Upstream has released 1.3.5e today (April 9):
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5e

A freeze push has been requested for Cauldron. Mageia 5 is also affected.
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => lists.jjorge
pushed in updates_testing: srpms: proftpd-1.3.5e-1.mga5
CC: (none) => mageia
Assignee: lists.jjorge => qa-bugs
Advisory:
========================

Updated proftpd packages fix security vulnerability:

ProFTPD before 1.3.5e controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user (CVE-2017-7418).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5e
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-1.mga5
proftpd-devel-1.3.5e-1.mga5
proftpd-mod_ctrls_admin-1.3.5e-1.mga5
proftpd-mod_ifsession-1.3.5e-1.mga5
proftpd-mod_ldap-1.3.5e-1.mga5
proftpd-mod_quotatab-1.3.5e-1.mga5
proftpd-mod_quotatab_file-1.3.5e-1.mga5
proftpd-mod_quotatab_ldap-1.3.5e-1.mga5
proftpd-mod_quotatab_sql-1.3.5e-1.mga5
proftpd-mod_quotatab_radius-1.3.5e-1.mga5
proftpd-mod_radius-1.3.5e-1.mga5
proftpd-mod_ratio-1.3.5e-1.mga5
proftpd-mod_rewrite-1.3.5e-1.mga5
proftpd-mod_site_misc-1.3.5e-1.mga5
proftpd-mod_sql-1.3.5e-1.mga5
proftpd-mod_sql_mysql-1.3.5e-1.mga5
proftpd-mod_sql_postgres-1.3.5e-1.mga5
proftpd-mod_sql_sqlite-1.3.5e-1.mga5
proftpd-mod_sql_passwd-1.3.5e-1.mga5
proftpd-mod_tls-1.3.5e-1.mga5
proftpd-mod_tls_shmcache-1.3.5e-1.mga5
proftpd-mod_tls_memcache-1.3.5e-1.mga5
proftpd-mod_autohost-1.3.5e-1.mga5
proftpd-mod_case-1.3.5e-1.mga5
proftpd-mod_gss-1.3.5e-1.mga5
proftpd-mod_load-1.3.5e-1.mga5
proftpd-mod_shaper-1.3.5e-1.mga5
proftpd-mod_wrap-1.3.5e-1.mga5
proftpd-mod_wrap_file-1.3.5e-1.mga5
proftpd-mod_wrap_sql-1.3.5e-1.mga5
proftpd-mod_ban-1.3.5e-1.mga5
proftpd-mod_vroot-1.3.5e-1.mga5
proftpd-mod_sftp-1.3.5e-1.mga5
proftpd-mod_sftp_pam-1.3.5e-1.mga5
proftpd-mod_sftp_sql-1.3.5e-1.mga5
proftpd-mod_memcache-1.3.5e-1.mga5

from proftpd-1.3.5e-1.mga5.src.rpm
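The difference between the last-component check the advisory describes and a check of every path component, as an added example that is not part of the original report and is not ProFTPD's code; the function names and the temporary directory layout are constructed for illustration.

```c
/* Added example, not ProFTPD code; names and sample layout are hypothetical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Check as described in the advisory: lstat() inspects only the last component. */
int last_is_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}
/* Per-component check: lstat() every prefix of an absolute path.
 * Returns 1 if any component is a symlink, 0 if none, -1 on error. */
int any_is_symlink(const char *path) {
    char buf[PATH_MAX];
    size_t len = strlen(path);
    if (path[0] != '/' || len >= sizeof(buf)) return -1;
    memcpy(buf, path, len + 1);
    for (size_t i = 1; i <= len; i++) {
        if ((buf[i] != '/' && buf[i] != '\0') || buf[i - 1] == '/') continue;
        char saved = buf[i];
        buf[i] = '\0';                  /* cut the path after this component */
        int r = last_is_symlink(buf);
        buf[i] = saved;
        if (r != 0) return r;           /* symlink found, or lstat() failed */
    }
    return 0;
}
/* Constructed sample: <base>/real/home is a directory, <base>/link -> real. */
int build_sample(char *base /* PATH_MAX bytes, receives canonical <base> */) {
    char tmpl[] = "/tmp/chrootsym.XXXXXX", p[PATH_MAX + 16];
    if (mkdtemp(tmpl) == NULL || realpath(tmpl, base) == NULL) return -1;
    snprintf(p, sizeof(p), "%s/real", base);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof(p), "%s/real/home", base);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof(p), "%s/link", base);
    return symlink("real", p);
}
int main(void) {
    char base[PATH_MAX], home[PATH_MAX + 16];
    if (build_sample(base) != 0) return 1;
    snprintf(home, sizeof(home), "%s/link/home", base);
    printf("last-only=%d any=%d\n", last_is_symlink(home), any_is_symlink(home));
    return 0;
}
```

A walk like this is a point-in-time check: a component replaced after it runs is not covered by the result.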
MGA-32 on Asus A6000VM Xfce No installation issues. Start proftpd at CLI, then I could access localhost using filezilla. After mending the firewall, I could connect this machine from desktop M5 on LAN using filezilla. Looks OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

default install of proftpd

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.59-desktop-1.mga5 #1 SMP Thu Mar 30 21:28:55 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

install proftpd from updates_testing

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5e-1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works
CC: (none) => wilcal.int
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0115.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED