| Summary: | proftpd new security issue CVE-2016-3125 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, lists.jjorge, marja11, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/680795/ | ||
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | proftpd-1.3.5-5.1.mga5.src.rpm | CVE: | CVE-2016-3125 |
| Status comment: | | | |
Description
David Walser
2016-03-11 20:44:43 CET
Fedora has issued an advisory for this on March 20: https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179143.html
David Walser
2016-03-21 18:50:58 CET
URL: (none) => http://lwn.net/Vulnerabilities/680795/

Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11

I agree with the update to 1.3.5b. David, I can do that if you want...

Status: NEW => ASSIGNED

(In reply to José Jorge from comment #3)
> I agree with the update to 1.3.5b. David, I can do that if you want...

Please do. Thanks.

I have uploaded a 1.3.5b package for Mageia 5. You can test this by connecting by ftp to localhost ;-)

Suggested advisory:
========================

Updated proftpd packages fix security vulnerabilities:

A CVE has been assigned for a security issue in proftpd's mod_tls. This update also brings as a bonus other bugfixes of the 1.3.5b version:
+ SSH RSA hostkeys smaller than 2048 bits now work properly.
+ MLSD response lines are now properly CRLF terminated.
+ Fixed selection of DH groups from TLSDHParamFile.

References:
http://openwall.com/lists/oss-security/2016/03/11/14
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b
========================

Updated packages in {core,tainted}/updates_testing:
========================
proftpd-1.3.5b-1.mga5
proftpd-mod{*}1.3.5b-1.mga5
proftpd-devel-1.3.5b-1.mga5

Source RPMs:
proftpd-1.3.5b-1.mga5
José Jorge
2016-03-30 18:13:23 CEST
Assignee: pkg-bugs => qa-bugs
José Jorge
2016-03-30 18:13:54 CEST
CVE: (none) => CVE-2016-3125

Thanks José!

Suggested advisory:
========================

Updated proftpd packages fix security vulnerability:

A bug with security implications was found in the mod_tls module in ProFTPD before 1.3.5b. This module has a configuration option TLSDHParamFile to specify user-defined Diffie-Hellman parameters. The software would ignore the user-defined parameters and use Diffie-Hellman key exchanges with 1024 bits (CVE-2016-3125).

The proftpd package has been updated to version 1.3.5b, which fixes this issue and other bugs, including:
- SSH RSA hostkeys smaller than 2048 bits now work properly.
- MLSD response lines are now properly CRLF terminated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3125
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179143.html
========================
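The failure mode described in the two suggested advisories above (a TLSDHParamFile that is silently ignored in favour of 1024-bit Diffie-Hellman) is only visible on the wire, so the check a practitioner wants before and after applying the update is to connect with `openssl s_client -starttls ftp`, force a DHE cipher suite, and read the "Server Temp Key" line of the handshake report. The script below is an added example, not code from this bug report, from Mageia QA or from the proftpd project. The host, port, cipher name, file name and the two sample transcripts are assumptions and constructed samples, not captures from a real server. A server under test would have something like `TLSDHParamFile /etc/proftpd/dhparams.pem` (path assumed) pointing at parameters generated with `openssl dhparam -out /etc/proftpd/dhparams.pem 2048`; per the advisory, a ProFTPD before 1.3.5b still negotiates 1024 bits in that configuration, which this probe reports as WEAK.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the proftpd project): probe which
# Diffie-Hellman group a ProFTPD server really negotiates for FTPS, so that a
# TLSDHParamFile that is being ignored shows up as "DH, 1024 bits" on the wire.
# Host, port, cipher name, file name and the sample transcripts are assumptions.

# Pull the ephemeral key size out of an "openssl s_client" transcript.
# OpenSSL 1.0.2 and later print a line such as
#   Server Temp Key: DH, 1024 bits         (finite-field DH)
#   Server Temp Key: ECDH, P-256, 256 bits (elliptic-curve DH)
# Prints the DH size in bits, "ECDH" for a curve exchange, or "none".
dh_bits_from_transcript() {
    line=$(printf '%s\n' "$1" | grep 'Server Temp Key:' | head -n 1)
    case "$line" in
        *'Server Temp Key: DH,'*)
            printf '%s\n' "$line" | sed -n 's/.*DH, \([0-9][0-9]*\) bits.*/\1/p' ;;
        *'Server Temp Key: ECDH,'*|*'Server Temp Key: X25519'*|*'Server Temp Key: X448'*)
            echo ECDH ;;
        *)
            echo none ;;
    esac
}

# Succeed (exit 0) when the exchange is ECDH or finite-field DH of at least
# $2 bits (default 2048); fail otherwise. Against a server affected by
# CVE-2016-3125 this fails even though TLSDHParamFile names a 2048-bit file.
dh_is_acceptable() {
    bits=$(dh_bits_from_transcript "$1")
    min=${2:-2048}
    case "$bits" in
        ECDH) return 0 ;;
        none|'') return 1 ;;
        *) [ "$bits" -ge "$min" ] ;;
    esac
}

# Live probe. -starttls ftp sends AUTH TLS before the handshake; a DHE-only
# cipher plus TLS 1.2 forces the server to use its finite-field DH parameters
# (TLS 1.3 never does finite-field DH and would therefore hide the problem).
probe_ftp_dh() {
    host=${1:-localhost}
    port=${2:-21}
    echo QUIT | openssl s_client -connect "$host:$port" -starttls ftp \
        -tls1_2 -cipher 'DHE-RSA-AES128-SHA' 2>/dev/null
}

# Constructed sample transcripts for offline use (not captured from a server).
SAMPLE_WEAK='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2411 bytes and written 442 bytes'

SAMPLE_FIXED='CONNECTED(00000003)
---
Server Temp Key: DH, 2048 bits
---'

# Usage (file name assumed): sh probe_dh.sh --probe ftp.example.org 21
if [ "${1:-}" = "--probe" ]; then
    transcript=$(probe_ftp_dh "${2:-localhost}" "${3:-21}")
    if dh_is_acceptable "$transcript"; then
        echo "OK: negotiated $(dh_bits_from_transcript "$transcript")"
    else
        echo "WEAK: negotiated $(dh_bits_from_transcript "$transcript")"
        exit 2
    fi
fi
```

Run it once against the 1.3.5-5.1.mga5 build and once after installing 1.3.5b from updates_testing; only the second run should print OK with the size of the parameters in TLSDHParamFile. Forcing a DHE suite matters: with the server's default cipher list an ECDHE suite may be chosen and the DH parameters are never exercised, so the probe would pass regardless of the bug.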
Dave Hodgins
2016-03-31 19:20:19 CEST
CC: (none) => davidwhodgins

In VirtualBox, M5, KDE, 32-bit

default install of proftpd
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.1.mga5.i586 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

install proftpd from updates_testing
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.i586 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

CC: (none) => wilcal.int

In VirtualBox, M5, KDE, 64-bit

default install of proftpd
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

install proftpd from updates_testing
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK

This looks good to go. What do you say, David?

Yes, thanks William. This update works fine.

Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0128.html

Status: ASSIGNED => RESOLVED