Fedora has issued an advisory today (September 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/

The issue is fixed upstream in 1.3.7c:
https://bugzilla.redhat.com/show_bug.cgi?id=2001690
Status comment: (none) => Fixed upstream in 1.3.7c
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => mageia, marja11, mrambo, smelror
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Memory disclosure to RADIUS servers by mod_radius.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/
https://bugzilla.redhat.com/show_bug.cgi?id=2001690
========================

Updated packages in core/updates_testing:
========================
proftpd-mod_sql-1.3.7a-3.1.mga8
proftpd-mod_tls-1.3.7a-3.1.mga8
proftpd-mod_quotatab-1.3.7a-3.1.mga8
proftpd-mod_radius-1.3.7a-3.1.mga8
proftpd-mod_ldap-1.3.7a-3.1.mga8
proftpd-mod_ban-1.3.7a-3.1.mga8
proftpd-mod_rewrite-1.3.7a-3.1.mga8
proftpd-mod_wrap-1.3.7a-3.1.mga8
proftpd-mod_shaper-1.3.7a-3.1.mga8
proftpd-mod_tls_shmcache-1.3.7a-3.1.mga8
proftpd-mod_ctrls_admin-1.3.7a-3.1.mga8
proftpd-mod_sftp-1.3.7a-3.1.mga8
proftpd-mod_vroot-1.3.7a-3.1.mga8
proftpd-mod_tls_memcache-1.3.7a-3.1.mga8
proftpd-mod_ifsession-1.3.7a-3.1.mga8
proftpd-mod_site_misc-1.3.7a-3.1.mga8
proftpd-mod_sql_passwd-1.3.7a-3.1.mga8
proftpd-mod_ratio-1.3.7a-3.1.mga8
proftpd-mod_sql_sqlite-1.3.7a-3.1.mga8
proftpd-mod_sql_mysql-1.3.7a-3.1.mga8
proftpd-mod_sql_postgres-1.3.7a-3.1.mga8
proftpd-mod_autohost-1.3.7a-3.1.mga8
proftpd-mod_quotatab_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_pam-1.3.7a-3.1.mga8
proftpd-mod_case-1.3.7a-3.1.mga8
proftpd-mod_memcache-1.3.7a-3.1.mga8
proftpd-mod_wrap_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_sql-1.3.7a-3.1.mga8
proftpd-mod_wrap_file-1.3.7a-3.1.mga8
proftpd-mod_load-1.3.7a-3.1.mga8
proftpd-mod_quotatab_ldap-1.3.7a-3.1.mga8
proftpd-mod_quotatab_radius-1.3.7a-3.1.mga8
proftpd-mod_quotatab_file-1.3.7a-3.1.mga8
proftpd-mod_unique_id-1.3.7a-3.1.mga8
proftpd-devel-1.3.7a-3.1.mga8
proftpd-1.3.7a-3.1.mga8

from SRPM:
proftpd-1.3.7a-3.1.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 1.3.7c => (none)
Blocks: (none) => 29438
Note that proftpd-1.3.7a-3.1.mga8 includes the fix for bug 29438, which has its own advisory and test instructions.
Merging the advisories of bug 29438 and this one:
(Please look at bug 29438 for how to reproduce and test that part)

Suggested advisory:
========================

The updated packages fix a security vulnerability 1) and also a non-RFC-compliant FEAT answer 2)

1) Fixed security vulnerability:
Memory disclosure to RADIUS servers by mod_radius.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/
https://bugzilla.redhat.com/show_bug.cgi?id=2001690

2) Fixed non-RFC-compliant FEAT answer:
FTP clients like FileZilla fail to detect the locale, with this in the log:
"Status: Server does not support non-ASCII characters."
This comes from the proftpd MultilineRFC2228 directive being enabled by default. Without this directive, FileZilla is able to enable UTF-8 options correctly. A similar issue was present in another distribution, and they fixed it by disabling the MultilineRFC2228 directive.

References:
https://github.com/proftpd/proftpd/issues/1085
========================

Updated packages in core/updates_testing:
========================
proftpd-mod_sql-1.3.7a-3.1.mga8
proftpd-mod_tls-1.3.7a-3.1.mga8
proftpd-mod_quotatab-1.3.7a-3.1.mga8
proftpd-mod_radius-1.3.7a-3.1.mga8
proftpd-mod_ldap-1.3.7a-3.1.mga8
proftpd-mod_ban-1.3.7a-3.1.mga8
proftpd-mod_rewrite-1.3.7a-3.1.mga8
proftpd-mod_wrap-1.3.7a-3.1.mga8
proftpd-mod_shaper-1.3.7a-3.1.mga8
proftpd-mod_tls_shmcache-1.3.7a-3.1.mga8
proftpd-mod_ctrls_admin-1.3.7a-3.1.mga8
proftpd-mod_sftp-1.3.7a-3.1.mga8
proftpd-mod_vroot-1.3.7a-3.1.mga8
proftpd-mod_tls_memcache-1.3.7a-3.1.mga8
proftpd-mod_ifsession-1.3.7a-3.1.mga8
proftpd-mod_site_misc-1.3.7a-3.1.mga8
proftpd-mod_sql_passwd-1.3.7a-3.1.mga8
proftpd-mod_ratio-1.3.7a-3.1.mga8
proftpd-mod_sql_sqlite-1.3.7a-3.1.mga8
proftpd-mod_sql_mysql-1.3.7a-3.1.mga8
proftpd-mod_sql_postgres-1.3.7a-3.1.mga8
proftpd-mod_autohost-1.3.7a-3.1.mga8
proftpd-mod_quotatab_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_pam-1.3.7a-3.1.mga8
proftpd-mod_case-1.3.7a-3.1.mga8
proftpd-mod_memcache-1.3.7a-3.1.mga8
proftpd-mod_wrap_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_sql-1.3.7a-3.1.mga8
proftpd-mod_wrap_file-1.3.7a-3.1.mga8
proftpd-mod_load-1.3.7a-3.1.mga8
proftpd-mod_quotatab_ldap-1.3.7a-3.1.mga8
proftpd-mod_quotatab_radius-1.3.7a-3.1.mga8
proftpd-mod_quotatab_file-1.3.7a-3.1.mga8
proftpd-mod_unique_id-1.3.7a-3.1.mga8
proftpd-devel-1.3.7a-3.1.mga8
proftpd-1.3.7a-3.1.mga8

from SRPM:
proftpd-1.3.7a-3.1.mga8.src.rpm
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26251 for testing

# systemctl start proftpd
# systemctl -l status proftpd
● proftpd.service - LSB: ProFTPD FTP server
     Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
     Active: active (running) since Wed 2021-09-15 14:35:19 CEST; 19s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 13951 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 9402)
     Memory: 4.2M
        CPU: 52ms
     CGroup: /system.slice/proftpd.service
             └─13960 proftpd: (accepting connections)

sep 15 14:35:18 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
sep 15 14:35:19 mach5.hviaene.thuis proftpd[13951]: Starting proftpd[ OK ]
sep 15 14:35:19 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

Opened port for ftp-server in firewall and used filezilla to transfer some folders, testing in both directions. All worked OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0434.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED