| Summary: | proftpd new security issues CVE-2019-12815 and CVE-2019-18217 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, marja11, mhrambo3501, sysadmin-bugs, tmb, zombie.ryushu |
| Version: | 7 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | proftpd-1.3.5e-4.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2019-08-12 01:50:16 CEST

David Walser
2019-08-12 01:50:27 CEST
Whiteboard: (none) => MGA7TOO, MGA6TOO

Assigning to the registered maintainer.
CC: (none) => marja11

http://proftpd.org/docs/RELEASE_NOTES-1.3.6b
https://security-tracker.debian.org/tracker/CVE-2019-18217
https://www.debian.org/lts/security/2019/dla-1974

Patches for both issues are here:
http://security.debian.org/debian-security/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u4.debian.tar.xz
Assignee: lists.jjorge => pkg-bugs

Mageia 6 is EOL. Cauldron is already v1.3.6b and is not vulnerable.

Patched package uploaded for Mageia 7.

Advisory:
========================

Updated proftpd package fixes security vulnerabilities:

* It was discovered that the mod_copy module of ProFTPD, an FTP/SFTP/FTPS
  server, performed incomplete permission validation for the CPFR/CPTO
  commands (CVE-2019-12815).
* It was discovered that due to incorrect handling of overly long commands,
  a remote unauthenticated user could trigger a denial-of-service by reaching
  an endless loop (CVE-2019-18217).

References:
https://www.debian.org/security/2019/dsa-4491
https://www.debian.org/lts/security/2019/dla-1974
https://nvd.nist.gov/vuln/detail/CVE-2019-12815
https://nvd.nist.gov/vuln/detail/CVE-2019-18217
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-4.1.mga7
proftpd-devel-1.3.5e-4.1.mga7
proftpd-mod_autohost-1.3.5e-4.1.mga7
proftpd-mod_ban-1.3.5e-4.1.mga7
proftpd-mod_case-1.3.5e-4.1.mga7
proftpd-mod_ctrls_admin-1.3.5e-4.1.mga7
proftpd-mod_gss-1.3.5e-4.1.mga7
proftpd-mod_ifsession-1.3.5e-4.1.mga7
proftpd-mod_ldap-1.3.5e-4.1.mga7
proftpd-mod_load-1.3.5e-4.1.mga7
proftpd-mod_memcache-1.3.5e-4.1.mga7
proftpd-mod_quotatab-1.3.5e-4.1.mga7
proftpd-mod_quotatab_file-1.3.5e-4.1.mga7
proftpd-mod_quotatab_ldap-1.3.5e-4.1.mga7
proftpd-mod_quotatab_radius-1.3.5e-4.1.mga7
proftpd-mod_quotatab_sql-1.3.5e-4.1.mga7
proftpd-mod_radius-1.3.5e-4.1.mga7
proftpd-mod_ratio-1.3.5e-4.1.mga7
proftpd-mod_rewrite-1.3.5e-4.1.mga7
proftpd-mod_sftp-1.3.5e-4.1.mga7
proftpd-mod_sftp_pam-1.3.5e-4.1.mga7
proftpd-mod_sftp_sql-1.3.5e-4.1.mga7
proftpd-mod_shaper-1.3.5e-4.1.mga7
proftpd-mod_site_misc-1.3.5e-4.1.mga7
proftpd-mod_sql-1.3.5e-4.1.mga7
proftpd-mod_sql_mysql-1.3.5e-4.1.mga7
proftpd-mod_sql_passwd-1.3.5e-4.1.mga7
proftpd-mod_sql_postgres-1.3.5e-4.1.mga7
proftpd-mod_sql_sqlite-1.3.5e-4.1.mga7
proftpd-mod_tls-1.3.5e-4.1.mga7
proftpd-mod_tls_memcache-1.3.5e-4.1.mga7
proftpd-mod_tls_shmcache-1.3.5e-4.1.mga7
proftpd-mod_vroot-1.3.5e-4.1.mga7
proftpd-mod_wrap-1.3.5e-4.1.mga7
proftpd-mod_wrap_file-1.3.5e-4.1.mga7
proftpd-mod_wrap_sql-1.3.5e-4.1.mga7

from proftpd-1.3.5e-4.1.mga7.src.rpm

Test procedure
https://bugs.mageia.org/show_bug.cgi?id=17960#c8
CC: (none) => mrambo

Mike, Cauldron also has 1.3.5e, so please push the fix there.

MGA7-64 Plasma on Lenovo B50
No installation issues, just installed the server.

# systemctl start proftpd
# systemctl -l status proftpd
● proftpd.service - LSB: ProFTPD FTP server
   Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
   Active: active (running) since Tue 2019-11-05 10:28:38 CET; 21s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 30062 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
   Memory: 3.0M
   CGroup: /system.slice/proftpd.service
           └─30073 proftpd: (accepting connections)

nov 05 10:28:38 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
nov 05 10:28:38 mach5.hviaene.thuis proftpd[30062]: Starting proftpd[ OK ]
nov 05 10:28:38 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

After opening the firewall for ftp, I could connect to this laptop from my desktop using the ftp command and running the pwd and ls commands, and put a file to the server.
OK for me.
Whiteboard: (none) => MGA7-64-OK

(In reply to David Walser from comment #5)
> Mike, Cauldron also has 1.3.5e, so please push the fix there.

Cauldron has 1.3.6b (see top of comment 4).

zezinho pushed it on Oct 28.

Mike, no, either he didn't push it to the buildsystem or it failed to build. 1.3.6b is only in SVN, 1.3.5e is still in the repository.

I guess it failed to build - it wouldn't build locally. Reverted cauldron to 1.3.5e with both CVE patches applied, same as mga7.

Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund
2019-11-07 22:04:41 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0314.html
Status: NEW => RESOLVED

Debian has issued an advisory for CVE-2019-18217 on November 5:
https://www.debian.org/security/2019/dsa-4559