| Summary: | proftpd new security issue CVE-2017-7418 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, mageia, marja11, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | ||
| Source RPM: | proftpd-1.3.5b-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-04-10 01:00:28 CEST
Assigning to the registered maintainer.
CC: (none) => marja11

pushed in updates_testing: srpms: proftpd-1.3.5e-1.mga5
CC: (none) => mageia
Nicolas Lécureuil
2017-04-21 10:58:25 CEST
Assignee: lists.jjorge => qa-bugs

Advisory:
========================

Updated proftpd packages fix security vulnerability:

ProFTPD before 1.3.5e controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user (CVE-2017-7418).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5e
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-1.mga5
proftpd-devel-1.3.5e-1.mga5
proftpd-mod_ctrls_admin-1.3.5e-1.mga5
proftpd-mod_ifsession-1.3.5e-1.mga5
proftpd-mod_ldap-1.3.5e-1.mga5
proftpd-mod_quotatab-1.3.5e-1.mga5
proftpd-mod_quotatab_file-1.3.5e-1.mga5
proftpd-mod_quotatab_ldap-1.3.5e-1.mga5
proftpd-mod_quotatab_sql-1.3.5e-1.mga5
proftpd-mod_quotatab_radius-1.3.5e-1.mga5
proftpd-mod_radius-1.3.5e-1.mga5
proftpd-mod_ratio-1.3.5e-1.mga5
proftpd-mod_rewrite-1.3.5e-1.mga5
proftpd-mod_site_misc-1.3.5e-1.mga5
proftpd-mod_sql-1.3.5e-1.mga5
proftpd-mod_sql_mysql-1.3.5e-1.mga5
proftpd-mod_sql_postgres-1.3.5e-1.mga5
proftpd-mod_sql_sqlite-1.3.5e-1.mga5
proftpd-mod_sql_passwd-1.3.5e-1.mga5
proftpd-mod_tls-1.3.5e-1.mga5
proftpd-mod_tls_shmcache-1.3.5e-1.mga5
proftpd-mod_tls_memcache-1.3.5e-1.mga5
proftpd-mod_autohost-1.3.5e-1.mga5
proftpd-mod_case-1.3.5e-1.mga5
proftpd-mod_gss-1.3.5e-1.mga5
proftpd-mod_load-1.3.5e-1.mga5
proftpd-mod_shaper-1.3.5e-1.mga5
proftpd-mod_wrap-1.3.5e-1.mga5
proftpd-mod_wrap_file-1.3.5e-1.mga5
proftpd-mod_wrap_sql-1.3.5e-1.mga5
proftpd-mod_ban-1.3.5e-1.mga5
proftpd-mod_vroot-1.3.5e-1.mga5
proftpd-mod_sftp-1.3.5e-1.mga5
proftpd-mod_sftp_pam-1.3.5e-1.mga5
proftpd-mod_sftp_sql-1.3.5e-1.mga5
proftpd-mod_memcache-1.3.5e-1.mga5

from proftpd-1.3.5e-1.mga5.src.rpm

MGA-32 on Asus A6000VM Xfce
No installation issues.
Start proftpd at CLI, then I could access localhost using filezilla.
After mending the firewall, I could connect this machine from desktop M5 on LAN using filezilla.
Looks OK.
CC: (none) => herman.viaene

In VirtualBox, M5, KDE, 64-bit
default install of proftpd
[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.59-desktop-1.mga5 #1 SMP Thu Mar 30 21:28:55 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.x86_64 is already installed
accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works
install proftpd from updates_testing
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5e-1.mga5.x86_64 is already installed
accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works
CC: (none) => wilcal.int
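The advisory quoted earlier in this bug describes the flaw: with `AllowChrootSymlinks off`, ProFTPD before 1.3.5e inspected only the last component of a user's home path, so a symlink in any earlier component went unnoticed. The script below is an added example, not ProFTPD code and not part of this bug report or of the QA tests above; it models the two checks side by side against a constructed directory layout. The user name `alice`, the `real`/`link` directory names and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not ProFTPD's own code. Models the two behaviours behind
# CVE-2017-7418: the pre-1.3.5e check that only looks at the final path
# component, and a check that walks every component of the home path.

# Vulnerable-style check: returns 0 (symlink found) only when the LAST
# component of the given path is itself a symbolic link.
home_has_symlink_last_only() {
    [ -L "$1" ]
}

# Corrected-style check: returns 0 if ANY component of the absolute path,
# from the leaf up to (but excluding) "/", is a symbolic link.
home_has_symlink_any_component() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        [ -L "$p" ] && return 0
        p=$(dirname "$p")
    done
    return 1
}

# Builds a constructed layout under $1 and prints the "configured" home:
#   $1/real/alice   a plain directory (the real home)
#   $1/link -> real a symlink sitting in a NON-final path component
#   $1/link/alice   the path an attacker could put in the user's passwd entry
# Its last component is an ordinary directory, so a last-component-only
# check sees nothing wrong.
make_demo_home() {
    mkdir -p "$1/real/alice"
    ln -s "$1/real" "$1/link"
    printf '%s\n' "$1/link/alice"
}

# Runs both checks against the constructed home and reports the verdicts.
# mktemp's directory is resolved with pwd -P so that a symlinked temp root
# (e.g. /var -> /private/var on macOS) does not skew the clean-path case.
demo() {
    tmp=$(cd "$(mktemp -d)" && pwd -P)
    home=$(make_demo_home "$tmp")
    if home_has_symlink_last_only "$home"; then last=denied; else last=allowed; fi
    if home_has_symlink_any_component "$home"; then any=denied; else any=allowed; fi
    rm -rf "$tmp"
    printf 'home %s\n  last-component check: %s\n  per-component check:  %s\n' \
        "$home" "$last" "$any"
}

demo
```

On the constructed layout the last-component check reports "allowed" while the per-component check reports "denied", which is exactly the gap the 1.3.5e release closes. The model leaves out what the real server does around the check (it runs as root before the chroot, and the directive only matters when `DefaultRoot` chroots the session), so the fix for an affected host is the package update in this bug, not a script; the per-component function is useful only as a quick audit of the home directories listed in /etc/passwd.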
William Kenney
2017-04-21 23:34:03 CEST
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
Dave Hodgins
2017-04-24 01:30:12 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0115.html

Resolution: (none) => FIXED