Bug 29449 - proftpd new memory disclosure issue fixed upstream in 1.3.7c
Summary: proftpd new memory disclosure issue fixed upstream in 1.3.7c
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks: 29438
Reported: 2021-09-08 22:55 CEST by David Walser
Modified: 2021-09-17 14:05 CEST

See Also:
Source RPM: proftpd-1.3.7a-2.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-09-08 22:55:56 CEST
Fedora has issued an advisory today (September 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/

The issue is fixed upstream in 1.3.7c:
https://bugzilla.redhat.com/show_bug.cgi?id=2001690
David Walser 2021-09-08 22:56:15 CEST

Status comment: (none) => Fixed upstream in 1.3.7c

Comment 1 Marja Van Waes 2021-09-09 21:49:39 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing some committers.

CC: (none) => mageia, marja11, mrambo, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-09-10 10:34:57 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Memory disclosure to RADIUS servers by mod_radius.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/
https://bugzilla.redhat.com/show_bug.cgi?id=2001690
========================

Updated packages in core/updates_testing:
========================
proftpd-mod_sql-1.3.7a-3.1.mga8
proftpd-mod_tls-1.3.7a-3.1.mga8
proftpd-mod_quotatab-1.3.7a-3.1.mga8
proftpd-mod_radius-1.3.7a-3.1.mga8
proftpd-mod_ldap-1.3.7a-3.1.mga8
proftpd-mod_ban-1.3.7a-3.1.mga8
proftpd-mod_rewrite-1.3.7a-3.1.mga8
proftpd-mod_wrap-1.3.7a-3.1.mga8
proftpd-mod_shaper-1.3.7a-3.1.mga8
proftpd-mod_tls_shmcache-1.3.7a-3.1.mga8
proftpd-mod_ctrls_admin-1.3.7a-3.1.mga8
proftpd-mod_sftp-1.3.7a-3.1.mga8
proftpd-mod_vroot-1.3.7a-3.1.mga8
proftpd-mod_tls_memcache-1.3.7a-3.1.mga8
proftpd-mod_ifsession-1.3.7a-3.1.mga8
proftpd-mod_site_misc-1.3.7a-3.1.mga8
proftpd-mod_sql_passwd-1.3.7a-3.1.mga8
proftpd-mod_ratio-1.3.7a-3.1.mga8
proftpd-mod_sql_sqlite-1.3.7a-3.1.mga8
proftpd-mod_sql_mysql-1.3.7a-3.1.mga8
proftpd-mod_sql_postgres-1.3.7a-3.1.mga8
proftpd-mod_autohost-1.3.7a-3.1.mga8
proftpd-mod_quotatab_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_pam-1.3.7a-3.1.mga8
proftpd-mod_case-1.3.7a-3.1.mga8
proftpd-mod_memcache-1.3.7a-3.1.mga8
proftpd-mod_wrap_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_sql-1.3.7a-3.1.mga8
proftpd-mod_wrap_file-1.3.7a-3.1.mga8
proftpd-mod_load-1.3.7a-3.1.mga8
proftpd-mod_quotatab_ldap-1.3.7a-3.1.mga8
proftpd-mod_quotatab_radius-1.3.7a-3.1.mga8
proftpd-mod_quotatab_file-1.3.7a-3.1.mga8
proftpd-mod_unique_id-1.3.7a-3.1.mga8
proftpd-devel-1.3.7a-3.1.mga8
proftpd-1.3.7a-3.1.mga8

from SRPM:
proftpd-1.3.7a-3.1.mga8.src.rpm

Status comment: Fixed upstream in 1.3.7c => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs

Thomas Backlund 2021-09-10 13:20:22 CEST

Blocks: (none) => 29438

Comment 3 Marja Van Waes 2021-09-10 15:38:13 CEST
Note that proftpd-1.3.7a-3.1.mga8 includes the fix for bug 29438, which has its own advisory and test instructions.
Comment 4 Marja Van Waes 2021-09-10 22:38:37 CEST
Merging the advisories of bug 29438 and this one:
(Please look at bug 29438 for how to reproduce and test that part)

Suggested advisory:
========================

The updated packages fix a security vulnerability 1)
and also a non-RFC-compliant FEAT answer 2)

1) Fixed security vulnerability:

Memory disclosure to RADIUS servers by mod_radius.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/
https://bugzilla.redhat.com/show_bug.cgi?id=2001690


2) Fixed non-RFC-compliant FEAT answer:

FTP clients like FileZilla fail to detect the locale, with in the log:
"Status: Server does not support non-ASCII characters."

This comes from the proftpd MultilineRFC2228 directive being enabled by default.

Without this directive, FileZilla is able to enable UTF8 options correctly.

A similar issue was present in another distribution and they fixed it by disabling the MultilineRFC2228 directive.

References:
https://github.com/proftpd/proftpd/issues/1085
========================

Updated packages in core/updates_testing:
========================
proftpd-mod_sql-1.3.7a-3.1.mga8
proftpd-mod_tls-1.3.7a-3.1.mga8
proftpd-mod_quotatab-1.3.7a-3.1.mga8
proftpd-mod_radius-1.3.7a-3.1.mga8
proftpd-mod_ldap-1.3.7a-3.1.mga8
proftpd-mod_ban-1.3.7a-3.1.mga8
proftpd-mod_rewrite-1.3.7a-3.1.mga8
proftpd-mod_wrap-1.3.7a-3.1.mga8
proftpd-mod_shaper-1.3.7a-3.1.mga8
proftpd-mod_tls_shmcache-1.3.7a-3.1.mga8
proftpd-mod_ctrls_admin-1.3.7a-3.1.mga8
proftpd-mod_sftp-1.3.7a-3.1.mga8
proftpd-mod_vroot-1.3.7a-3.1.mga8
proftpd-mod_tls_memcache-1.3.7a-3.1.mga8
proftpd-mod_ifsession-1.3.7a-3.1.mga8
proftpd-mod_site_misc-1.3.7a-3.1.mga8
proftpd-mod_sql_passwd-1.3.7a-3.1.mga8
proftpd-mod_ratio-1.3.7a-3.1.mga8
proftpd-mod_sql_sqlite-1.3.7a-3.1.mga8
proftpd-mod_sql_mysql-1.3.7a-3.1.mga8
proftpd-mod_sql_postgres-1.3.7a-3.1.mga8
proftpd-mod_autohost-1.3.7a-3.1.mga8
proftpd-mod_quotatab_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_pam-1.3.7a-3.1.mga8
proftpd-mod_case-1.3.7a-3.1.mga8
proftpd-mod_memcache-1.3.7a-3.1.mga8
proftpd-mod_wrap_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_sql-1.3.7a-3.1.mga8
proftpd-mod_wrap_file-1.3.7a-3.1.mga8
proftpd-mod_load-1.3.7a-3.1.mga8
proftpd-mod_quotatab_ldap-1.3.7a-3.1.mga8
proftpd-mod_quotatab_radius-1.3.7a-3.1.mga8
proftpd-mod_quotatab_file-1.3.7a-3.1.mga8
proftpd-mod_unique_id-1.3.7a-3.1.mga8
proftpd-devel-1.3.7a-3.1.mga8
proftpd-1.3.7a-3.1.mga8

from SRPM:
proftpd-1.3.7a-3.1.mga8.src.rpm
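A way to see what the FileZilla log line in the advisory above is reporting, as an added example that is not part of this bug report or of ProFTPD's own code: a parser for the FEAT reply written the way an RFC 2389 client reads it (feature lines start with a single space), run over two constructed replies. The second sample, with every line prefixed by the reply code, is an assumption about the multiline format the MultilineRFC2228 directive produces, based on the directive's documented purpose and not on output captured from the updated package. The `check_server` helper and its `host` parameter are hypothetical additions for repeating the same check against a test server with Python's standard `ftplib`.

```python
"""Added example (not from the Mageia bug or the ProFTPD project): parse an
FTP FEAT reply the way an RFC 2389 client does, and show why a reply in the
RFC 2228 multiline style (every line prefixed with the reply code, which is
assumed here to be what MultilineRFC2228 produces) hides the UTF8 feature
from such a client, matching the "does not support non-ASCII" symptom."""
from ftplib import FTP  # only used by the optional live check below

# Constructed sample replies (not captured from a real server).
FEAT_RFC2389 = (
    "211-Features:\r\n"
    " UTF8\r\n"
    " MDTM\r\n"
    " SIZE\r\n"
    "211 End\r\n"
)
FEAT_RFC2228_STYLE = (
    "211-Features:\r\n"
    "211-UTF8\r\n"
    "211-MDTM\r\n"
    "211-SIZE\r\n"
    "211 End\r\n"
)


def parse_feat(reply: str) -> list[str]:
    """Return the feature names advertised by a FEAT reply.

    RFC 2389 section 3.2: the reply opens with '211-', each feature line
    begins with a single space, and '211 End' (or any '211 ' line) closes
    it. Lines that do not begin with a space are not feature lines, so a
    client following the RFC ignores them. That is the behaviour modelled.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("211-"):
        return []
    features = []
    for line in lines[1:]:
        if line.startswith("211 "):   # final line, end of the reply
            break
        if line.startswith(" "):      # RFC 2389 feature line
            # the feature name is the first token; parameters may follow
            features.append(line.strip().split(" ", 1)[0].upper())
    return features


def supports_utf8(reply: str) -> bool:
    """True when the reply advertises UTF8 in the RFC 2389 format."""
    return "UTF8" in parse_feat(reply)


def check_server(host: str, port: int = 21) -> bool:
    """Hypothetical live check: fetch FEAT from a server and apply the same
    parser. Assumes the host is reachable and answers FEAT before login.
    ftplib returns the whole multiline reply joined with newlines, which
    splitlines() handles like CRLF."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        reply = ftp.sendcmd("FEAT")
    return supports_utf8(reply)


if __name__ == "__main__":
    print("RFC 2389 reply   ->", parse_feat(FEAT_RFC2389))        # ['UTF8', 'MDTM', 'SIZE']
    print("RFC 2228 style   ->", parse_feat(FEAT_RFC2228_STYLE))  # []
```

When testing the updated package, the same parser applied to the live FEAT reply tells you whether the server now answers in the RFC 2389 layout the client expects; an empty feature list with UTF8 visibly present in the raw reply points at the multiline format rather than at a missing feature.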
Comment 5 Herman Viaene 2021-09-15 14:50:08 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26251 for testing
# systemctl  start proftpd

# systemctl  -l status proftpd
● proftpd.service - LSB: ProFTPD FTP server
     Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
     Active: active (running) since Wed 2021-09-15 14:35:19 CEST; 19s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 13951 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 9402)
     Memory: 4.2M
        CPU: 52ms
     CGroup: /system.slice/proftpd.service
             └─13960 proftpd: (accepting connections)

sep 15 14:35:18 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
sep 15 14:35:19 mach5.hviaene.thuis proftpd[13951]: Starting proftpd[  OK  ]
sep 15 14:35:19 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

Opened the port for the FTP server in the firewall and used FileZilla to transfer some folders, testing in both directions. All worked OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2021-09-17 14:05:16 CEST
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs