Bug 20640 - proftpd new security issue CVE-2017-7418
Summary: proftpd new security issue CVE-2017-7418
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-04-10 01:00 CEST by David Walser
Modified: 2017-04-24 09:28 CEST

See Also:
Source RPM: proftpd-1.3.5b-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-04-10 01:00:28 CEST
Upstream has released 1.3.5e today (April 9):
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5e

A freeze push has been requested for Cauldron.  Mageia 5 is also affected.
Comment 1 Marja Van Waes 2017-04-10 06:18:04 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

Comment 2 Nicolas Lécureuil 2017-04-21 10:57:47 CEST
pushed in updates_testing:

srpms:  proftpd-1.3.5e-1.mga5

CC: (none) => mageia

Nicolas Lécureuil 2017-04-21 10:58:25 CEST

Assignee: lists.jjorge => qa-bugs

Comment 3 David Walser 2017-04-21 12:11:03 CEST
Advisory:
========================

Updated proftpd packages fix security vulnerability:

ProFTPD before 1.3.5e controls whether the home directory of a user could
contain a symbolic link through the AllowChrootSymlinks configuration option,
but checks only the last path component when enforcing AllowChrootSymlinks.
Attackers with local access could bypass the AllowChrootSymlinks control by
replacing a path component (other than the last one) with a symbolic link. The
threat model includes an attacker who is not granted full filesystem access by
a hosting provider, but can reconfigure the home directory of an FTP user
(CVE-2017-7418).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5e
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-1.mga5
proftpd-devel-1.3.5e-1.mga5
proftpd-mod_ctrls_admin-1.3.5e-1.mga5
proftpd-mod_ifsession-1.3.5e-1.mga5
proftpd-mod_ldap-1.3.5e-1.mga5
proftpd-mod_quotatab-1.3.5e-1.mga5
proftpd-mod_quotatab_file-1.3.5e-1.mga5
proftpd-mod_quotatab_ldap-1.3.5e-1.mga5
proftpd-mod_quotatab_sql-1.3.5e-1.mga5
proftpd-mod_quotatab_radius-1.3.5e-1.mga5
proftpd-mod_radius-1.3.5e-1.mga5
proftpd-mod_ratio-1.3.5e-1.mga5
proftpd-mod_rewrite-1.3.5e-1.mga5
proftpd-mod_site_misc-1.3.5e-1.mga5
proftpd-mod_sql-1.3.5e-1.mga5
proftpd-mod_sql_mysql-1.3.5e-1.mga5
proftpd-mod_sql_postgres-1.3.5e-1.mga5
proftpd-mod_sql_sqlite-1.3.5e-1.mga5
proftpd-mod_sql_passwd-1.3.5e-1.mga5
proftpd-mod_tls-1.3.5e-1.mga5
proftpd-mod_tls_shmcache-1.3.5e-1.mga5
proftpd-mod_tls_memcache-1.3.5e-1.mga5
proftpd-mod_autohost-1.3.5e-1.mga5
proftpd-mod_case-1.3.5e-1.mga5
proftpd-mod_gss-1.3.5e-1.mga5
proftpd-mod_load-1.3.5e-1.mga5
proftpd-mod_shaper-1.3.5e-1.mga5
proftpd-mod_wrap-1.3.5e-1.mga5
proftpd-mod_wrap_file-1.3.5e-1.mga5
proftpd-mod_wrap_sql-1.3.5e-1.mga5
proftpd-mod_ban-1.3.5e-1.mga5
proftpd-mod_vroot-1.3.5e-1.mga5
proftpd-mod_sftp-1.3.5e-1.mga5
proftpd-mod_sftp_pam-1.3.5e-1.mga5
proftpd-mod_sftp_sql-1.3.5e-1.mga5
proftpd-mod_memcache-1.3.5e-1.mga5

from proftpd-1.3.5e-1.mga5.src.rpm
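The advisory above turns on one detail: a symlink policy that inspects only the final component of a home directory path cannot see a symlink sitting in an intermediate directory. The following Python is an added illustration of that difference and is not ProFTPD's code; the directory layout it builds (a `users` symlink pointing at `real_users`, an `alice` home beneath it) is constructed for the demo, and the `home_dir_allowed` policy function is a hypothetical stand-in for what an `AllowChrootSymlinks`-style check should do, not the server's implementation.

```python
"""Added example: why a chroot symlink policy must inspect every path
component rather than only the last one (the CVE-2017-7418 pattern).
Not ProFTPD code; the directory layout is constructed for the demo."""
import os
import shutil
import tempfile


def last_component_is_symlink(path):
    """Weak check: asks only whether the final path component is a symlink.
    Modelled on the pre-1.3.5e behaviour the advisory describes (assumption)."""
    return os.path.islink(path)


def any_component_is_symlink(path):
    """Stronger check: lstat every prefix of the absolute path so a symlink
    in any intermediate directory is detected as well."""
    current = os.sep
    for part in os.path.abspath(path).split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def home_dir_allowed(home, allow_chroot_symlinks):
    """Hypothetical policy decision in the spirit of AllowChrootSymlinks:
    when the option is off, reject a home directory if any component of
    its path is a symlink."""
    if allow_chroot_symlinks:
        return True
    return not any_component_is_symlink(home)


def build_demo_tree():
    """Constructed layout: base/users -> base/real_users, so that
    base/users/alice contains a symlink in a non-final component.
    realpath() keeps the temp directory's own ancestors out of the picture."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="chroot-demo-"))
    real_home = os.path.join(base, "real_users", "alice")
    os.makedirs(real_home)
    os.symlink(os.path.join(base, "real_users"), os.path.join(base, "users"))
    linked_home = os.path.join(base, "users", "alice")
    return base, real_home, linked_home


def run_demo():
    """Build the tree, evaluate both checks and the policy, clean up."""
    base, real_home, linked_home = build_demo_tree()
    try:
        return {
            "weak_check_flags_linked_home": last_component_is_symlink(linked_home),
            "strong_check_flags_linked_home": any_component_is_symlink(linked_home),
            "strong_check_flags_real_home": any_component_is_symlink(real_home),
            "linked_home_allowed_when_disabled": home_dir_allowed(linked_home, False),
            "linked_home_allowed_when_enabled": home_dir_allowed(linked_home, True),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the weak check reporting `False` for `base/users/alice` (the last component is a real directory) while the per-component walk reports `True`, which is exactly the gap the advisory describes. The walk uses `os.path.abspath` rather than `os.path.realpath` on purpose: resolving the symlinks first would erase the very thing the policy is supposed to notice.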
Comment 4 Herman Viaene 2017-04-21 15:10:35 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues.
Started proftpd at the CLI, then I could access localhost using filezilla. After mending the firewall, I could connect to this machine from desktop M5 on the LAN using filezilla. Looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 5 William Kenney 2017-04-21 23:33:46 CEST
In VirtualBox, M5, KDE, 64-bit

default install of proftpd

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.59-desktop-1.mga5 #1 SMP Thu Mar 30 21:28:55 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

install proftpd from updates_testing

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5e-1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

CC: (none) => wilcal.int

William Kenney 2017-04-21 23:34:03 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 6 William Kenney 2017-04-21 23:34:45 CEST
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2017-04-24 01:30:12 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 7 Mageia Robot 2017-04-24 09:28:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0115.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
