For mageia 1, an update to version 1.3.3g should be released to fix the error. For cauldron, I think 1.3.4 should be used.
Hi, thanks for the bug report. As there is no maintainer of this package, I'm adding the committers to the CC list.
CC: (none) => ennael1, mageia, misc, pterjan
Ping?
Mandriva has issued this update: http://lists.mandriva.com/security-announce/2011-12/msg00003.php
CC: (none) => luigiwalser
Please test proftpd-1.3.3g that fixes this CVE
CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs
No POC, but the vulnerability involved the use of SSL, so testing with mod_tls.

x86_64

To test I installed proftpd and proftpd-mod_tls. I largely followed the configuration instructions here, substituting some paths:
http://www.howtoforge.com/setting-up-proftpd-tls-on-ubuntu-10.04-lucid-lynx

# mkdir /etc/proftpd.d/ssl
# openssl req -new -x509 -days 365 -nodes -out /etc/proftpd.d/ssl/proftpd.cert.pem -keyout /etc/proftpd.d/ssl/proftpd.key.pem

Enter the requested information; it doesn't have to be real.

Edit /etc/proftpd.conf and look for the part below:

<IfModule mod_tls.c>
TLSEngine off
</IfModule>

Change it to:

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd.d/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd.d/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>

Save it and restart proftpd. If you need to accept non-encrypted connections as well, then TLSRequired can be set to off.

# service proftpd restart
Stopping proftpd [ OK ]
Starting proftpd [ OK ]

I used FileZilla to connect to localhost with the following settings:

Host: localhost
Port: Empty
Protocol: FTP
Encryption: Require explicit FTP over TLS
Logon Type: Normal
User: <Linux username>
Password: <Linux user password>

Connected and was able to access my home directory. When it connects it asks to accept the certificate.

No regressions noticed after the update.

Testing complete x86_64
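The test in Comment 5 has two parts: a mod_tls stanza, and an explicit-FTP-over-TLS login done by hand in FileZilla. As an added example (not part of this bug thread or of the proftpd project), the script below parses that stanza from a constructed copy of the configuration, reports the settings a reviewer would want to know about before signing off (TLSRequired off accepting plaintext, as the comment notes, plus the SSLv23 protocol range and client-initiated renegotiation), and scripts the same login with ftplib so the self-signed certificate is pinned from the cert file rather than accepted interactively. The host, port, user and password arguments are assumptions; the certificate path is the one from the comment.

```python
"""Added example: audit the mod_tls stanza from Comment 5 and script the
explicit-FTP-over-TLS login the comment performed with FileZilla.
Not part of the Mageia bug thread; written for this page."""
import re
import ssl
from ftplib import FTP_TLS

# Constructed input: the <IfModule mod_tls.c> stanza as given in Comment 5.
SAMPLE_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd.d/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd.d/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
"""


def parse_mod_tls(conf):
    """Return {directive: [args]} for the first <IfModule mod_tls.c> block."""
    m = re.search(r"<IfModule mod_tls\.c>(.*?)</IfModule>", conf, re.S)
    if not m:
        return {}
    directives = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def audit_mod_tls(directives):
    """Findings a reviewer would want before calling the TLS setup tested."""
    findings = []
    if directives.get("TLSEngine", ["off"])[0].lower() != "on":
        findings.append("TLSEngine is not on: mod_tls is inactive")
    if directives.get("TLSRequired", ["off"])[0].lower() != "on":
        # Comment 5 notes this setting accepts non-encrypted connections.
        findings.append("TLSRequired off: plaintext FTP logins are accepted")
    if "SSLv23" in directives.get("TLSProtocol", []):
        findings.append("TLSProtocol SSLv23: SSLv3 negotiable as well as TLSv1")
    if "AllowClientRenegotiations" in directives.get("TLSOptions", []):
        findings.append("AllowClientRenegotiations set: client-initiated "
                        "renegotiation permitted")
    for key in ("TLSRSACertificateFile", "TLSRSACertificateKeyFile"):
        if key not in directives:
            findings.append(f"{key} missing: server has no certificate/key")
    return findings


def explicit_tls_login(host, user, password, cafile, port=21):
    """Explicit FTP over TLS (AUTH TLS), the mode FileZilla used in Comment 5.

    Trust only the self-signed certificate in cafile instead of clicking
    'accept' interactively. The hostname is not checked because the test
    certificate was created with dummy subject fields, but the presented
    certificate must still chain to (here: be) the pinned one.
    Host, user, password and port are assumed values supplied by the caller.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # dummy subject in the self-signed cert
    ctx.verify_mode = ssl.CERT_REQUIRED  # but it must be exactly that cert
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.auth()           # AUTH TLS on the control channel
    ftps.login(user, password)
    ftps.prot_p()         # encrypt the data channel as well
    names = ftps.nlst()   # list the home directory, as the comment did
    ftps.quit()
    return names


if __name__ == "__main__":
    for finding in audit_mod_tls(parse_mod_tls(SAMPLE_CONF)):
        print("finding:", finding)
    # Against a live server configured as in Comment 5 (assumed credentials):
    # print(explicit_tls_login("localhost", "USER", "PASSWORD",
    #                          "/etc/proftpd.d/ssl/proftpd.cert.pem"))
```

Run on the stanza from the comment, the audit reports only the SSLv23 range and the renegotiation option; switching TLSRequired to off adds the plaintext finding. The login helper is the scripted counterpart of the FileZilla check and needs a running proftpd with mod_tls to do anything.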
Hardware: i586 => All
Testing complete on i586 using the same procedure as Comment 5 (thanks Claire), except running FileZilla in a vb Mageia 1 guest, with proftpd on the host.

Could someone from the sysadmin team push the srpm proftpd-1.3.3g-0.1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:

This security update for proftpd corrects a use-after-free memory corruption error.

See http://www.h-online.com/security/news/item/Critical-bug-in-ProFTPD-closed-1377080.html for more information.

https://bugs.mageia.org/show_bug.cgi?id=3311
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED