Bug 32644

Summary: Proftpd security issue - CVE-2023-48795
Product: Mageia
Reporter: Stig-Ørjan Smelror <smelror>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, brtians1, marja11, sysadmin-bugs
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA9-64-OK
Source RPM: proftpd
CVE: CVE-2023-48795
Status comment:
Bug Depends on:    
Bug Blocks: 32641    
Attachments: Log of the install/update

Description Stig-Ørjan Smelror 2023-12-21 10:38:24 CET
Upstream have released version 1.3.8b to fix CVE-2023-48795.

https://nvd.nist.gov/vuln/detail/CVE-2023-48795
https://github.com/proftpd/proftpd/blob/1.3.8/RELEASE_NOTES

Nicolas Salguero 2023-12-21 10:39:30 CET

Blocks: (none) => 32641

Comment 1 Stig-Ørjan Smelror 2023-12-21 12:19:47 CET
Cauldron is current with version 1.3.8b.

Comment 2 Stig-Ørjan Smelror 2023-12-21 12:20:49 CET
Advisory
========

ProFTPd upstream have released version 1.3.8b to fix CVE-2023-48795.

From the changelog:
- Implemented mitigations for "Terrapin" SSH attack (CVE-2023-48795).

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2023-48795
https://github.com/proftpd/proftpd/blob/1.3.8/RELEASE_NOTES


Files
=====

Uploaded to core/updates_testing

proftpd-mod_vroot-1.3.8b-1.mga9
proftpd-mod_ban-1.3.8b-1.mga9
proftpd-mod_ctrls_admin-1.3.8b-1.mga9
proftpd-mod_wrap-1.3.8b-1.mga9
proftpd-mod_quotatab-1.3.8b-1.mga9
proftpd-mod_shaper-1.3.8b-1.mga9
proftpd-mod_ldap-1.3.8b-1.mga9
proftpd-mod_radius-1.3.8b-1.mga9
proftpd-mod_sql-1.3.8b-1.mga9
proftpd-mod_tls-1.3.8b-1.mga9
proftpd-mod_sql_passwd-1.3.8b-1.mga9
proftpd-mod_sql_postgres-1.3.8b-1.mga9
proftpd-mod_ifsession-1.3.8b-1.mga9
proftpd-mod_site_misc-1.3.8b-1.mga9
proftpd-mod_tls_shmcache-1.3.8b-1.mga9
proftpd-mod_sql_mysql-1.3.8b-1.mga9
proftpd-mod_ratio-1.3.8b-1.mga9
proftpd-mod_rewrite-1.3.8b-1.mga9
proftpd-mod_sql_sqlite-1.3.8b-1.mga9
proftpd-mod_tls_memcache-1.3.8b-1.mga9
proftpd-mod_autohost-1.3.8b-1.mga9
proftpd-mod_quotatab_sql-1.3.8b-1.mga9
proftpd-mod_case-1.3.8b-1.mga9
proftpd-mod_wrap_sql-1.3.8b-1.mga9
proftpd-mod_memcache-1.3.8b-1.mga9
proftpd-mod_sftp_pam-1.3.8b-1.mga9
proftpd-mod_sftp_sql-1.3.8b-1.mga9
proftpd-mod_wrap_file-1.3.8b-1.mga9
proftpd-mod_unique_id-1.3.8b-1.mga9
proftpd-mod_quotatab_ldap-1.3.8b-1.mga9
proftpd-mod_load-1.3.8b-1.mga9
proftpd-mod_quotatab_radius-1.3.8b-1.mga9
proftpd-mod_quotatab_file-1.3.8b-1.mga9
proftpd-mod_sftp-1.3.8b-1.mga9
proftpd-devel-1.3.8b-1.mga9
proftpd-1.3.8b-1.mga9

from proftpd-1.3.8b-1.mga9.src.rpm

Assignee: smelror => qa-bugs

Marja Van Waes 2023-12-21 19:48:22 CET

CC: (none) => marja11
Source RPM: (none) => proftpd
CVE: (none) => CVE-2023-48795

Comment 3 Marja Van Waes 2023-12-21 20:03:52 CET
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory

Comment 4 katnatek 2023-12-22 04:10:31 CET
Created attachment 14229
Log of the install/update

Tested on real hardware, Mageia 9 x86_64

Install current versions of packages
Update to testing versions without issues
Setup ftp server with MCC
Connect from my i586 system to my x86_64 system 
Transfer files
Looks OK to me

Comment 5 Brian Rockwell 2023-12-24 23:53:05 CET
MGA9-server

Installed updated version (upgrade).

No issues.

Used it for a little while, no issues.

CC: (none) => brtians1
Whiteboard: (none) => MGA9-64-OK

Comment 6 Thomas Andrews 2023-12-26 15:20:51 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2023-12-29 18:17:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0356.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Nicolas Salguero 2024-01-19 16:12:02 CET

Blocks: (none) => 32748

Nicolas Salguero 2024-01-19 16:16:44 CET

Blocks: 32748 => (none)