Fedora has issued an advisory on August 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163669.html

Fedora fixed it with this patch:
http://pkgs.fedoraproject.org/cgit/pure-ftpd.git/plain/pure-ftpd-1.0.36-glob-path-len.patch?h=f22&id=f87fe50f64c4dc3cdbab244048a06a2c2156e5d7

The upstream commit to fix it is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1233267

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated pure-ftpd packages fix security vulnerability:

It was reported that the process handling a user session could be crashed by trying to match a file pattern longer than the maximum length for a path.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163669.html
========================

Updated packages in core/updates_testing:
========================
pure-ftpd-1.0.36-3.1.mga4
pure-ftpd-anonymous-1.0.36-3.1.mga4
pure-ftpd-anon-upload-1.0.36-3.1.mga4
pure-ftpd-1.0.36-6.1.mga5
pure-ftpd-anonymous-1.0.36-6.1.mga5
pure-ftpd-anon-upload-1.0.36-6.1.mga5

from SRPMS:
pure-ftpd-1.0.36-3.1.mga4.src.rpm
pure-ftpd-1.0.36-6.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: pterjan => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Installed pure-ftpd, verified it was the only ftp server running on the machine.

Ran transfers from Windows to box using binary transfer of ISO. Worked fine.
Used another box to do transfers from new uploads. Worked fine.
Started automatically upon reboot.

Approved for 64-bit.
CC: (none) => brtians1
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK
Mageia release 5 (Official) for i586

Ran transfers from Windows to box using binary transfer of ISO. Worked fine.
Used another box to do transfers from new uploads. Worked fine.
Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA5-32-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
pure-ftpd pure-ftpd-anonymous pure-ftpd-anon-upload

default install of pure-ftpd pure-ftpd-anonymous & pure-ftpd-anon-upload

[root@localhost wilcal]# urpmi pure-ftpd
Package pure-ftpd-1.0.36-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anonymous
Package pure-ftpd-anonymous-1.0.36-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anon-upload
Package pure-ftpd-anon-upload-1.0.36-3.mga4.i586 is already installed

I can ftp transfer, using FileZilla, files to and from the local client
I can ftp transfer, using FileZilla, files to and from the client under test from a M5 system on the LAN

install pure-ftpd pure-ftpd-anonymous & pure-ftpd-anon-upload from updates_testing
Stop and restart pure-ftpd

[root@localhost wilcal]# urpmi pure-ftpd
Package pure-ftpd-1.0.36-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anonymous
Package pure-ftpd-anonymous-1.0.36-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anon-upload
Package pure-ftpd-anon-upload-1.0.36-3.1.mga4.i586 is already installed

I can ftp transfer, using FileZilla, files to and from the local client
I can ftp transfer, using FileZilla, files to and from the client under test from a M5 system on the LAN
CC: (none) => wilcal.int
Whiteboard: MGA4TOO MGA5-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA5-64-OK MGA5-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
pure-ftpd pure-ftpd-anonymous pure-ftpd-anon-upload

default install of pure-ftpd pure-ftpd-anonymous & pure-ftpd-anon-upload

[root@localhost wilcal]# urpmi pure-ftpd
Package pure-ftpd-1.0.36-3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anonymous
Package pure-ftpd-anonymous-1.0.36-3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anon-upload
Package pure-ftpd-anon-upload-1.0.36-3.mga4.x86_64 is already installed

I can ftp transfer, using FileZilla, files to and from the local client
I can ftp transfer, using FileZilla, files to and from the client under test from a M5 system on the LAN

install pure-ftpd pure-ftpd-anonymous & pure-ftpd-anon-upload from updates_testing
Stop and restart pure-ftpd

[root@localhost wilcal]# urpmi pure-ftpd
Package pure-ftpd-1.0.36-3.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anonymous
Package pure-ftpd-anonymous-1.0.36-3.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anon-upload
Package pure-ftpd-anon-upload-1.0.36-3.1.mga4.x86_64 is already installed

I can ftp transfer, using FileZilla, files to and from the local client
I can ftp transfer, using FileZilla, files to and from the client under test from a M5 system on the LAN
Whiteboard: MGA4TOO MGA4-32-OK MGA5-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK
This update works fine.
Testing complete for MGA4 & MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
You get the honors, Brian. Simply put and save "validated_update" in the Keywords field and it's on its way.
I'll give it a try.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK validated_update
(In reply to Brian Rockwell from comment #8)
> I'll give it a try.

Nope. It's a keyword, not a whiteboard entry.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK validated_update => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
ok - I'll get it next time
Advisory uploaded.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0355.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED