| Summary: | proftpd new security issue CVE-2012-6095 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | oe, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/532540/ | ||
| Whiteboard: | has_procedure mga2-64-ok mga2-32-ok | ||
| Source RPM: | proftpd-1.3.3g-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 8884 | ||
Description
David Walser
2013-01-15 00:49:33 CET
PoC: http://bugs.proftpd.org/show_bug.cgi?id=3841 Be careful using foo/etc. I'd recommend creating /test with root:root ownership or something to play with instead and MKD foo/test.
claire robinson
2013-01-15 01:32:56 CET
Hardware: i586 => All

Does the build run the testsuite David? It's mentioned on the PoC bug report and seems to come with the source.

(In reply to comment #2)
> Does the build run the testsuite David?
>
> It's mentioned on the PoC bug report and seems to come with the source.

Unfortunately, no. Also, if the fix upstream added a test to the test suite, that wasn't included in the patches backported by Debian that I used. I don't see anything for that in the patches attached to the upstream bug either.

This is showing as having a missing signature x86_64

Whiteboard: has_procedure => has_procedure feedback

Rebuilt to fix the missing signature.

Advisory:
========================

Updated proftpd packages fix security vulnerability:

It has been discovered that in ProFTPd, an FTP server, an attacker on the same physical host as the server may be able to perform a symlink attack allowing to elevate privileges in some configurations (CVE-2012-6095).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6095
http://www.debian.org/security/2013/dsa-2606
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.3g-1.2.mga2
proftpd-devel-1.3.3g-1.2.mga2
proftpd-mod_ctrls_admin-1.3.3g-1.2.mga2
proftpd-mod_ifsession-1.3.3g-1.2.mga2
proftpd-mod_ldap-1.3.3g-1.2.mga2
proftpd-mod_quotatab-1.3.3g-1.2.mga2
proftpd-mod_quotatab_file-1.3.3g-1.2.mga2
proftpd-mod_quotatab_ldap-1.3.3g-1.2.mga2
proftpd-mod_quotatab_sql-1.3.3g-1.2.mga2
proftpd-mod_quotatab_radius-1.3.3g-1.2.mga2
proftpd-mod_radius-1.3.3g-1.2.mga2
proftpd-mod_ratio-1.3.3g-1.2.mga2
proftpd-mod_rewrite-1.3.3g-1.2.mga2
proftpd-mod_site_misc-1.3.3g-1.2.mga2
proftpd-mod_sql-1.3.3g-1.2.mga2
proftpd-mod_sql_mysql-1.3.3g-1.2.mga2
proftpd-mod_sql_postgres-1.3.3g-1.2.mga2
proftpd-mod_sql_passwd-1.3.3g-1.2.mga2
proftpd-mod_tls-1.3.3g-1.2.mga2
proftpd-mod_autohost-1.3.3g-1.2.mga2
proftpd-mod_case-1.3.3g-1.2.mga2
proftpd-mod_gss-1.3.3g-1.2.mga2
proftpd-mod_load-1.3.3g-1.2.mga2
proftpd-mod_shaper-1.3.3g-1.2.mga2
proftpd-mod_time-1.3.3g-1.2.mga2
proftpd-mod_wrap-1.3.3g-1.2.mga2
proftpd-mod_wrap_file-1.3.3g-1.2.mga2
proftpd-mod_wrap_sql-1.3.3g-1.2.mga2
proftpd-mod_ban-1.3.3g-1.2.mga2
proftpd-mod_vroot-1.3.3g-1.2.mga2
proftpd-mod_sftp-1.3.3g-1.2.mga2

from proftpd-1.3.3g-1.2.mga2.src.rpm

Whiteboard: has_procedure feedback => has_procedure
Manuel Hiebel
2013-01-30 14:46:38 CET
Blocks: (none) => 8884

depchecked ok

I've not been able to reproduce this so just testing proftpd basics

x86_64

Testing complete mga2 64

Just testing I can log in with my user account and access files in my home directory.

Bug 8911 created for the testsuite

Whiteboard: has_procedure => has_procedure mga2-64-ok

Similar testing mga2 32

Validating

Advisory & srpm in comment 5

Can sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0024

Status: NEW => RESOLVED