29449 – proftpd new memory disclosure issue fixed upstream in 1.3.7c

Bug 29449 - proftpd new memory disclosure issue fixed upstream in 1.3.7c

Summary: proftpd new memory disclosure issue fixed upstream in 1.3.7c

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:	29438
	Show dependency tree / graph

Reported:	2021-09-08 22:55 CEST by David Walser
Modified:	2021-09-23 06:52 CEST (History)
CC List:	9 users (show)

See Also:
Source RPM:	proftpd-1.3.7a-2.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-09-08 22:55:56 CEST

Fedora has issued an advisory today (September 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/

The issue is fixed upstream in 1.3.7c:
https://bugzilla.redhat.com/show_bug.cgi?id=2001690

David Walser 2021-09-08 22:56:15 CEST

Status comment: (none) => Fixed upstream in 1.3.7c

Comment 1 Marja Van Waes 2021-09-09 21:49:39 CEST

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => mageia, marja11, mrambo, smelror

Comment 2 Nicolas Salguero 2021-09-10 10:34:57 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Memory disclosure to RADIUS servers by mod_radius.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/
https://bugzilla.redhat.com/show_bug.cgi?id=2001690
========================

Updated packages in core/updates_testing:
========================
proftpd-mod_sql-1.3.7a-3.1.mga8
proftpd-mod_tls-1.3.7a-3.1.mga8
proftpd-mod_quotatab-1.3.7a-3.1.mga8
proftpd-mod_radius-1.3.7a-3.1.mga8
proftpd-mod_ldap-1.3.7a-3.1.mga8
proftpd-mod_ban-1.3.7a-3.1.mga8
proftpd-mod_rewrite-1.3.7a-3.1.mga8
proftpd-mod_wrap-1.3.7a-3.1.mga8
proftpd-mod_shaper-1.3.7a-3.1.mga8
proftpd-mod_tls_shmcache-1.3.7a-3.1.mga8
proftpd-mod_ctrls_admin-1.3.7a-3.1.mga8
proftpd-mod_sftp-1.3.7a-3.1.mga8
proftpd-mod_vroot-1.3.7a-3.1.mga8
proftpd-mod_tls_memcache-1.3.7a-3.1.mga8
proftpd-mod_ifsession-1.3.7a-3.1.mga8
proftpd-mod_site_misc-1.3.7a-3.1.mga8
proftpd-mod_sql_passwd-1.3.7a-3.1.mga8
proftpd-mod_ratio-1.3.7a-3.1.mga8
proftpd-mod_sql_sqlite-1.3.7a-3.1.mga8
proftpd-mod_sql_mysql-1.3.7a-3.1.mga8
proftpd-mod_sql_postgres-1.3.7a-3.1.mga8
proftpd-mod_autohost-1.3.7a-3.1.mga8
proftpd-mod_quotatab_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_pam-1.3.7a-3.1.mga8
proftpd-mod_case-1.3.7a-3.1.mga8
proftpd-mod_memcache-1.3.7a-3.1.mga8
proftpd-mod_wrap_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_sql-1.3.7a-3.1.mga8
proftpd-mod_wrap_file-1.3.7a-3.1.mga8
proftpd-mod_load-1.3.7a-3.1.mga8
proftpd-mod_quotatab_ldap-1.3.7a-3.1.mga8
proftpd-mod_quotatab_radius-1.3.7a-3.1.mga8
proftpd-mod_quotatab_file-1.3.7a-3.1.mga8
proftpd-mod_unique_id-1.3.7a-3.1.mga8
proftpd-devel-1.3.7a-3.1.mga8
proftpd-1.3.7a-3.1.mga8

from SRPM:
proftpd-1.3.7a-3.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 1.3.7c => (none)

Thomas Backlund 2021-09-10 13:20:22 CEST

Blocks: (none) => 29438

Comment 3 Marja Van Waes 2021-09-10 15:38:13 CEST

Note that proftpd-1.3.7a-3.1.mga8 includes the fix for bug 29438, which has its own advisory and test instruction

Comment 4 Marja Van Waes 2021-09-10 22:38:37 CEST

Merging the advisories of bug 29438 and this one:
(Please look at bug 29438 for how to reproduce and test that part)

Suggested advisory:
========================

The updated packages fixes a security vulnerability 1)
and also a not rfc compliant feat answer 2)

1) Fixed security vulnerability:

Memory disclosure to RADIUS servers by mod_radius.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K3JL66LCDUIASS4TM7SY6R2D7W2WBXUE/
https://bugzilla.redhat.com/show_bug.cgi?id=2001690


2) Fixed not rfc compliant feat answer:

Ftp clients like filezilla fail to detect locale with in log :
"Status: Server does not support non-ASCII characters."

This comes from proftpd MultilineRFC2228 directive enabled by default.

Without this directive  Filezilla is able to enable utf8 options correctly.

Similar issue was present in another distribution and they fixed it by disabling MultilineRFC2228 directive.

References:
https://github.com/proftpd/proftpd/issues/1085
========================

Updated packages in core/updates_testing:
========================
proftpd-mod_sql-1.3.7a-3.1.mga8
proftpd-mod_tls-1.3.7a-3.1.mga8
proftpd-mod_quotatab-1.3.7a-3.1.mga8
proftpd-mod_radius-1.3.7a-3.1.mga8
proftpd-mod_ldap-1.3.7a-3.1.mga8
proftpd-mod_ban-1.3.7a-3.1.mga8
proftpd-mod_rewrite-1.3.7a-3.1.mga8
proftpd-mod_wrap-1.3.7a-3.1.mga8
proftpd-mod_shaper-1.3.7a-3.1.mga8
proftpd-mod_tls_shmcache-1.3.7a-3.1.mga8
proftpd-mod_ctrls_admin-1.3.7a-3.1.mga8
proftpd-mod_sftp-1.3.7a-3.1.mga8
proftpd-mod_vroot-1.3.7a-3.1.mga8
proftpd-mod_tls_memcache-1.3.7a-3.1.mga8
proftpd-mod_ifsession-1.3.7a-3.1.mga8
proftpd-mod_site_misc-1.3.7a-3.1.mga8
proftpd-mod_sql_passwd-1.3.7a-3.1.mga8
proftpd-mod_ratio-1.3.7a-3.1.mga8
proftpd-mod_sql_sqlite-1.3.7a-3.1.mga8
proftpd-mod_sql_mysql-1.3.7a-3.1.mga8
proftpd-mod_sql_postgres-1.3.7a-3.1.mga8
proftpd-mod_autohost-1.3.7a-3.1.mga8
proftpd-mod_quotatab_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_pam-1.3.7a-3.1.mga8
proftpd-mod_case-1.3.7a-3.1.mga8
proftpd-mod_memcache-1.3.7a-3.1.mga8
proftpd-mod_wrap_sql-1.3.7a-3.1.mga8
proftpd-mod_sftp_sql-1.3.7a-3.1.mga8
proftpd-mod_wrap_file-1.3.7a-3.1.mga8
proftpd-mod_load-1.3.7a-3.1.mga8
proftpd-mod_quotatab_ldap-1.3.7a-3.1.mga8
proftpd-mod_quotatab_radius-1.3.7a-3.1.mga8
proftpd-mod_quotatab_file-1.3.7a-3.1.mga8
proftpd-mod_unique_id-1.3.7a-3.1.mga8
proftpd-devel-1.3.7a-3.1.mga8
proftpd-1.3.7a-3.1.mga8

from SRPM:
proftpd-1.3.7a-3.1.mga8.src.rpm

Comment 5 Herman Viaene 2021-09-15 14:50:08 CEST

MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26251 for testing
# systemctl  start proftpd

# systemctl  -l status proftpd
● proftpd.service - LSB: ProFTPD FTP server
     Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
     Active: active (running) since Wed 2021-09-15 14:35:19 CEST; 19s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 13951 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 9402)
     Memory: 4.2M
        CPU: 52ms
     CGroup: /system.slice/proftpd.service
             └─13960 proftpd: (accepting connections)

sep 15 14:35:18 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
sep 15 14:35:19 mach5.hviaene.thuis proftpd[13951]: Starting proftpd[  OK  ]
sep 15 14:35:19 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

Opened port for ftp-server in firewall and used filezilla to transfer some folders, teesting in both directions. All worked OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2021-09-17 14:05:16 CEST

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-09-22 23:01:06 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2021-09-23 06:52:25 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0434.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.