Debian has issued an advisory on August 4: https://www.debian.org/security/2019/dsa-4491 Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => lists.jjorge
http://proftpd.org/docs/RELEASE_NOTES-1.3.6b
https://security-tracker.debian.org/tracker/CVE-2019-18217
https://www.debian.org/lts/security/2019/dla-1974
Patches for both issues are here:
http://security.debian.org/debian-security/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.5e+r1.3.5-2+deb8u4.debian.tar.xz
Assignee: lists.jjorge => pkg-bugs
Summary: proftpd new security issue CVE-2019-12815 => proftpd new security issues CVE-2019-12815 and CVE-2019-18217
*** Bug 25623 has been marked as a duplicate of this bug. ***
CC: (none) => zombie.ryushu
Mageia 6 is EOL. Cauldron is already v1.3.6b and is not vulnerable. Patched package uploaded for Mageia 7.

Advisory:
========================

Updated proftpd package fixes security vulnerabilities:

* It was discovered that the mod_copy module of ProFTPD, an FTP/SFTP/FTPS server, performed incomplete permission validation for the CPFR/CPTO commands (CVE-2019-12815).
* It was discovered that due to incorrect handling of overly long commands, a remote unauthenticated user could trigger a denial-of-service by reaching an endless loop (CVE-2019-18217).

References:
https://www.debian.org/security/2019/dsa-4491
https://www.debian.org/lts/security/2019/dla-1974
https://nvd.nist.gov/vuln/detail/CVE-2019-12815
https://nvd.nist.gov/vuln/detail/CVE-2019-18217
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-4.1.mga7
proftpd-devel-1.3.5e-4.1.mga7
proftpd-mod_autohost-1.3.5e-4.1.mga7
proftpd-mod_ban-1.3.5e-4.1.mga7
proftpd-mod_case-1.3.5e-4.1.mga7
proftpd-mod_ctrls_admin-1.3.5e-4.1.mga7
proftpd-mod_gss-1.3.5e-4.1.mga7
proftpd-mod_ifsession-1.3.5e-4.1.mga7
proftpd-mod_ldap-1.3.5e-4.1.mga7
proftpd-mod_load-1.3.5e-4.1.mga7
proftpd-mod_memcache-1.3.5e-4.1.mga7
proftpd-mod_quotatab-1.3.5e-4.1.mga7
proftpd-mod_quotatab_file-1.3.5e-4.1.mga7
proftpd-mod_quotatab_ldap-1.3.5e-4.1.mga7
proftpd-mod_quotatab_radius-1.3.5e-4.1.mga7
proftpd-mod_quotatab_sql-1.3.5e-4.1.mga7
proftpd-mod_radius-1.3.5e-4.1.mga7
proftpd-mod_ratio-1.3.5e-4.1.mga7
proftpd-mod_rewrite-1.3.5e-4.1.mga7
proftpd-mod_sftp-1.3.5e-4.1.mga7
proftpd-mod_sftp_pam-1.3.5e-4.1.mga7
proftpd-mod_sftp_sql-1.3.5e-4.1.mga7
proftpd-mod_shaper-1.3.5e-4.1.mga7
proftpd-mod_site_misc-1.3.5e-4.1.mga7
proftpd-mod_sql-1.3.5e-4.1.mga7
proftpd-mod_sql_mysql-1.3.5e-4.1.mga7
proftpd-mod_sql_passwd-1.3.5e-4.1.mga7
proftpd-mod_sql_postgres-1.3.5e-4.1.mga7
proftpd-mod_sql_sqlite-1.3.5e-4.1.mga7
proftpd-mod_tls-1.3.5e-4.1.mga7
proftpd-mod_tls_memcache-1.3.5e-4.1.mga7
proftpd-mod_tls_shmcache-1.3.5e-4.1.mga7
proftpd-mod_vroot-1.3.5e-4.1.mga7
proftpd-mod_wrap-1.3.5e-4.1.mga7
proftpd-mod_wrap_file-1.3.5e-4.1.mga7
proftpd-mod_wrap_sql-1.3.5e-4.1.mga7

from proftpd-1.3.5e-4.1.mga7.src.rpm

Test procedure
https://bugs.mageia.org/show_bug.cgi?id=17960#c8
CC: (none) => mrambo
Keywords: (none) => has_procedure
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
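A practical follow-up to the package list above is confirming that a given host actually carries the fixed build. The script below is an added example and is not part of this bug report or of the Mageia/ProFTPD tooling: it compares an installed `name-version-release` label against the fixed label from comment 4 (`proftpd-1.3.5e-4.1.mga7`) using a simplified reimplementation of rpm's `rpmvercmp` segment ordering. Assumptions: the input label has no epoch and no architecture suffix (obtain it with `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' proftpd`), and the `'^'` ordering character of newer rpm releases is not handled. The sample labels other than the fixed one are constructed for illustration and are not real Mageia package labels.

```python
import itertools
import re
from typing import Tuple

# Fixed package label taken from comment 4 of this bug (Mageia 7 update).
FIXED_NVR = "proftpd-1.3.5e-4.1.mga7"

# A "segment" is a run of digits, a run of letters, or a lone '~';
# every other character (., -, +, _) is treated as a separator.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version or release labels, returning -1, 0 or 1.

    Simplified reimplementation of rpm's rpmvercmp (assumption: '^' is not
    handled, and epochs are not part of the input):
      * segments are compared pairwise left to right;
      * two numeric segments compare as integers ("10" > "9");
      * a numeric segment is newer than an alphabetic one, so
        "4.1.mga7" > "4.mga7" at the second segment;
      * '~' sorts before anything, including end of string ("1.0~rc1" < "1.0");
      * otherwise the label with segments left over is newer ("1.3.5e" > "1.3.5").
    """
    for x, y in itertools.zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
            continue  # "01" and "1" are numerically equal
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return 1 if x > y else -1
    return 0


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' (no architecture suffix) into its parts.

    Package names may themselves contain '-' (e.g. proftpd-mod_sql), so the
    split is taken from the right.
    """
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(installed_nvr: str, fixed_nvr: str = FIXED_NVR) -> bool:
    """True if the installed package label is at or above the fixed label."""
    name, version, release = parse_nvr(installed_nvr)
    fixed_name, fixed_version, fixed_release = parse_nvr(fixed_nvr)
    if name != fixed_name:
        raise ValueError(f"package name mismatch: {name!r} vs {fixed_name!r}")
    # Version decides first; only an equal version falls through to the release.
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0


if __name__ == "__main__":
    # Constructed sample labels; only the first is a real label from this bug.
    samples = [
        "proftpd-1.3.5e-4.1.mga7",  # the update from comment 4
        "proftpd-1.3.5e-4.mga7",    # hypothetical earlier build of 1.3.5e
        "proftpd-1.3.6b-1.mga8",    # hypothetical later upstream version
    ]
    for label in samples:
        print(f"{label}: {'patched' if is_patched(label) else 'VULNERABLE'}")
```

Note that the upstream version alone is not enough to decide: comments 7 and 9 below record that Cauldron stayed on 1.3.5e with both CVE patches applied, so on Cauldron only the release part of the label distinguishes a patched build, and that label is not given on this page.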
Mike, Cauldron also has 1.3.5e, so please push the fix there.
MGA7-64 Plasma on Lenovo B50

No installation issues, just installed the server.

# systemctl start proftpd
# systemctl -l status proftpd
● proftpd.service - LSB: ProFTPD FTP server
   Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
   Active: active (running) since Tue 2019-11-05 10:28:38 CET; 21s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 30062 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
   Memory: 3.0M
   CGroup: /system.slice/proftpd.service
           └─30073 proftpd: (accepting connections)

nov 05 10:28:38 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
nov 05 10:28:38 mach5.hviaene.thuis proftpd[30062]: Starting proftpd[ OK ]
nov 05 10:28:38 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

After opening the firewall for ftp, I could connect to this laptop from my desktop using the ftp command and running the pwd and ls commands, and put a file to the server. OK for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
(In reply to David Walser from comment #5)
> Mike, Cauldron also has 1.3.5e, so please push the fix there.

Cauldron has 1.3.6b (see top of comment 4). zezinho pushed it on Oct 28.
Mike, no: either he didn't push it to the buildsystem or it failed to build. 1.3.6b is only in SVN; 1.3.5e is still in the repository.
I guess it failed to build - it wouldn't build locally. Reverted cauldron to 1.3.5e with both CVE patches applied same as mga7.
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0314.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Debian has issued an advisory for CVE-2019-18217 on November 5: https://www.debian.org/security/2019/dsa-4559