Bug 25623

Summary: proftpd new security issue CVE-2019-18217
Product: Mageia
Reporter: Zombie Ryushu <zombie.ryushu>
Component: RPM Packages
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED DUPLICATE
QA Contact:
Severity: normal
Priority: Normal
CC: luigiwalser
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://proftpd.org/docs/RELEASE_NOTES-1.3.6b
Whiteboard: MGA7TOO
Source RPM: proftpd-1.3.5e-4.mga7.src.rpm
CVE:
Status comment:

Description Zombie Ryushu 2019-10-27 23:42:07 CET
This file contains a description of the major changes to ProFTPD for the
1.3.6 release cycle, from the 1.3.6rc1 release to the 1.3.6 maintenance
releases.  More information on these changes can be found in the NEWS and
ChangeLog files.

1.3.6b
---------
  + Fixed pre-authentication remote denial-of-service issue (Issue #846).
  + Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).

1.3.6a
---------
  + Fixed symlink navigation (Bug#4332).
  + Fixed building of mod_sftp using OpenSSL 1.1.x releases (Issue#674).
  + Fixed SITE COPY honoring of <Limit> restrictions (Bug#4372).
  + Fixed segfault on login when using mod_sftp + mod_sftp_pam (Issue#656).
  + Fixed restarts when using mod_facl as a static module.
Comment 1 Lewis Smith 2019-10-28 20:16:10 CET
Thank you for the notification.
Our package is currently 1.3.5e-4, so I do not know whether this applies.
Assigning to the package maintainer José, CC DavidW.

Source RPM: proftpd => proftpd-1.3.5e-4.mga7.src.rpm
Assignee: bugsquad => lists.jjorge
CC: (none) => luigiwalser

Comment 2 David Walser 2019-10-28 20:48:04 CET
Zombie, please give URL references so we know where you're getting this information from.

Lewis, you don't need to CC me.

I believe he was getting it from Debian as usual:
https://security-tracker.debian.org/tracker/CVE-2019-18217
https://www.debian.org/lts/security/2019/dla-1974

So 1.3.5 is apparently affected.

Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
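
Added example (not part of this bug report, and not code from the ProFTPD project or from Mageia): a small triage helper that answers the question raised in comments 1 and 2, whether the packaged 1.3.5e predates the 1.3.6b release that the release notes above list as carrying the pre-authentication DoS fix. It encodes only the ordering the release notes themselves show (1.3.6rc1 precedes 1.3.6, and 1.3.6a/1.3.6b are maintenance releases after it), pulls the upstream version out of an SRPM file name, and compares. The fixed version 1.3.6b is taken from the report; the version regex and the SRPM-name splitting are my own assumptions about the formats. It knows nothing about distribution backports: a 1.3.5 package carrying a borrowed Debian patch (comment 4) still reports as "affected" by version number alone, which is exactly why the version check is only a starting point.

```python
import re
from typing import Tuple

# Version scheme as shown in the release notes: "1.3.6rc1" is a release
# candidate that precedes "1.3.6", and "1.3.6a" / "1.3.6b" are maintenance
# releases that follow it. parse_version() turns that into a sortable tuple.
# The regex is an assumption about the format, not something ProFTPD documents.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:rc(?P<rc>\d+)|(?P<letter>[a-z]))?$"
)

# First release the report names as carrying the fix for the pre-auth DoS.
FIXED_VERSION = "1.3.6b"


def parse_version(version: str) -> Tuple[int, int, int, int, int, int]:
    """Map a ProFTPD version string to a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ProFTPD version string: {version!r}")
    major, minor, patch = (int(m.group(g)) for g in ("major", "minor", "patch"))
    if m.group("rc") is not None:
        # Release candidate: final-flag 0 so it sorts before the x.y.z release.
        return (major, minor, patch, 0, int(m.group("rc")), 0)
    letter = m.group("letter")
    # Final release gets letter rank 0; maintenance "a" -> 1, "b" -> 2, ...
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, patch, 1, 0, letter_rank)


def upstream_version_from_srpm(srpm_name: str) -> str:
    """Extract the upstream version from an RPM file name such as
    'proftpd-1.3.5e-4.mga7.src.rpm' (name-version-release.src.rpm).
    Splitting from the right keeps hyphenated package names intact."""
    base = srpm_name
    for suffix in (".src.rpm", ".rpm"):
        if base.endswith(suffix):
            base = base[: -len(suffix)]
            break
    name_version, _, _release = base.rpartition("-")
    _name, _, version = name_version.rpartition("-")
    if not version:
        raise ValueError(f"cannot split a version out of {srpm_name!r}")
    return version


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts before the first fixed upstream release.
    Purely version-based: a distro backport of the fix is not visible here."""
    return parse_version(version) < parse_version(fixed)


def triage_srpm(srpm_name: str, fixed: str = FIXED_VERSION) -> Tuple[str, bool]:
    """Return (upstream_version, affected_by_version_number) for an SRPM name."""
    version = upstream_version_from_srpm(srpm_name)
    return version, is_affected(version, fixed)


if __name__ == "__main__":
    # The SRPM name from this report's header; the others are constructed
    # inputs to show the rc / letter ordering.
    for name in (
        "proftpd-1.3.5e-4.mga7.src.rpm",
        "proftpd-1.3.6rc1-1.mga7.src.rpm",
        "proftpd-1.3.6a-1.mga7.src.rpm",
        "proftpd-1.3.6b-1.mga7.src.rpm",
    ):
        version, affected = triage_srpm(name)
        print(f"{name}: upstream {version}, "
              f"{'older than' if affected else 'at or past'} {FIXED_VERSION}")
```

Running it on the header's SRPM name reports 1.3.5e as older than 1.3.6b, matching David Walser's reading of the Debian tracker; for a package that already carries a backported patch, the release field (the "-4" in "-4.mga7") and the changelog, not the upstream version, are what tell you whether the fix is present.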

David Walser 2019-10-28 20:48:23 CET

Summary: proftpd security update (CVE-2019-18217) => proftpd new security issue CVE-2019-18217

Comment 3 Zombie Ryushu 2019-10-28 22:28:38 CET
The actual version to update to is 1.3.6b.
Comment 4 David Walser 2019-10-28 22:48:55 CET
We can borrow the patch from Debian.
Comment 5 José Jorge 2019-10-28 23:02:03 CET
(In reply to David Walser from comment #4)
> We can borrow the patch from Debian.

Well I do not use proftpd enough to continue maintaining this package.
So I have assigned it to nobody.

Anyone interested, feel free to take maintainership. Zombie Ryushu?

Assignee: lists.jjorge => pkg-bugs

Comment 6 Zombie Ryushu 2019-10-28 23:06:44 CET
I do not have the resources to do packages for Mageia the way Mageia does it. I farm my builds out to third parties.
Comment 7 David Walser 2019-10-29 03:23:21 CET
Turns out we already had a security bug open for proftpd.

*** This bug has been marked as a duplicate of bug 25287 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE