
Whiteboard: (none) => mga2too

Comment 2 Dave Hodgins 2013-09-24 23:56:09 CEST
No poc, so just testing that the server is working.
Testing complete both releases, both arches.

Someone from the sysadmin team please push 11282.adv to updates.

Keywords: (none) => validated_update
Whiteboard: mga2too => mga2too MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 3 Thomas Backlund 2013-10-05 20:04:10 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0295.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED