Debian-LTS has issued an advisory on November 30:
https://www.debian.org/lts/security/2019/dla-2018

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No registered or obvious maintainer, so assigning globally; CC'ing Mike & José as having committed this recently.
Assignee: bugsquad => pkg-bugs
CC: (none) => lists.jjorge, mrambo
Patched package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated proftpd package fixes security vulnerability:

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup (CVE-2019-19269).

References:
https://www.debian.org/lts/security/2019/dla-2018
https://nvd.nist.gov/vuln/detail/CVE-2019-19269
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-devel-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-devel-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_autohost-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_autohost-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ban-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ban-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_case-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_case-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ctrls_admin-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ctrls_admin-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_gss-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_gss-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ifsession-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ifsession-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ldap-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ldap-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_load-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_load-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_memcache-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_memcache-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab_file-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab_file-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab_ldap-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab_ldap-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab_radius-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab_radius-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_quotatab_sql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_quotatab_sql-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_radius-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_radius-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_ratio-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_ratio-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_rewrite-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_rewrite-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sftp-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sftp-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sftp_pam-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sftp_pam-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sftp_sql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sftp_sql-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_shaper-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_shaper-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_site_misc-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_site_misc-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql_mysql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql_mysql-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql_passwd-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql_passwd-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql_postgres-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql_postgres-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_sql_sqlite-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_sql_sqlite-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_tls-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_tls-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_tls_memcache-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_tls_memcache-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_tls_shmcache-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_tls_shmcache-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_vroot-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_vroot-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_wrap-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_wrap-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_wrap_file-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_wrap_file-1.3.5e-4.2.mga7.x86_64.rpm
proftpd-mod_wrap_sql-1.3.5e-4.1.mga7.x86_64.rpm
proftpd-mod_wrap_sql-1.3.5e-4.2.mga7.x86_64.rpm

from proftpd-1.3.5e-4.2.mga7.src.rpm

Test procedure
https://bugs.mageia.org/show_bug.cgi?id=17960#c8
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
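A check for the condition the advisory above describes, as an added example that is not part of the bug thread or of ProFTPD's code: it reads the CRL files named by mod_tls's TLSCARevocationFile directive in a ProFTPD configuration and reports which ones contain no revoked entries. The function names and the sample openssl output are constructed for illustration; the CRL files are assumed to be PEM.

```shell
#!/bin/sh
# Added example: report CRLs referenced by proftpd.conf that list no revoked
# certificates, the condition named in the CVE-2019-19269 advisory text.

# Read `openssl crl -noout -text` output on stdin; print empty|populated|unknown.
classify_crl_text() {
    awk '
        /^[ \t]*No Revoked Certificates\./ { state = "empty" }
        /^[ \t]*Revoked Certificates:/     { state = "populated" }
        END { if (state == "") state = "unknown"; print state }
    '
}

# Print the paths given to mod_tls TLSCARevocationFile directives in a config.
crl_files_from_conf() {
    awk 'tolower($1) == "tlscarevocationfile" { print $2 }' "$1"
}

# Classify one PEM CRL file; unreadable or unparsable files come back "unknown".
check_crl() {
    openssl crl -in "$1" -noout -text 2>/dev/null | classify_crl_text
}

# One line per configured CRL: "<state> <path>".
audit_conf() {
    crl_files_from_conf "$1" | while read -r crl; do
        printf '%s %s\n' "$(check_crl "$crl")" "$crl"
    done
}

# Constructed sample of openssl text output for a CRL with no entries.
SAMPLE_EMPTY='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = Example Test CA
No Revoked Certificates.'

if [ "$#" -gt 0 ]; then
    audit_conf "$1"          # argument: path to the proftpd configuration file
else
    printf '%s\n' "$SAMPLE_EMPTY" | classify_crl_text
fi
```

CRLs loaded through TLSCARevocationPath directories are not covered by this script. An "empty" result matters on hosts that still run a mod_tls build without the fix and verify client certificates.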
ok - this list of modules is showing 4.1 and 4.2. 4.1 is already installed on my system. Do you have a duplicate list?

Moving ahead with 4.2.

The following 45 packages are going to be installed:

- cyrus-sasl-2.1.27-1.mga7.x86_64
- lib64event6-2.1.8-3.mga7.x86_64
- lib64memcached11-1.0.18-5.mga7.x86_64
- lib64pq5-11.5-1.mga7.x86_64
- lib64sasl2-plug-anonymous-2.1.27-1.mga7.x86_64
- lib64sasl2-plug-crammd5-2.1.27-1.mga7.x86_64
- lib64sasl2-plug-login-2.1.27-1.mga7.x86_64
- lib64sasl2-plug-plain-2.1.27-1.mga7.x86_64
- memcached-1.5.16-1.mga7.x86_64
- proftpd-1.3.5e-4.2.mga7.x86_64
- proftpd-devel-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_autohost-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ban-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_case-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ctrls_admin-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_gss-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ifsession-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ldap-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_load-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_memcache-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab_file-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab_ldap-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab_radius-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_quotatab_sql-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_radius-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_ratio-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_rewrite-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sftp-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sftp_pam-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sftp_sql-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_shaper-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_site_misc-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql_mysql-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql_passwd-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql_postgres-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_sql_sqlite-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_tls-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_tls_memcache-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_tls_shmcache-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_vroot-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_wrap-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_wrap_file-1.3.5e-4.2.mga7.x86_64
- proftpd-mod_wrap_sql-1.3.5e-4.2.mga7.x86_64

13MB of additional disk space will be used.
5.4MB of packages will be retrieved.

Able to connect locally, will continue to bang around on it.
CC: (none) => brtians1
Tested file transfers - working as designed.
Whiteboard: (none) => MGA7-64-OK
Sorry about the bogus list. 4.2 is correct. I just failed to clean up my work area from the last time I worked on this.
Validating. Advisory in Comment 2, but the rpm list needs to be cleaned up.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
proftpd-1.3.5e-4.2.mga7
proftpd-devel-1.3.5e-4.2.mga7
proftpd-mod_ctrls_admin-1.3.5e-4.2.mga7
proftpd-mod_ifsession-1.3.5e-4.2.mga7
proftpd-mod_ldap-1.3.5e-4.2.mga7
proftpd-mod_quotatab-1.3.5e-4.2.mga7
proftpd-mod_quotatab_file-1.3.5e-4.2.mga7
proftpd-mod_quotatab_ldap-1.3.5e-4.2.mga7
proftpd-mod_quotatab_sql-1.3.5e-4.2.mga7
proftpd-mod_quotatab_radius-1.3.5e-4.2.mga7
proftpd-mod_radius-1.3.5e-4.2.mga7
proftpd-mod_ratio-1.3.5e-4.2.mga7
proftpd-mod_rewrite-1.3.5e-4.2.mga7
proftpd-mod_site_misc-1.3.5e-4.2.mga7
proftpd-mod_sql-1.3.5e-4.2.mga7
proftpd-mod_sql_mysql-1.3.5e-4.2.mga7
proftpd-mod_sql_postgres-1.3.5e-4.2.mga7
proftpd-mod_sql_sqlite-1.3.5e-4.2.mga7
proftpd-mod_sql_passwd-1.3.5e-4.2.mga7
proftpd-mod_tls-1.3.5e-4.2.mga7
proftpd-mod_tls_shmcache-1.3.5e-4.2.mga7
proftpd-mod_tls_memcache-1.3.5e-4.2.mga7
proftpd-mod_autohost-1.3.5e-4.2.mga7
proftpd-mod_case-1.3.5e-4.2.mga7
proftpd-mod_gss-1.3.5e-4.2.mga7
proftpd-mod_load-1.3.5e-4.2.mga7
proftpd-mod_shaper-1.3.5e-4.2.mga7
proftpd-mod_wrap-1.3.5e-4.2.mga7
proftpd-mod_wrap_file-1.3.5e-4.2.mga7
proftpd-mod_wrap_sql-1.3.5e-4.2.mga7
proftpd-mod_ban-1.3.5e-4.2.mga7
proftpd-mod_vroot-1.3.5e-4.2.mga7
proftpd-mod_sftp-1.3.5e-4.2.mga7
proftpd-mod_sftp_pam-1.3.5e-4.2.mga7
proftpd-mod_sftp_sql-1.3.5e-4.2.mga7
proftpd-mod_memcache-1.3.5e-4.2.mga7

from proftpd-1.3.5e-4.2.mga7.src.rpm
Advisory uploaded.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0385.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED