Debian-LTS has issued an advisory on February 21: https://www.debian.org/lts/security/2020/dla-2115 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patches available from upstream and Debian
Debian has issued an advisory for this on February 26: https://www.debian.org/security/2020/dsa-4635
This is fixed upstream in 1.3.6c.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: proftpd-1.3.6c-2.mga8.src.rpm => proftpd-1.3.5e-4.2.mga7.src.rpm
Done for mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated proftpd packages fix security vulnerability:

Antonio Morales discovered a use-after-free flaw in the memory pool allocator in ProFTPD. Interrupting current data transfers can corrupt the ProFTPD memory pool, leading to denial of service, or potentially the execution of arbitrary code (CVE-2020-9273).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9273
https://www.debian.org/security/2020/dsa-4635
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-4.3.mga7
proftpd-devel-1.3.5e-4.3.mga7
proftpd-mod_ctrls_admin-1.3.5e-4.3.mga7
proftpd-mod_ifsession-1.3.5e-4.3.mga7
proftpd-mod_ldap-1.3.5e-4.3.mga7
proftpd-mod_quotatab-1.3.5e-4.3.mga7
proftpd-mod_quotatab_file-1.3.5e-4.3.mga7
proftpd-mod_quotatab_ldap-1.3.5e-4.3.mga7
proftpd-mod_quotatab_sql-1.3.5e-4.3.mga7
proftpd-mod_quotatab_radius-1.3.5e-4.3.mga7
proftpd-mod_radius-1.3.5e-4.3.mga7
proftpd-mod_ratio-1.3.5e-4.3.mga7
proftpd-mod_rewrite-1.3.5e-4.3.mga7
proftpd-mod_site_misc-1.3.5e-4.3.mga7
proftpd-mod_sql-1.3.5e-4.3.mga7
proftpd-mod_sql_mysql-1.3.5e-4.3.mga7
proftpd-mod_sql_postgres-1.3.5e-4.3.mga7
proftpd-mod_sql_sqlite-1.3.5e-4.3.mga7
proftpd-mod_sql_passwd-1.3.5e-4.3.mga7
proftpd-mod_tls-1.3.5e-4.3.mga7
proftpd-mod_tls_shmcache-1.3.5e-4.3.mga7
proftpd-mod_tls_memcache-1.3.5e-4.3.mga7
proftpd-mod_autohost-1.3.5e-4.3.mga7
proftpd-mod_case-1.3.5e-4.3.mga7
proftpd-mod_gss-1.3.5e-4.3.mga7
proftpd-mod_load-1.3.5e-4.3.mga7
proftpd-mod_shaper-1.3.5e-4.3.mga7
proftpd-mod_wrap-1.3.5e-4.3.mga7
proftpd-mod_wrap_file-1.3.5e-4.3.mga7
proftpd-mod_wrap_sql-1.3.5e-4.3.mga7
proftpd-mod_ban-1.3.5e-4.3.mga7
proftpd-mod_vroot-1.3.5e-4.3.mga7
proftpd-mod_sftp-1.3.5e-4.3.mga7
proftpd-mod_sftp_pam-1.3.5e-4.3.mga7
proftpd-mod_sftp_sql-1.3.5e-4.3.mga7
proftpd-mod_memcache-1.3.5e-4.3.mga7

from proftpd-1.3.5e-4.3.mga7.src.rpm
Assignee: mrambo => qa-bugs
Status comment: Patches available from upstream and Debian => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues

# systemctl start proftpd
# systemctl -l status proftpd
● proftpd.service - LSB: ProFTPD FTP server
   Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
   Active: active (running) since Sat 2020-02-29 11:11:47 CET; 2s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 15656 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
   Memory: 4.3M
   CGroup: /system.slice/proftpd.service
           └─15668 proftpd: (accepting connections)

Feb 29 11:11:47 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
Feb 29 11:11:47 mach5.hviaene.thuis proftpd[15656]: Starting proftpd[ OK ]
Feb 29 11:11:47 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

Then connected from desktop PC on my LAN to the laptop and did transfer in both directions. All OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
openSUSE has issued an advisory for this on March 1: https://lists.opensuse.org/opensuse-updates/2020-03/msg00010.html I don't *think* we're vulnerable to CVE-2020-9272, because it looks from the SPEC like we link to the system libcap library (but it'd be nice if someone can confirm that), which should make us OK according to: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9272.html
Keywords: (none) => advisory
CC: (none) => tmb
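One way to confirm the libcap linkage the previous comment asks about, as an added example that is not part of the bug report or of the Mageia proftpd package: if the build uses the distribution's libcap, the installed binary carries a dynamic dependency on libcap.so, which ldd lists with a resolved path; if the copy bundled in the ProFTPD source tree was compiled in, no such entry appears. The binary path /usr/sbin/proftpd, the function names and the ldd output below are assumptions, and the sample output is constructed rather than captured from a real Mageia host.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the proftpd package.
# Decide whether a proftpd binary links the system libcap (dynamic
# dependency, listed by ldd) or carries a compiled-in copy (no entry).

# Parse ldd-style output on stdin. Prints the resolved path of libcap.so.N
# and returns 0 when found; prints nothing and returns 1 otherwise.
libcap_from_ldd() {
    awk '
        $1 ~ /^libcap\.so(\.[0-9]+)*$/ && $2 == "=>" && $3 ~ /^\// {
            print $3
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Run ldd on a real binary (default path is an assumption for Mageia) and
# classify it. Exit status: 0 system libcap, 1 no dynamic libcap, 2 no binary.
check_proftpd_libcap() {
    bin="${1:-/usr/sbin/proftpd}"
    if [ ! -x "$bin" ]; then
        echo "no such binary: $bin" >&2
        return 2
    fi
    if path=$(ldd "$bin" | libcap_from_ldd); then
        echo "system libcap: $path"
        return 0
    fi
    echo "no dynamic libcap dependency: bundled copy compiled in, or mod_cap not built; check the build log"
    return 1
}

# Constructed ldd output (not captured from a real host) standing in for
# `ldd /usr/sbin/proftpd` on a build that uses the distribution's libcap.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc0a1f0000)
    libcap.so.2 => /lib64/libcap.so.2 (0x00007f4a1c2d0000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f4a1c290000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f4a1c0c0000)'

# Offline demonstration over the constructed sample: prints /lib64/libcap.so.2.
demo() {
    printf '%s\n' "$SAMPLE_LDD" | libcap_from_ldd
}

demo
```

On an installed system, run `check_proftpd_libcap` against the real binary; `rpm -q --requires proftpd | grep -i libcap` is an independent cross-check from the package metadata. A missing libcap.so entry only tells you that nothing is linked dynamically: it does not by itself distinguish a compiled-in bundled copy from a build without mod_cap, so that case still needs the SPEC or the build log.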
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0120.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED