Fedora has issued an advisory on December 11:
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173656.html

Fedora also fixed a crash in mod_lang on November 8:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171090.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated proftpd packages fix security vulnerability:

Part of the SFTP handshake involves "extensions", which are key/value pairs, comprised of strings. In SSH, strings are encoded for network transport as a 32-bit length, followed by the bytes. The mod_sftp module currently places no bounds/length limitations when reading these SFTP extension key/value data from the network. A malicious attacker might attempt to encode large values, and allocate more memory than is necessary, causing excessive resource usage or the FTP daemon to crash (proftpd#4210).

This update also includes a fix for a crash in mod_lang (proftpd#4206).

References:
http://bugs.proftpd.org/show_bug.cgi?id=4206
http://bugs.proftpd.org/show_bug.cgi?id=4210
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171090.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173656.html
========================

Updated packages in core/updates_testing:
========================

proftpd-1.3.5-5.1.mga5
proftpd-devel-1.3.5-5.1.mga5
proftpd-mod_ctrls_admin-1.3.5-5.1.mga5
proftpd-mod_ifsession-1.3.5-5.1.mga5
proftpd-mod_ldap-1.3.5-5.1.mga5
proftpd-mod_quotatab-1.3.5-5.1.mga5
proftpd-mod_quotatab_file-1.3.5-5.1.mga5
proftpd-mod_quotatab_ldap-1.3.5-5.1.mga5
proftpd-mod_quotatab_sql-1.3.5-5.1.mga5
proftpd-mod_quotatab_radius-1.3.5-5.1.mga5
proftpd-mod_radius-1.3.5-5.1.mga5
proftpd-mod_ratio-1.3.5-5.1.mga5
proftpd-mod_rewrite-1.3.5-5.1.mga5
proftpd-mod_site_misc-1.3.5-5.1.mga5
proftpd-mod_sql-1.3.5-5.1.mga5
proftpd-mod_sql_mysql-1.3.5-5.1.mga5
proftpd-mod_sql_postgres-1.3.5-5.1.mga5
proftpd-mod_sql_sqlite-1.3.5-5.1.mga5
proftpd-mod_sql_passwd-1.3.5-5.1.mga5
proftpd-mod_tls-1.3.5-5.1.mga5
proftpd-mod_tls_shmcache-1.3.5-5.1.mga5
proftpd-mod_tls_memcache-1.3.5-5.1.mga5
proftpd-mod_autohost-1.3.5-5.1.mga5
proftpd-mod_case-1.3.5-5.1.mga5
proftpd-mod_gss-1.3.5-5.1.mga5
proftpd-mod_load-1.3.5-5.1.mga5
proftpd-mod_shaper-1.3.5-5.1.mga5
proftpd-mod_wrap-1.3.5-5.1.mga5
proftpd-mod_wrap_file-1.3.5-5.1.mga5
proftpd-mod_wrap_sql-1.3.5-5.1.mga5
proftpd-mod_ban-1.3.5-5.1.mga5
proftpd-mod_vroot-1.3.5-5.1.mga5
proftpd-mod_sftp-1.3.5-5.1.mga5
proftpd-mod_sftp_pam-1.3.5-5.1.mga5
proftpd-mod_sftp_sql-1.3.5-5.1.mga5
proftpd-mod_memcache-1.3.5-5.1.mga5

from proftpd-1.3.5-5.1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
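The length-prefixed SSH string the advisory describes, read with the two bounds checks the unpatched mod_sftp reader lacked (declared length must fit the bytes actually received and stay under a per-string cap). This is an added example written for this thread, not proftpd's code or its actual fix; the 4096-byte cap and the sample byte strings are assumptions constructed here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Cap on one extension name/value: an assumption for this example, not the
 * limit proftpd chose for its fix. */
#define MAX_EXT_STRING_LEN 4096
/* Read one SSH "string" (32-bit big-endian length, then that many bytes).
 * Returns bytes consumed, or 0 when the declared length exceeds the data
 * actually received or the cap, so nothing is allocated for a peer-chosen size. */
size_t read_ssh_string(const unsigned char *buf, size_t buflen, size_t max_len,
                       char **out, uint32_t *out_len)
{
    uint32_t len;
    if (buflen < 4)
        return 0;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    /* The checks the unpatched reader lacked: the length must fit the
     * remaining input and stay below a sane per-string limit. */
    if (len > buflen - 4 || len > max_len)
        return 0;
    *out = malloc((size_t)len + 1);
    if (*out == NULL)
        return 0;
    memcpy(*out, buf + 4, len);
    (*out)[len] = '\0';
    *out_len = len;
    return 4 + (size_t)len;
}
/* Constructed samples, not captured traffic. */
static const unsigned char good_ext[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
/* Declares 0x7fffffff bytes but carries four; an unbounded reader would try
 * to allocate about 2 GiB for it. */
static const unsigned char bad_ext[] = { 0x7f, 0xff, 0xff, 0xff, 'a', 'b', 'c', 'd' };
/* 1 when the well-formed sample parses to "hello", consuming 9 bytes. */
int parse_good_sample(void)
{
    char *s = NULL; uint32_t n = 0;
    size_t used = read_ssh_string(good_ext, sizeof good_ext, MAX_EXT_STRING_LEN, &s, &n);
    int ok = used == 9 && n == 5 && s != NULL && strcmp(s, "hello") == 0;
    free(s);
    return ok;
}
/* 1 when the oversized sample is rejected with no allocation. */
int reject_bad_sample(void)
{
    char *s = NULL; uint32_t n = 0;
    return read_ssh_string(bad_ext, sizeof bad_ext, MAX_EXT_STRING_LEN, &s, &n) == 0 && s == NULL;
}
```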
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: proftp proftpd-mod_sftp

default install of proftp & proftpd-mod_sftp

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi proftpd-mod_sftp
Package proftpd-mod_sftp-1.3.5-5.mga5.i586 is already installed

I can use Proftp to send and download files from another M5 system on the LAN. Another M5 system on the LAN can send and download files from the M5 system under test.

install proftp & proftpd-mod_sftp from updates_testing

Stop then restart proftpd

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi proftpd-mod_sftp
Package proftpd-mod_sftp-1.3.5-5.1.mga5.i586 is already installed

I can use Proftp to send and download files from another M5 system on the LAN. Another M5 system on the LAN can send and download files from the M5 system under test.
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: proftp proftpd-mod_sftp

default install of proftp & proftpd-mod_sftp

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi proftpd-mod_sftp
Package proftpd-mod_sftp-1.3.5-5.mga5.x86_64 is already installed

I can use Proftp to send and download files from another M5 system on the LAN. Another M5 system on the LAN can send and download files from the M5 system under test.

install proftp & proftpd-mod_sftp from updates_testing

Stop then restart proftpd

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi proftpd-mod_sftp
Package proftpd-mod_sftp-1.3.5-5.1.mga5.x86_64 is already installed

I can use Proftp to send and download files from another M5 system on the LAN. Another M5 system on the LAN can send and download files from the M5 system under test.
Good enough to push this along David?
It's not clear how you connected to the server. You should use sftp (or a client using that protocol) to test this update.
(In reply to David Walser from comment #4)
> It's not clear how you connected to the server. You should use sftp (or a
> client using that protocol) to test this update.

Well that was kinda fun. I brought up both Vbox clients at the same time and using sftp was able to "get" & "put" files between the two test clients.

sftp wilcal@192.168.1.141
and
sftp wilcal@192.168.1.143

Good enough?
Are you sure that you were using proftpd's sftp and not sshd's sftp on the server side?
(In reply to David Walser from comment #6)
> Are you sure that you were using proftpd's sftp and not sshd's sftp on the
> server side?

I donno? How can I be sure one way or the other?
(In reply to William Kenney from comment #7)
> (In reply to David Walser from comment #6)
>
> > Are you sure that you were using proftpd's sftp and not sshd's sftp on the
> > server side?
>
> I donno? How can I be sure one way or the other?

One thing you can do is run this on the server:
fuser 22/tcp

or this:
netstat -nltp

to check which process is listening on port 22. If it's sshd, that's not what you want in this case. I'd guess mod_sftp in proftpd probably needs to be enabled in the config to actually be used.
You can use FileZilla ftp client for this IINM.
Testing complete mga5 32

From example at http://proftpd.org/docs/contrib/mod_sftp.html

Added a virtualhost with lan ip on port 66..

<IfModule mod_sftp.c>
  <VirtualHost 192.168.0.10>
    SFTPEngine on
    SFTPLog /etc/proftpd/sftp/sftp.log

    # Configure the server to listen on the normal SSH2 port, port 22
    Port 66

    # Configure the RSA, DSA, and ECDSA host keys, using the same host key
    # files that OpenSSH uses.
    # SFTPHostKey /etc/ssh_host_rsa_key
    # SFTPHostKey /etc/ssh_host_dsa_key
    # SFTPHostKey /etc/ssh_host_ecdsa_key

    # Configure the file used for comparing authorized public keys of users.
    SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

    # Enable compression
    SFTPCompression delayed

    # Allow the same number of authentication attempts as OpenSSH.
    #
    # It is recommended that you explicitly configure MaxLoginAttempts
    # for your SSH2/SFTP instance to be higher than the normal
    # MaxLoginAttempts value for FTP, as there are more ways to authenticate
    # using SSH2.
    MaxLoginAttempts 6
  </VirtualHost>
</IfModule>

Started with
# proftpd -n -d5
and noted..

Config for ProFTPD Default Installation:
SFTPEngine
SFTPLog
SFTPAuthorizedUserKeys
SFTPCompression
MaxLoginAttempts
set core resource limits for daemon
ProFTPD 1.3.5 (stable) (built Mon Dec 14 2015 23:21:55 UTC) standalone mode STARTUP

killed with ctrl-c

started proftpd service & tested with telnet..

# systemctl start proftpd.service
$ telnet localhost 66
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [127.0.0.1]
^]
telnet> quit
Connection closed.
Whiteboard: (none) => has_procedure mga5-32-ok
Validating. Advisory uploaded. Please push to 5 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-32-ok => has_procedure advisory mga5-32-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0485.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED