Bug 25844 - proftpd new security issue CVE-2019-19269
Summary: proftpd new security issue CVE-2019-19269
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-07 23:01 CET by David Walser
Modified: 2019-12-13 19:27 CET
CC: 5 users

See Also:
Source RPM: proftpd-1.3.5e-5.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2019-12-07 23:01:58 CET
Debian-LTS has issued an advisory on November 30:
https://www.debian.org/lts/security/2019/dla-2018

Mageia 7 is also affected.
David Walser 2019-12-07 23:02:05 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-08 12:35:08 CET
No registered or obvious maintainer, so assigning globally; CC'ing Mike & José as having committed this recently.

Assignee: bugsquad => pkg-bugs
CC: (none) => lists.jjorge, mrambo

Comment 2 Mike Rambo 2019-12-11 15:43:23 CET
Patched package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated proftpd package fixes security vulnerability:

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup (CVE-2019-19269).


References:
https://www.debian.org/lts/security/2019/dla-2018
https://nvd.nist.gov/vuln/detail/CVE-2019-19269
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-devel-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-devel-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_autohost-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_autohost-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ban-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ban-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_case-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_case-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ctrls_admin-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ctrls_admin-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_gss-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_gss-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ifsession-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ifsession-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ldap-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ldap-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_load-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_load-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_memcache-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_memcache-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab_file-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab_file-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab_ldap-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab_ldap-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab_radius-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab_radius-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab_sql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab_sql-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_radius-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_radius-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ratio-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ratio-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_rewrite-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_rewrite-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sftp-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sftp-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sftp_pam-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sftp_pam-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sftp_sql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sftp_sql-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_shaper-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_shaper-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_site_misc-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_site_misc-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql_mysql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql_mysql-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql_passwd-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql_passwd-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql_postgres-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql_postgres-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql_sqlite-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql_sqlite-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_tls-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_tls-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_tls_memcache-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_tls_memcache-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_tls_shmcache-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_tls_shmcache-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_vroot-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_vroot-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_wrap-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_wrap-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_wrap_file-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_wrap_file-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_wrap_sql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_wrap_sql-1.3.5e-4.2.mga7.x86_64.rpm

from proftpd-1.3.5e-4.2.mga7.src.rpm


Test procedure https://bugs.mageia.org/show_bug.cgi?id=17960#c8

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
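The advisory in Comment 2 names the failure mode: when the administrator installs a CRL with no revoked entries, sk_X509_REVOKED_value() returns NULL, and the server dereferences that pointer while checking a client certificate under TLS mutual authentication. The Go program below is an added illustration of the check a server should make against a CRL; it is not ProFTPD's code and not part of this bug report. It builds a throwaway CA, signs an empty CRL and a one-entry CRL from it (constructed test data, with a fixed SubjectKeyId because the standard library requires one), and looks up a client serial in each, treating the empty CRL as "nothing revoked" after verifying the CRL's signature and freshness. In OpenSSL C the same point is that the pointer returned by sk_X509_REVOKED_value() must be tested for NULL before it is used; Go's nil slice simply ranges zero times, so the trap does not exist there, but the issuer, freshness and lookup checks are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCA builds a throwaway CA key and self-signed certificate. This is
// constructed test data for the example, not a real issuer.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is required both to sign a CRL and to verify one from this CA.
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList insists on a SKI
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCRL signs a CRL from the CA that revokes exactly the given serials.
// Called with no serials it yields the "empty CRL" the advisory describes.
func makeCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, serials ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour),
	}
	for _, s := range serials {
		// RevokedCertificates is the field present across Go releases; newer Go
		// also exposes RevokedCertificateEntries with the same information.
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{
			SerialNumber:   big.NewInt(s),
			RevocationTime: time.Now(),
		})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// IsRevoked is the check a mutual-TLS server runs on a client certificate's
// serial before admitting the client: the CRL must be present, signed by the
// expected issuer and not stale; only then is the serial looked up. An empty
// CRL has a nil entry list, so the loop runs zero times and the answer is
// "not revoked" rather than a crash.
func IsRevoked(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	if crl == nil {
		return false, errors.New("no CRL loaded")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale")
	}
	for _, entry := range crl.RevokedCertificates {
		if entry.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, key, err := makeCA()
	if err != nil {
		panic(err)
	}
	empty, _ := makeCRL(ca, key)
	one, _ := makeCRL(ca, key, 42)
	for _, c := range []struct {
		name string
		crl  *x509.RevocationList
	}{{"empty CRL", empty}, {"CRL revoking 42", one}} {
		revoked, err := IsRevoked(c.crl, ca, big.NewInt(42), time.Now())
		fmt.Printf("%-16s serial 42 revoked=%v err=%v\n", c.name, revoked, err)
	}
}
```

Run it with `go run .`; the empty CRL reports serial 42 as not revoked with no error, and the one-entry CRL reports it as revoked. The freshness check on NextUpdate and the issuer signature check are what keep an attacker-supplied or outdated CRL from silently turning into "nothing revoked".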

Comment 3 Brian Rockwell 2019-12-12 20:15:50 CET
OK - this list of modules is showing 4.1 and 4.2. 4.1 is already installed on my system. Do you have a duplicate list?

Moving ahead with 4.2.

The following 45 packages are going to be installed:

- cyrus-sasl-2.1.27-1.mga7.x86_64
- lib64event6-2.1.8-3.mga7.x86_64
- lib64memcached11-1.0.18-5.mga7.x86_64
- lib64pq5-11.5-1.mga7.x86_64
- lib64sasl2-plug-anonymous-2.1.27-1.mga7.x86_64
- lib64sasl2-plug-crammd5-2.1.27-1.mga7.x86_64
- lib64sasl2-plug-login-2.1.27-1.mga7.x86_64
- lib64sasl2-plug-plain-2.1.27-1.mga7.x86_64
- memcached-1.5.16-1.mga7.x86_64
- proftpd-1.3.5e-4.2.mga7.x86_64
- proftpd-devel-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_autohost-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ban-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_case-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ctrls_admin-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_gss-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ifsession-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ldap-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_load-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_memcache-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab_file-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab_ldap-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab_radius-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab_sql-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_radius-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ratio-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_rewrite-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sftp-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sftp_pam-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sftp_sql-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_shaper-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_site_misc-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql_mysql-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql_passwd-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql_postgres-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql_sqlite-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_tls-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_tls_memcache-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_tls_shmcache-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_vroot-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_wrap-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_wrap_file-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_wrap_sql-1.3.5e-4.2.mga7.x86_64

13MB of additional disk space will be used.

5.4MB of packages will be retrieved.


Able to connect locally, will continue to bang around on it.

CC: (none) => brtians1

Comment 4 Brian Rockwell 2019-12-12 20:31:34 CET
Tested file transfers - working as designed.

Whiteboard: (none) => MGA7-64-OK

Comment 5 Mike Rambo 2019-12-12 21:19:09 CET
Sorry about the bogus list. 4.2 is correct. I just failed to clean up my work area from the last time I worked on this.

Comment 6 Thomas Andrews 2019-12-12 22:02:08 CET
Validating. Advisory in Comment 2, but the rpm list needs to be cleaned up.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 David Walser 2019-12-12 22:57:14 CET
proftpd-1.3.5e-4.2.mga7
proftpd-devel-1.3.5e-4.2.mga7
proftpd-mod_ctrls_admin-1.3.5e-4.2.mga7
proftpd-mod_ifsession-1.3.5e-4.2.mga7
proftpd-mod_ldap-1.3.5e-4.2.mga7
proftpd-mod_quotatab-1.3.5e-4.2.mga7
proftpd-mod_quotatab_file-1.3.5e-4.2.mga7
proftpd-mod_quotatab_ldap-1.3.5e-4.2.mga7
proftpd-mod_quotatab_sql-1.3.5e-4.2.mga7
proftpd-mod_quotatab_radius-1.3.5e-4.2.mga7
proftpd-mod_radius-1.3.5e-4.2.mga7
proftpd-mod_ratio-1.3.5e-4.2.mga7
proftpd-mod_rewrite-1.3.5e-4.2.mga7
proftpd-mod_site_misc-1.3.5e-4.2.mga7
proftpd-mod_sql-1.3.5e-4.2.mga7
proftpd-mod_sql_mysql-1.3.5e-4.2.mga7
proftpd-mod_sql_postgres-1.3.5e-4.2.mga7
proftpd-mod_sql_sqlite-1.3.5e-4.2.mga7
proftpd-mod_sql_passwd-1.3.5e-4.2.mga7
proftpd-mod_tls-1.3.5e-4.2.mga7
proftpd-mod_tls_shmcache-1.3.5e-4.2.mga7
proftpd-mod_tls_memcache-1.3.5e-4.2.mga7
proftpd-mod_autohost-1.3.5e-4.2.mga7
proftpd-mod_case-1.3.5e-4.2.mga7
proftpd-mod_gss-1.3.5e-4.2.mga7
proftpd-mod_load-1.3.5e-4.2.mga7
proftpd-mod_shaper-1.3.5e-4.2.mga7
proftpd-mod_wrap-1.3.5e-4.2.mga7
proftpd-mod_wrap_file-1.3.5e-4.2.mga7
proftpd-mod_wrap_sql-1.3.5e-4.2.mga7
proftpd-mod_ban-1.3.5e-4.2.mga7
proftpd-mod_vroot-1.3.5e-4.2.mga7
proftpd-mod_sftp-1.3.5e-4.2.mga7
proftpd-mod_sftp_pam-1.3.5e-4.2.mga7
proftpd-mod_sftp_sql-1.3.5e-4.2.mga7
proftpd-mod_memcache-1.3.5e-4.2.mga7

from proftpd-1.3.5e-4.2.mga7.src.rpm

Comment 8 Rémi Verschelde 2019-12-13 17:05:04 CET
Advisory uploaded.

Keywords: (none) => advisory

Comment 9 Mageia Robot 2019-12-13 19:27:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0385.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
