Fedora has issued an advisory on September 15:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/116668.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated proftpd packages fix security vulnerability:

A bug in ProFTPd's mod_sftp and mod_sftp_pam modules can be used to trigger a large heap allocation and exhaust all available system memory of the underlying operating system (CVE-2013-4359).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4359
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/116668.html
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.3g-1.3.mga2
proftpd-devel-1.3.3g-1.3.mga2
proftpd-mod_ctrls_admin-1.3.3g-1.3.mga2
proftpd-mod_ifsession-1.3.3g-1.3.mga2
proftpd-mod_ldap-1.3.3g-1.3.mga2
proftpd-mod_quotatab-1.3.3g-1.3.mga2
proftpd-mod_quotatab_file-1.3.3g-1.3.mga2
proftpd-mod_quotatab_ldap-1.3.3g-1.3.mga2
proftpd-mod_quotatab_sql-1.3.3g-1.3.mga2
proftpd-mod_quotatab_radius-1.3.3g-1.3.mga2
proftpd-mod_radius-1.3.3g-1.3.mga2
proftpd-mod_ratio-1.3.3g-1.3.mga2
proftpd-mod_rewrite-1.3.3g-1.3.mga2
proftpd-mod_site_misc-1.3.3g-1.3.mga2
proftpd-mod_sql-1.3.3g-1.3.mga2
proftpd-mod_sql_mysql-1.3.3g-1.3.mga2
proftpd-mod_sql_postgres-1.3.3g-1.3.mga2
proftpd-mod_sql_passwd-1.3.3g-1.3.mga2
proftpd-mod_tls-1.3.3g-1.3.mga2
proftpd-mod_autohost-1.3.3g-1.3.mga2
proftpd-mod_case-1.3.3g-1.3.mga2
proftpd-mod_gss-1.3.3g-1.3.mga2
proftpd-mod_load-1.3.3g-1.3.mga2
proftpd-mod_shaper-1.3.3g-1.3.mga2
proftpd-mod_time-1.3.3g-1.3.mga2
proftpd-mod_wrap-1.3.3g-1.3.mga2
proftpd-mod_wrap_file-1.3.3g-1.3.mga2
proftpd-mod_wrap_sql-1.3.3g-1.3.mga2
proftpd-mod_ban-1.3.3g-1.3.mga2
proftpd-mod_vroot-1.3.3g-1.3.mga2
proftpd-mod_sftp-1.3.3g-1.3.mga2

proftpd-1.3.4c-2.1.mga3
proftpd-devel-1.3.4c-2.1.mga3
proftpd-mod_ctrls_admin-1.3.4c-2.1.mga3
proftpd-mod_ifsession-1.3.4c-2.1.mga3
proftpd-mod_ldap-1.3.4c-2.1.mga3
proftpd-mod_quotatab-1.3.4c-2.1.mga3
proftpd-mod_quotatab_file-1.3.4c-2.1.mga3
proftpd-mod_quotatab_ldap-1.3.4c-2.1.mga3
proftpd-mod_quotatab_sql-1.3.4c-2.1.mga3
proftpd-mod_quotatab_radius-1.3.4c-2.1.mga3
proftpd-mod_radius-1.3.4c-2.1.mga3
proftpd-mod_ratio-1.3.4c-2.1.mga3
proftpd-mod_rewrite-1.3.4c-2.1.mga3
proftpd-mod_site_misc-1.3.4c-2.1.mga3
proftpd-mod_sql-1.3.4c-2.1.mga3
proftpd-mod_sql_mysql-1.3.4c-2.1.mga3
proftpd-mod_sql_postgres-1.3.4c-2.1.mga3
proftpd-mod_sql_sqlite-1.3.4c-2.1.mga3
proftpd-mod_sql_passwd-1.3.4c-2.1.mga3
proftpd-mod_tls-1.3.4c-2.1.mga3
proftpd-mod_tls_shmcache-1.3.4c-2.1.mga3
proftpd-mod_tls_memcache-1.3.4c-2.1.mga3
proftpd-mod_autohost-1.3.4c-2.1.mga3
proftpd-mod_case-1.3.4c-2.1.mga3
proftpd-mod_gss-1.3.4c-2.1.mga3
proftpd-mod_load-1.3.4c-2.1.mga3
proftpd-mod_shaper-1.3.4c-2.1.mga3
proftpd-mod_time-1.3.4c-2.1.mga3
proftpd-mod_wrap-1.3.4c-2.1.mga3
proftpd-mod_wrap_file-1.3.4c-2.1.mga3
proftpd-mod_wrap_sql-1.3.4c-2.1.mga3
proftpd-mod_ban-1.3.4c-2.1.mga3
proftpd-mod_vroot-1.3.4c-2.1.mga3
proftpd-mod_sftp-1.3.4c-2.1.mga3
proftpd-mod_sftp_pam-1.3.4c-2.1.mga3
proftpd-mod_sftp_sql-1.3.4c-2.1.mga3
proftpd-mod_memcache-1.3.4c-2.1.mga3

from SRPMS:
proftpd-1.3.3g-1.3.mga2.src.rpm
proftpd-1.3.4c-2.1.mga3.src.rpm
Advisory 11282.adv committed to svn and mga2too added to whiteboard.
CC: (none) => davidwhodgins
Whiteboard: (none) => mga2too
No poc, so just testing that the server is working. Testing complete both releases, both arches. Someone from the sysadmin team please push 11282.adv to updates.
Keywords: (none) => validated_update
Whiteboard: mga2too => mga2too MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0295.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED