| Summary: | proftpd new memory disclosure issue fixed upstream in 1.3.7c | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, mageia, marja11, mhrambo3501, nicolas.salguero, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | proftpd-1.3.7a-2.mga8.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 29438 | | |

Description
David Walser
2021-09-08 22:55:56 CEST
David Walser
2021-09-08 22:56:15 CEST
Status comment: (none) => Fixed upstream in 1.3.7c

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Memory disclosure to RADIUS servers by mod_radius.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/
https://bugzilla.redhat.com/show_bug.cgi?id=2001690
========================

Updated packages in core/updates_testing:
========================
proftpd-mod_sql-1.3.7a-3.1.mga8
proftpd-mod_tls-1.3.7a-3.1.mga8
proftpd-mod_quotatab-1.3.7a-3.1.mga8
proftpd-mod_radius-1.3.7a-3.1.mga8
proftpd-mod_ldap-1.3.7a-3.1.mga8
proftpd-mod_ban-1.3.7a-3.1.mga8
proftpd-mod_rewrite-1.3.7a-3.1.mga8
proftpd-mod_wrap-1.3.7a-3.1.mga8
proftpd-mod_shaper-1.3.7a-3.1.mga8
proftpd-mod_tls_shmcache-1.3.7a-3.1.mga8
proftpd-mod_ctrls_admin-1.3.7a-3.1.mga8
proftpd-mod_sftp-1.3.7a-3.1.mga8
proftpd-mod_vroot-1.3.7a-3.1.mga8
proftpd-mod_tls_memcache-1.3.7a-3.1.mga8
proftpd-mod_ifsession-1.3.7a-3.1.mga8
proftpd-mod_site_misc-1.3.7a-3.1.mga8
proftpd-mod_sql_passwd-1.3.7a-3.1.mga8
proftpd-mod_ratio-1.3.7a-3.1.mga8
proftpd-mod_sql_sqlite-1.3.7a-3.1.mga8
proftpd-mod_sql_mysql-1.3.7a-3.1.mga8
proftpd-mod_sql_postgres-1.3.7a-3.1.mga8
proftpd-mod_autohost-1.3.7a-3.1.mga8
proftpd-mod_quotatab_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_pam-1.3.7a-3.1.mga8
proftpd-mod_case-1.3.7a-3.1.mga8
proftpd-mod_memcache-1.3.7a-3.1.mga8
proftpd-mod_wrap_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_sql-1.3.7a-3.1.mga8
proftpd-mod_wrap_file-1.3.7a-3.1.mga8
proftpd-mod_load-1.3.7a-3.1.mga8
proftpd-mod_quotatab_ldap-1.3.7a-3.1.mga8
proftpd-mod_quotatab_radius-1.3.7a-3.1.mga8
proftpd-mod_quotatab_file-1.3.7a-3.1.mga8
proftpd-mod_unique_id-1.3.7a-3.1.mga8
proftpd-devel-1.3.7a-3.1.mga8
proftpd-1.3.7a-3.1.mga8

from SRPM:
proftpd-1.3.7a-3.1.mga8.src.rpm

Status: NEW => ASSIGNED
Thomas Backlund
2021-09-10 13:20:22 CEST
Blocks: (none) => 29438

Note that proftpd-1.3.7a-3.1.mga8 includes the fix for bug 29438, which has its own advisory and test instructions. Merging the advisories of bug 29438 and this one (please look at bug 29438 for how to reproduce and test that part):

Suggested advisory:
========================

The updated packages fix a security vulnerability (1) and also a non-RFC-compliant FEAT answer (2).

1) Fixed security vulnerability:

Memory disclosure to RADIUS servers by mod_radius.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/
https://bugzilla.redhat.com/show_bug.cgi?id=2001690

2) Fixed non-RFC-compliant FEAT answer:

FTP clients like FileZilla fail to detect the locale, with in the log: "Status: Server does not support non-ASCII characters." This comes from the proftpd MultilineRFC2228 directive being enabled by default. Without this directive FileZilla is able to enable the UTF-8 options correctly. A similar issue was present in another distribution, and they fixed it by disabling the MultilineRFC2228 directive.

References:
https://github.com/proftpd/proftpd/issues/1085
========================

Updated packages in core/updates_testing:
========================
proftpd-mod_sql-1.3.7a-3.1.mga8
proftpd-mod_tls-1.3.7a-3.1.mga8
proftpd-mod_quotatab-1.3.7a-3.1.mga8
proftpd-mod_radius-1.3.7a-3.1.mga8
proftpd-mod_ldap-1.3.7a-3.1.mga8
proftpd-mod_ban-1.3.7a-3.1.mga8
proftpd-mod_rewrite-1.3.7a-3.1.mga8
proftpd-mod_wrap-1.3.7a-3.1.mga8
proftpd-mod_shaper-1.3.7a-3.1.mga8
proftpd-mod_tls_shmcache-1.3.7a-3.1.mga8
proftpd-mod_ctrls_admin-1.3.7a-3.1.mga8
proftpd-mod_sftp-1.3.7a-3.1.mga8
proftpd-mod_vroot-1.3.7a-3.1.mga8
proftpd-mod_tls_memcache-1.3.7a-3.1.mga8
proftpd-mod_ifsession-1.3.7a-3.1.mga8
proftpd-mod_site_misc-1.3.7a-3.1.mga8
proftpd-mod_sql_passwd-1.3.7a-3.1.mga8
proftpd-mod_ratio-1.3.7a-3.1.mga8
proftpd-mod_sql_sqlite-1.3.7a-3.1.mga8
proftpd-mod_sql_mysql-1.3.7a-3.1.mga8
proftpd-mod_sql_postgres-1.3.7a-3.1.mga8
proftpd-mod_autohost-1.3.7a-3.1.mga8
proftpd-mod_quotatab_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_pam-1.3.7a-3.1.mga8
proftpd-mod_case-1.3.7a-3.1.mga8
proftpd-mod_memcache-1.3.7a-3.1.mga8
proftpd-mod_wrap_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_sql-1.3.7a-3.1.mga8
proftpd-mod_wrap_file-1.3.7a-3.1.mga8
proftpd-mod_load-1.3.7a-3.1.mga8
proftpd-mod_quotatab_ldap-1.3.7a-3.1.mga8
proftpd-mod_quotatab_radius-1.3.7a-3.1.mga8
proftpd-mod_quotatab_file-1.3.7a-3.1.mga8
proftpd-mod_unique_id-1.3.7a-3.1.mga8
proftpd-devel-1.3.7a-3.1.mga8
proftpd-1.3.7a-3.1.mga8

from SRPM:
proftpd-1.3.7a-3.1.mga8.src.rpm

MGA8-64 Plasma on Lenovo B50

No installation issues.

Ref bug 26251 for testing

    # systemctl start proftpd
    # systemctl -l status proftpd
    ● proftpd.service - LSB: ProFTPD FTP server
         Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
         Active: active (running) since Wed 2021-09-15 14:35:19 CEST; 19s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 13951 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
          Tasks: 1 (limit: 9402)
         Memory: 4.2M
            CPU: 52ms
         CGroup: /system.slice/proftpd.service
                 └─13960 proftpd: (accepting connections)

    sep 15 14:35:18 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
    sep 15 14:35:19 mach5.hviaene.thuis proftpd[13951]: Starting proftpd[ OK ]
    sep 15 14:35:19 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

Opened the port for ftp-server in the firewall and used FileZilla to transfer some folders, testing in both directions. All worked OK.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
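To make the FEAT point of the merged advisory concrete, here is an added example (not part of the bug report, of ProFTPD or of FileZilla): a strict RFC 2389 FEAT-reply parser run over two constructed replies, showing why a client that follows the RFC sees no UTF8 feature when the server answers in RFC 2228 multi-line style. It assumes the non-compliant reply prefixes every line with `211-` instead of the single leading space RFC 2389 requires for feature lines; both sample replies are constructed, not captured server output.

```python
from typing import List


def parse_feat(reply: str) -> List[str]:
    """Return the feature names a strict RFC 2389 client reads from a FEAT reply.

    RFC 2389 section 3.2: the first line is "211-<text>", every feature line
    begins with a single space, and the reply ends with "211 <text>". Any
    other line (for example an RFC 2228-style "211-UTF8") is not a feature
    line and is ignored.
    """
    lines = reply.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("211-"):
        return []                        # not a multi-line FEAT success reply
    features: List[str] = []
    for line in lines[1:]:
        if line.startswith("211 "):      # terminating line
            break
        if line.startswith(" "):
            # Feature name is the first token; the rest is its parameter list
            # (e.g. "AUTH TLS", "MLST size*;modify*;").
            name = line.strip().split(" ", 1)[0]
            if name:
                features.append(name)
    return features


def supports_utf8(reply: str) -> bool:
    """What a strict RFC 2389 client concludes about UTF-8 support."""
    return "UTF8" in parse_feat(reply)


# Constructed sample replies, not captured server output. The first follows
# RFC 2389. The second is the assumed shape of the non-compliant answer the
# bug describes: every line carries the "211-" prefix in RFC 2228 multi-line
# style, so no line starts with the space that marks a feature line.
COMPLIANT_FEAT = (
    "211-Features:\r\n"
    " MDTM\r\n"
    " AUTH TLS\r\n"
    " UTF8\r\n"
    " SIZE\r\n"
    "211 End\r\n"
)

RFC2228_STYLE_FEAT = (
    "211-Features:\r\n"
    "211-MDTM\r\n"
    "211-AUTH TLS\r\n"
    "211-UTF8\r\n"
    "211-SIZE\r\n"
    "211 End\r\n"
)
```

Pointing `parse_feat` at a real server's FEAT reply (captured with any FTP client's raw log) is a quick way to confirm that disabling MultilineRFC2228 has taken effect.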
Dave Hodgins
2021-09-22 23:01:06 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0434.html

Resolution: (none) => FIXED