A CVE has been assigned for a security issue in proftpd's mod_tls in 1.3.5b: http://openwall.com/lists/oss-security/2016/03/11/14 The upstream patch doesn't apply cleanly to 1.3.5. We'll have to see if someone backports it, or we'll have to update to 1.3.5b (already done in Cauldron).
Fedora has issued an advisory for this on March 20: https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179143.html
URL: (none) => http://lwn.net/Vulnerabilities/680795/
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
I agree with the update to 1.3.5b. David, I can do that if you want...
Status: NEW => ASSIGNED
CC: (none) => lists.jjorge
(In reply to José Jorge from comment #3)
> I agree with the update to 1.3.5b. David, I can do that if you want...

Please do. Thanks.
I have uploaded a 1.3.5b package for Mageia 5. You can test this by connecting by ftp to localhost ;-)

Suggested advisory:
========================

Updated proftpd packages fix security vulnerabilities:

A CVE has been assigned for a security issue in proftpd's mod_tls. This update also brings, as a bonus, other bug fixes from the 1.3.5b release:
+ SSH RSA hostkeys smaller than 2048 bits now work properly.
+ MLSD response lines are now properly CRLF terminated.
+ Fixed selection of DH groups from TLSDHParamFile.

References:
http://openwall.com/lists/oss-security/2016/03/11/14
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b
========================

Updated packages in {core,tainted}/updates_testing:
========================
proftpd-1.3.5b-1.mga5
proftpd-mod{*}1.3.5b-1.mga5
proftpd-devel-1.3.5b-1.mga5

Source RPMs:
proftpd-1.3.5b-1.mga5
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2016-3125
Thanks José!

Suggested advisory:
========================

Updated proftpd packages fix security vulnerability:

A bug with security implications was found in the mod_tls module in ProFTPD before 1.3.5b. This module has a configuration option TLSDHParamFile to specify user-defined Diffie-Hellman parameters. The software would ignore the user-defined parameters and use Diffie-Hellman key exchanges with 1024 bits (CVE-2016-3125).

The proftpd package has been updated to version 1.3.5b, which fixes this issue and other bugs, including:
- SSH RSA hostkeys smaller than 2048 bits now work properly.
- MLSD response lines are now properly CRLF terminated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3125
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179143.html
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
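The advisory above says the bug is that mod_tls ignored TLSDHParamFile and fell back to 1024-bit DH. A QA tester who wants more than "filezilla works" needs two checks: that the parameter file actually holds a modulus of the intended size, and that the server really negotiates that size. The script below is an added example, not code from the bug report or from ProFTPD. It parses a PEM "DH PARAMETERS" file (the format `openssl dhparam -out dh2048.pem 2048` produces, which is what one would point `TLSDHParamFile` at) and the `Server Temp Key: DH, N bits` line that `openssl s_client -starttls ftp -connect host:21` prints with OpenSSL 1.0.2 or later. The sample modulus is a synthetic 2048-bit number (not a prime; it only exercises the encoder and parser) and the two s_client excerpts are constructed, not captured from a real server.

```python
import base64
import re

# Minimal DER reader for the PKCS#3 structure OpenSSL writes to a
# "DH PARAMETERS" PEM file:
#   DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }
# Only what is needed to measure the prime is implemented (stdlib only).

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _pem_to_der(pem_text):
    body = re.sub(r"-----(BEGIN|END) DH PARAMETERS-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' file."""
    der = _pem_to_der(pem_text)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, prime, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER for prime")
    return int.from_bytes(prime, "big").bit_length()

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(n):
    # One extra bit of room so a set top bit gets a leading 0x00 (positive INTEGER).
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(raw)) + raw

def encode_dh_params(p, g):
    """Write (p, g) as a PEM 'DH PARAMETERS' block (used here to build test input)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")

# Matches "Server Temp Key: DH, 1024 bits" and "Server Temp Key: ECDH, P-256, 256 bits".
TEMP_KEY_RE = re.compile(r"^Server Temp Key: (\w+), (?:[^,\n]+, )?(\d+) bits", re.M)

def negotiated_dh_bits(s_client_output):
    """DH modulus size from `openssl s_client -starttls ftp` output, or None if not DH."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m or m.group(1) != "DH":
        return None
    return int(m.group(2))

def honours_dhparam_file(pem_text, s_client_output):
    """True when the server's ephemeral DH modulus matches the configured file."""
    return negotiated_dh_bits(s_client_output) == dh_prime_bits(pem_text)

# Constructed sample data (synthetic modulus, NOT a prime; fabricated s_client lines).
SAMPLE_P = (1 << 2047) | 1
SAMPLE_PEM = encode_dh_params(SAMPLE_P, 2)
VULNERABLE_OUTPUT = "SSL handshake has read 2345 bytes\nServer Temp Key: DH, 1024 bits\n"
FIXED_OUTPUT = "SSL handshake has read 2601 bytes\nServer Temp Key: DH, 2048 bits\n"

if __name__ == "__main__":
    print("configured modulus:", dh_prime_bits(SAMPLE_PEM), "bits")
    print("vulnerable server honours file:", honours_dhparam_file(SAMPLE_PEM, VULNERABLE_OUTPUT))
    print("fixed server honours file:", honours_dhparam_file(SAMPLE_PEM, FIXED_OUTPUT))
```

On a real host, feed `dh_prime_bits` the contents of the file named in `TLSDHParamFile` and `negotiated_dh_bits` the captured output of `openssl s_client -starttls ftp -connect localhost:21 </dev/null`; a 1.3.5 server with a 2048-bit file configured reports 1024 bits, a 1.3.5b server reports the file's size.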
In VirtualBox, M5, KDE, 32-bit

default install of proftpd
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.1.mga5.i586 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

install proftpd from updates_testing
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.i586 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works
CC: (none) => wilcal.int
Whiteboard: advisory => advisory MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

default install of proftpd
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

install proftpd from updates_testing
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
This looks good to go. What do you say, David?
Yes, thanks William.
This update works fine.

Testing complete for MGA5, 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0128.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED