Bug 26251 - proftpd new security issue CVE-2020-9273
Summary: proftpd new security issue CVE-2020-9273
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-24 23:33 CET by David Walser
Modified: 2020-03-06 17:15 CET (History)

See Also:
Source RPM: proftpd-1.3.5e-4.2.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-02-24 23:33:39 CET
Debian-LTS has issued an advisory on February 21:
https://www.debian.org/lts/security/2020/dla-2115

Mageia 7 is also affected.
David Walser 2020-02-24 23:33:47 CET

Whiteboard: (none) => MGA7TOO

David Walser 2020-02-24 23:35:30 CET

Status comment: (none) => Patches available from upstream and Debian

Comment 1 David Walser 2020-02-27 22:43:31 CET
Debian has issued an advisory for this on February 26:
https://www.debian.org/security/2020/dsa-4635
Comment 2 David Walser 2020-02-27 23:25:31 CET
This is fixed upstream in 1.3.6c.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: proftpd-1.3.6c-2.mga8.src.rpm => proftpd-1.3.5e-4.2.mga7.src.rpm

Comment 3 David GEIGER 2020-02-28 05:29:29 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2020-02-28 06:13:21 CET
Advisory:
========================

Updated proftpd packages fix security vulnerability:

Antonio Morales discovered a use-after-free flaw in the memory pool allocator
in ProFTPD. Interrupting current data transfers can corrupt the ProFTPD memory
pool, leading to denial of service, or potentially the execution of arbitrary
code (CVE-2020-9273).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9273
https://www.debian.org/security/2020/dsa-4635
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-4.3.mga7
proftpd-devel-1.3.5e-4.3.mga7
proftpd-mod_ctrls_admin-1.3.5e-4.3.mga7
proftpd-mod_ifsession-1.3.5e-4.3.mga7
proftpd-mod_ldap-1.3.5e-4.3.mga7
proftpd-mod_quotatab-1.3.5e-4.3.mga7
proftpd-mod_quotatab_file-1.3.5e-4.3.mga7
proftpd-mod_quotatab_ldap-1.3.5e-4.3.mga7
proftpd-mod_quotatab_sql-1.3.5e-4.3.mga7
proftpd-mod_quotatab_radius-1.3.5e-4.3.mga7
proftpd-mod_radius-1.3.5e-4.3.mga7
proftpd-mod_ratio-1.3.5e-4.3.mga7
proftpd-mod_rewrite-1.3.5e-4.3.mga7
proftpd-mod_site_misc-1.3.5e-4.3.mga7
proftpd-mod_sql-1.3.5e-4.3.mga7
proftpd-mod_sql_mysql-1.3.5e-4.3.mga7
proftpd-mod_sql_postgres-1.3.5e-4.3.mga7
proftpd-mod_sql_sqlite-1.3.5e-4.3.mga7
proftpd-mod_sql_passwd-1.3.5e-4.3.mga7
proftpd-mod_tls-1.3.5e-4.3.mga7
proftpd-mod_tls_shmcache-1.3.5e-4.3.mga7
proftpd-mod_tls_memcache-1.3.5e-4.3.mga7
proftpd-mod_autohost-1.3.5e-4.3.mga7
proftpd-mod_case-1.3.5e-4.3.mga7
proftpd-mod_gss-1.3.5e-4.3.mga7
proftpd-mod_load-1.3.5e-4.3.mga7
proftpd-mod_shaper-1.3.5e-4.3.mga7
proftpd-mod_wrap-1.3.5e-4.3.mga7
proftpd-mod_wrap_file-1.3.5e-4.3.mga7
proftpd-mod_wrap_sql-1.3.5e-4.3.mga7
proftpd-mod_ban-1.3.5e-4.3.mga7
proftpd-mod_vroot-1.3.5e-4.3.mga7
proftpd-mod_sftp-1.3.5e-4.3.mga7
proftpd-mod_sftp_pam-1.3.5e-4.3.mga7
proftpd-mod_sftp_sql-1.3.5e-4.3.mga7
proftpd-mod_memcache-1.3.5e-4.3.mga7

from proftpd-1.3.5e-4.3.mga7.src.rpm

Assignee: mrambo => qa-bugs
Status comment: Patches available from upstream and Debian => (none)

Comment 5 Herman Viaene 2020-02-29 11:24:29 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
# systemctl  start proftpd
# systemctl -l status proftpd
● proftpd.service - LSB: ProFTPD FTP server
   Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
   Active: active (running) since Sat 2020-02-29 11:11:47 CET; 2s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 15656 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
   Memory: 4.3M
   CGroup: /system.slice/proftpd.service
           └─15668 proftpd: (accepting connections)

Feb 29 11:11:47 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
Feb 29 11:11:47 mach5.hviaene.thuis proftpd[15656]: Starting proftpd[  OK  ]
Feb 29 11:11:47 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

Then connected from desktop PC on my LAN to the laptop and did transfer in both directions.
All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-03-01 14:25:51 CET
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 David Walser 2020-03-02 22:01:58 CET
openSUSE has issued an advisory for this on March 1:
https://lists.opensuse.org/opensuse-updates/2020-03/msg00010.html

I don't *think* we're vulnerable to CVE-2020-9272, because it looks from the SPEC like we link to the system libcap library (but it'd be nice if someone can confirm that), which should make us OK according to:
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9272.html
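The confirmation asked for above (whether the built proftpd resolves libcap from the system rather than carrying its own copy) can be read off `ldd` output. The script below is an added example, not part of the bug report or of Mageia's packaging: it embeds two constructed `ldd`-style samples, reports "yes" only when a `libcap.so*` entry resolves to a real path (a "not found" entry counts as "no"), and, if a proftpd binary is installed at the assumed path `/usr/sbin/proftpd`, runs the same check on it.

```shell
#!/bin/sh
# Added example (not from the bug report). Decide from `ldd`-style output
# whether a binary resolves libcap from the system. The binary path and
# both sample outputs below are constructed assumptions.

# Constructed sample: a build dynamically linked against the system libcap.
SAMPLE_SYSTEM_LIBCAP='linux-vdso.so.1 (0x00007ffd00000000)
    libcap.so.2 => /lib64/libcap.so.2 (0x00007f0a00000000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0a00100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0a00200000)'

# Constructed sample: no libcap.so dependency at all, which would mean any
# libcap code in the binary is compiled in and not covered by the system package.
SAMPLE_NO_LIBCAP='linux-vdso.so.1 (0x00007ffd00000000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0a00100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0a00200000)'

# links_system_libcap TEXT: print "yes" if TEXT (ldd output) contains a
# libcap.so entry that resolves to an absolute path, otherwise "no".
# An entry such as "libcap.so.2 => not found" deliberately yields "no".
links_system_libcap() {
    if printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*libcap\.so(\.[0-9]+)*[[:space:]]*=>[[:space:]]*/'; then
        echo yes
    else
        echo no
    fi
}

# check_binary [PATH]: run the check against an installed binary when present;
# the default path is an assumption and is skipped if it does not exist.
check_binary() {
    bin=${1:-/usr/sbin/proftpd}
    if [ ! -x "$bin" ]; then
        echo "skip: $bin not installed"
        return 0
    fi
    links_system_libcap "$(ldd "$bin" 2>/dev/null)"
}

# Usage: ./check_libcap.sh [/path/to/proftpd]
check_binary "$@"
```

On a real host the same question can be cross-checked from the package side with `rpm -q --requires proftpd | grep libcap`, since a dependency on the system libcap package should appear there when the binary was linked against it.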
Thomas Backlund 2020-03-06 13:59:39 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2020-03-06 17:15:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0120.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

