Bug 11282 - proftpd new security issue CVE-2013-4359
: proftpd new security issue CVE-2013-4359
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/568126/
: mga2too MGA3-64-OK MGA3-32-OK MGA2-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-09-24 19:06 CEST by David Walser
Modified: 2013-10-05 20:04 CEST (History)
3 users (show)

See Also:
Source RPM: proftpd-1.3.4c-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-09-24 19:06:38 CEST
Fedora has issued an advisory on September 15:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/116668.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated proftpd packages fix security vulnerability:

A bug in ProFTPd's mod_sftp and mod_sftp_pam modulescan be used to trigger
a large heap allocation and exhaust all available system memory of the
underlying operating system (CVE-2013-4359).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4359
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/116668.html
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.3g-1.3.mga2
proftpd-devel-1.3.3g-1.3.mga2
proftpd-mod_ctrls_admin-1.3.3g-1.3.mga2
proftpd-mod_ifsession-1.3.3g-1.3.mga2
proftpd-mod_ldap-1.3.3g-1.3.mga2
proftpd-mod_quotatab-1.3.3g-1.3.mga2
proftpd-mod_quotatab_file-1.3.3g-1.3.mga2
proftpd-mod_quotatab_ldap-1.3.3g-1.3.mga2
proftpd-mod_quotatab_sql-1.3.3g-1.3.mga2
proftpd-mod_quotatab_radius-1.3.3g-1.3.mga2
proftpd-mod_radius-1.3.3g-1.3.mga2
proftpd-mod_ratio-1.3.3g-1.3.mga2
proftpd-mod_rewrite-1.3.3g-1.3.mga2
proftpd-mod_site_misc-1.3.3g-1.3.mga2
proftpd-mod_sql-1.3.3g-1.3.mga2
proftpd-mod_sql_mysql-1.3.3g-1.3.mga2
proftpd-mod_sql_postgres-1.3.3g-1.3.mga2
proftpd-mod_sql_passwd-1.3.3g-1.3.mga2
proftpd-mod_tls-1.3.3g-1.3.mga2
proftpd-mod_autohost-1.3.3g-1.3.mga2
proftpd-mod_case-1.3.3g-1.3.mga2
proftpd-mod_gss-1.3.3g-1.3.mga2
proftpd-mod_load-1.3.3g-1.3.mga2
proftpd-mod_shaper-1.3.3g-1.3.mga2
proftpd-mod_time-1.3.3g-1.3.mga2
proftpd-mod_wrap-1.3.3g-1.3.mga2
proftpd-mod_wrap_file-1.3.3g-1.3.mga2
proftpd-mod_wrap_sql-1.3.3g-1.3.mga2
proftpd-mod_ban-1.3.3g-1.3.mga2
proftpd-mod_vroot-1.3.3g-1.3.mga2
proftpd-mod_sftp-1.3.3g-1.3.mga2
proftpd-1.3.4c-2.1.mga3
proftpd-devel-1.3.4c-2.1.mga3
proftpd-mod_ctrls_admin-1.3.4c-2.1.mga3
proftpd-mod_ifsession-1.3.4c-2.1.mga3
proftpd-mod_ldap-1.3.4c-2.1.mga3
proftpd-mod_quotatab-1.3.4c-2.1.mga3
proftpd-mod_quotatab_file-1.3.4c-2.1.mga3
proftpd-mod_quotatab_ldap-1.3.4c-2.1.mga3
proftpd-mod_quotatab_sql-1.3.4c-2.1.mga3
proftpd-mod_quotatab_radius-1.3.4c-2.1.mga3
proftpd-mod_radius-1.3.4c-2.1.mga3
proftpd-mod_ratio-1.3.4c-2.1.mga3
proftpd-mod_rewrite-1.3.4c-2.1.mga3
proftpd-mod_site_misc-1.3.4c-2.1.mga3
proftpd-mod_sql-1.3.4c-2.1.mga3
proftpd-mod_sql_mysql-1.3.4c-2.1.mga3
proftpd-mod_sql_postgres-1.3.4c-2.1.mga3
proftpd-mod_sql_sqlite-1.3.4c-2.1.mga3
proftpd-mod_sql_passwd-1.3.4c-2.1.mga3
proftpd-mod_tls-1.3.4c-2.1.mga3
proftpd-mod_tls_shmcache-1.3.4c-2.1.mga3
proftpd-mod_tls_memcache-1.3.4c-2.1.mga3
proftpd-mod_autohost-1.3.4c-2.1.mga3
proftpd-mod_case-1.3.4c-2.1.mga3
proftpd-mod_gss-1.3.4c-2.1.mga3
proftpd-mod_load-1.3.4c-2.1.mga3
proftpd-mod_shaper-1.3.4c-2.1.mga3
proftpd-mod_time-1.3.4c-2.1.mga3
proftpd-mod_wrap-1.3.4c-2.1.mga3
proftpd-mod_wrap_file-1.3.4c-2.1.mga3
proftpd-mod_wrap_sql-1.3.4c-2.1.mga3
proftpd-mod_ban-1.3.4c-2.1.mga3
proftpd-mod_vroot-1.3.4c-2.1.mga3
proftpd-mod_sftp-1.3.4c-2.1.mga3
proftpd-mod_sftp_pam-1.3.4c-2.1.mga3
proftpd-mod_sftp_sql-1.3.4c-2.1.mga3
proftpd-mod_memcache-1.3.4c-2.1.mga3

from SRPMS:
proftpd-1.3.3g-1.3.mga2.src.rpm
proftpd-1.3.4c-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Dave Hodgins 2013-09-24 20:53:03 CEST
Advisory 11282.adv committed to svn and mga2too added to whiteboard.
Comment 2 Dave Hodgins 2013-09-24 23:56:09 CEST
No poc, so just testing that the server is working.
Testing complete both releases, both arches.

Someone from the sysadmin team please push 11282.adv to updates.
Comment 3 Thomas Backlund 2013-10-05 20:04:10 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0295.html

Note You need to log in before you can comment on or make changes to this bug.