Bug 25623 - proftpd new security issue CVE-2019-18217
Summary: proftpd new security issue CVE-2019-18217
Status: RESOLVED DUPLICATE of bug 25287
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact:
URL: http://proftpd.org/docs/RELEASE_NOTES...
Whiteboard: MGA7TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-27 23:42 CET by Zombie Ryushu
Modified: 2019-10-29 03:23 CET
CC: 1 user

See Also:
Source RPM: proftpd-1.3.5e-4.mga7.src.rpm
CVE:
Status comment:

Description Zombie Ryushu 2019-10-27 23:42:07 CET
This file contains a description of the major changes to ProFTPD for the
1.3.6 release cycle, from the 1.3.6rc1 release to the 1.3.6 maintenance
releases.  More information on these changes can be found in the NEWS and
ChangeLog files.

1.3.6b
---------
  + Fixed pre-authentication remote denial-of-service issue (Issue #846).
  + Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).

1.3.6a
---------
  + Fixed symlink navigation (Bug#4332).
  + Fixed building of mod_sftp using OpenSSL 1.1.x releases (Issue#674).
  + Fixed SITE COPY honoring of <Limit> restrictions (Bug#4372).
  + Fixed segfault on login when using mod_sftp + mod_sftp_pam (Issue#656).
  + Fixed restarts when using mod_facl as a static module.
Comment 1 Lewis Smith 2019-10-28 20:16:10 CET
Thank you for the notification.
Our package is currently 1.3.5e-4, so I do not know whether this applies.
Assigning to the package maintainer José, CC DavidW.

Source RPM: proftpd => proftpd-1.3.5e-4.mga7.src.rpm
Assignee: bugsquad => lists.jjorge
CC: (none) => luigiwalser

Comment 2 David Walser 2019-10-28 20:48:04 CET
Zombie, please give URL references so we know where you're getting this information from.

Lewis, you don't need to CC me.

I believe he was getting it from Debian as usual:
https://security-tracker.debian.org/tracker/CVE-2019-18217
https://www.debian.org/lts/security/2019/dla-1974

So 1.3.5 is apparently affected.

Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO

David Walser 2019-10-28 20:48:23 CET

Summary: proftpd security update (CVE-2019-18217) => proftpd new security issue CVE-2019-18217

Comment 3 Zombie Ryushu 2019-10-28 22:28:38 CET
The actual version to update to is 1.3.6b
Comment 4 David Walser 2019-10-28 22:48:55 CET
We can borrow the patch from Debian.
Comment 5 José Jorge 2019-10-28 23:02:03 CET
(In reply to David Walser from comment #4)
> We can borrow the patch from Debian.

Well I do not use proftpd enough to continue maintaining this package.
So I have assigned it to nobody.

Anyone interested, feel free to take maintainership. Zombie Ryushu?

Assignee: lists.jjorge => pkg-bugs

Comment 6 Zombie Ryushu 2019-10-28 23:06:44 CET
I do not have the resources to do packages for Mageia the way Mageia does it. I farm my builds out to third parties.
Comment 7 David Walser 2019-10-29 03:23:21 CET
Turns out we already had a security bug open for proftpd.

*** This bug has been marked as a duplicate of bug 25287 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE