Debian has issued an advisory on January 13: http://www.debian.org/security/2013/dsa-2606 Patched packages uploaded for Mageia 2 and Cauldron. Patch also checked into Mageia 1 SVN. Advisory: ======================== Updated proftpd packages fix security vulnerability: It has been discovered that in ProFTPd, an FTP server, an attacker on the same physical host as the server may be able to perform a symlink attack allowing to elevate privileges in some configurations (CVE-2012-6095). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6095 http://www.debian.org/security/2013/dsa-2606 ======================== Updated packages in core/updates_testing: ======================== proftpd-1.3.3g-1.1.mga2 proftpd-devel-1.3.3g-1.1.mga2 proftpd-mod_ctrls_admin-1.3.3g-1.1.mga2 proftpd-mod_ifsession-1.3.3g-1.1.mga2 proftpd-mod_ldap-1.3.3g-1.1.mga2 proftpd-mod_quotatab-1.3.3g-1.1.mga2 proftpd-mod_quotatab_file-1.3.3g-1.1.mga2 proftpd-mod_quotatab_ldap-1.3.3g-1.1.mga2 proftpd-mod_quotatab_sql-1.3.3g-1.1.mga2 proftpd-mod_quotatab_radius-1.3.3g-1.1.mga2 proftpd-mod_radius-1.3.3g-1.1.mga2 proftpd-mod_ratio-1.3.3g-1.1.mga2 proftpd-mod_rewrite-1.3.3g-1.1.mga2 proftpd-mod_site_misc-1.3.3g-1.1.mga2 proftpd-mod_sql-1.3.3g-1.1.mga2 proftpd-mod_sql_mysql-1.3.3g-1.1.mga2 proftpd-mod_sql_postgres-1.3.3g-1.1.mga2 proftpd-mod_sql_passwd-1.3.3g-1.1.mga2 proftpd-mod_tls-1.3.3g-1.1.mga2 proftpd-mod_autohost-1.3.3g-1.1.mga2 proftpd-mod_case-1.3.3g-1.1.mga2 proftpd-mod_gss-1.3.3g-1.1.mga2 proftpd-mod_load-1.3.3g-1.1.mga2 proftpd-mod_shaper-1.3.3g-1.1.mga2 proftpd-mod_time-1.3.3g-1.1.mga2 proftpd-mod_wrap-1.3.3g-1.1.mga2 proftpd-mod_wrap_file-1.3.3g-1.1.mga2 proftpd-mod_wrap_sql-1.3.3g-1.1.mga2 proftpd-mod_ban-1.3.3g-1.1.mga2 proftpd-mod_vroot-1.3.3g-1.1.mga2 proftpd-mod_sftp-1.3.3g-1.1.mga2 from proftpd-1.3.3g-1.1.mga2.src.rpm
PoC: http://bugs.proftpd.org/show_bug.cgi?id=3841 Be careful using foo/etc. I'd recommend creating /test with root:root ownership or something to play with instead and MKD foo/test.
Hardware: i586 => AllWhiteboard: (none) => has_procedure
Does the build run the testsuite David? It's mentioned on the PoC bug report and seems to come with the source.
(In reply to comment #2) > Does the build run the testsuite David? > > It's mentioned on the PoC bug report and seems to come with the source. Unfortunately, no. Also, if the fix upstream added a test to the test suite, that wasn't included in the patches backported by Debian that I used. I don't see anything for that in the patches attached to the upstream bug either.
This is showing as having a missing signature x86_64
Whiteboard: has_procedure => has_procedure feedback
Rebuilt to fix the missing signature. Advisory: ======================== Updated proftpd packages fix security vulnerability: It has been discovered that in ProFTPd, an FTP server, an attacker on the same physical host as the server may be able to perform a symlink attack allowing to elevate privileges in some configurations (CVE-2012-6095). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6095 http://www.debian.org/security/2013/dsa-2606 ======================== Updated packages in core/updates_testing: ======================== proftpd-1.3.3g-1.2.mga2 proftpd-devel-1.3.3g-1.2.mga2 proftpd-mod_ctrls_admin-1.3.3g-1.2.mga2 proftpd-mod_ifsession-1.3.3g-1.2.mga2 proftpd-mod_ldap-1.3.3g-1.2.mga2 proftpd-mod_quotatab-1.3.3g-1.2.mga2 proftpd-mod_quotatab_file-1.3.3g-1.2.mga2 proftpd-mod_quotatab_ldap-1.3.3g-1.2.mga2 proftpd-mod_quotatab_sql-1.3.3g-1.2.mga2 proftpd-mod_quotatab_radius-1.3.3g-1.2.mga2 proftpd-mod_radius-1.3.3g-1.2.mga2 proftpd-mod_ratio-1.3.3g-1.2.mga2 proftpd-mod_rewrite-1.3.3g-1.2.mga2 proftpd-mod_site_misc-1.3.3g-1.2.mga2 proftpd-mod_sql-1.3.3g-1.2.mga2 proftpd-mod_sql_mysql-1.3.3g-1.2.mga2 proftpd-mod_sql_postgres-1.3.3g-1.2.mga2 proftpd-mod_sql_passwd-1.3.3g-1.2.mga2 proftpd-mod_tls-1.3.3g-1.2.mga2 proftpd-mod_autohost-1.3.3g-1.2.mga2 proftpd-mod_case-1.3.3g-1.2.mga2 proftpd-mod_gss-1.3.3g-1.2.mga2 proftpd-mod_load-1.3.3g-1.2.mga2 proftpd-mod_shaper-1.3.3g-1.2.mga2 proftpd-mod_time-1.3.3g-1.2.mga2 proftpd-mod_wrap-1.3.3g-1.2.mga2 proftpd-mod_wrap_file-1.3.3g-1.2.mga2 proftpd-mod_wrap_sql-1.3.3g-1.2.mga2 proftpd-mod_ban-1.3.3g-1.2.mga2 proftpd-mod_vroot-1.3.3g-1.2.mga2 proftpd-mod_sftp-1.3.3g-1.2.mga2 from proftpd-1.3.3g-1.2.mga2.src.rpm
Whiteboard: has_procedure feedback => has_procedure
*** Bug 8654 has been marked as a duplicate of this bug. ***
CC: (none) => oe
Blocks: (none) => 8884
depchecked ok
I've not been able to reproduce this so just testing proftpd basics x86_64
Testing complete mga2 64 Just testing I can log in with my user account and access files in my home directory. Bug 8911 created for the testsuite
Whiteboard: has_procedure => has_procedure mga2-64-ok
Similar testing mga2 32 Validating Advisory & srpm in comment 5 Can sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0024
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED