——————————————————————————–
Fedora Update Notification
FEDORA-2020-876b1f664e
2020-02-27 17:26:04.898880
——————————————————————————–
Name : proftpd
Product : Fedora 31
Version : 1.3.6c
Release : 1.fc31
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple ‘virtual’ FTP servers, anonymous FTP, and permission-based directory
visibility.
This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.
——————————————————————————–
Update Information:
This update, to the current upstream stable release version, is a cumulative
bug-fix release including a security fix for a use-after-free vulnerability
(CVE-2020-9273): successful exploitation of this vulnerability could allow a
remote attacker to execute arbitrary code on the affected system.
——————————————————————————–
ChangeLog:
* Wed Feb 19 2020 Paul Howarth <paul@city-fan.org> – 1.3.6c-1
– Update to 1.3.6c
– Use-after-free vulnerability in memory pools during data transfer
(https://github.com/proftpd/proftpd/issues/903)
– Fix mod_tls compilation with LibreSSL 2.9.x
(https://github.com/proftpd/proftpd/issues/810)
– MaxClientsPerUser was not enforced for SFTP logins when mod_digest was
enabled (https://github.com/proftpd/proftpd/issues/750)
– mod_sftp now handles an OpenSSH-specific private key format; it detects
such keys, and logs a hint about reformatting them to a supported format
(https://github.com/proftpd/proftpd/issues/793)
– Directory listing was slower compared to previous ProFTPD versions
(https://github.com/proftpd/proftpd/issues/793)
– mod_sftp crashed when using pubkey-auth with DSA keys
(https://github.com/proftpd/proftpd/issues/866)
– Fix improper handling of TLS CRL lookups (CVE-2019-19269, CVE-2019-19270,
https://github.com/proftpd/proftpd/issues/859)
– Leaking PAM handler and data in case of unsuccessful authentication
(https://github.com/proftpd/proftpd/issues/870)
– SSH authentication failed for many clients due to receiving of
SSH_MSG_IGNORE packet (http://bugs.proftpd.org/show_bug.cgi?id=4385)
– SFTP publickey authentication failed unexpectedly when user had no shadow
password info. (https://github.com/proftpd/proftpd/issues/890)
– ftpasswd failed to restore password file permissions in some cases
(https://github.com/proftpd/proftpd/issues/898)
– Out-of-bounds read in mod_cap getstateflags() function; this has been
addressed by updating the bundled version of libcap
(https://github.com/proftpd/proftpd/issues/902)
Note that this build of ProFTPD uses the system version of libcap and not
the bundled version
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> – 1.3.6b-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jan 22 2020 Paul Howarth <paul@city-fan.org> – 1.3.6b-3
– Fix API tests compile failure with GCC 10
https://github.com/proftpd/proftpd/pull/886
– mod_sftp: When handling the ‘keyboard-interactive’ authentication mechanism,
as used for (e.g.) PAM, make sure to properly handle DEBUG, IGNORE,
DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253
(http://bugs.proftpd.org/show_bug.cgi?id=4385)
* Fri Nov 29 2019 Paul Howarth <paul@city-fan.org> – 1.3.6b-2
– Fix handling of CRL lookups by properly using issuer for lookups, and
guarding against null pointers (GH#859, GH#861, CVE-2019-19269,
CVE-2019-19270)
* Sun Oct 20 2019 Paul Howarth <paul@city-fan.org> – 1.3.6b-1
– Update to 1.3.6b
– Fixed pre-authentication remote denial-of-service issue
(CVE-2019-18217, https://github.com/proftpd/proftpd/issues/846)
* Sun Oct 13 2019 Paul Howarth <paul@city-fan.org> – 1.3.6a-1
– Update to 1.3.6a
– Configure script wrongly detected AIX lastlog functions
(http://bugs.proftpd.org/show_bug.cgi?id=4304)
– AllowChrootSymlinks off could cause login failures depending on filesystem
permissions (http://bugs.proftpd.org/show_bug.cgi?id=4306)
– mod_ctrls: error: unable to bind to local socket: Address already in use
(https://github.com/proftpd/proftpd/issues/501)
– Failed to handle multiple %{env:…} variables in single word in
configuration (https://github.com/proftpd/proftpd/issues/507)
– mod_sftp failed to check shadow password information when publickey
authentication used (http://bugs.proftpd.org/show_bug.cgi?id=4308)
– Use of “AllowEmptyPasswords off” broke SFTP/SCP logins
(http://bugs.proftpd.org/show_bug.cgi?id=4309)
– Use of mod_facl as static module caused ProFTPD to die on SIGHUP/restart
(http://bugs.proftpd.org/show_bug.cgi?id=4310)
– Use of curve25519-sha256@libssh.org SSH2 key exchange sometimes failed
(https://github.com/proftpd/proftpd/issues/556)
– Close extra file descriptors at startup
(http://bugs.proftpd.org/show_bug.cgi?id=4312)
– <Anonymous> with AuthAliasOnly in effect did not work as expected
(http://bugs.proftpd.org/show_bug.cgi?id=4314)
– CreateHome NoRootPrivs only worked partially
(https://github.com/proftpd/proftpd/issues/568)
– SFTP OPEN response included attribute flags that are not actually provided
(https://github.com/proftpd/proftpd/issues/578)
– Truncation of file while being downloaded with sendfile enabled caused
timeouts due to infinite loop (http://bugs.proftpd.org/show_bug.cgi?id=4318)
– FTP uploads frequently broke due to “Interrupted system call” error
(http://bugs.proftpd.org/show_bug.cgi?id=4319)
– Site-to-site transfers over TLS failed
(https://github.com/proftpd/proftpd/issues/618)
– Can’t see symlinks using any FTP client when using MLSD
(http://bugs.proftpd.org/show_bug.cgi?id=4322)
– mod_tls 1.3.6 failed to compile using OpenSSL 0.9.8e
(http://bugs.proftpd.org/show_bug.cgi?id=4325)
– Using MaxClientsPerHost 1 in <Anonymous> section denied logins
(http://bugs.proftpd.org/show_bug.cgi?id=4326)
– SQLNamedConnectInfo with different backend database did not work properly
(https://github.com/proftpd/proftpd/issues/642)
– Segfault with mod_sftp+mod_sftp_pam after successful authentication using
keyboard-interactive method (https://github.com/proftpd/proftpd/issues/656)
– autoconf always failed to detect support for FIPS
(https://github.com/proftpd/proftpd/issues/660)
– SFTP connections failed when using “arcfour256” cipher
(https://github.com/proftpd/proftpd/issues/663)
– mod_auth_otp failed to build with OpenSSL 1.1.x
(http://bugs.proftpd.org/show_bug.cgi?id=4335)
– scp broken on FreeBSD 11 (http://bugs.proftpd.org/show_bug.cgi?id=4341)
– Update mod_sftp to handle changed APIs in OpenSSL 1.1.x releases
(https://github.com/proftpd/proftpd/issues/674)
– Infinite loop possible in mod_sftp’s set_sftphostkey() function
(http://bugs.proftpd.org/show_bug.cgi?id=4356)
– Some ASCII text files corrupted when downloading
(http://bugs.proftpd.org/show_bug.cgi?id=4352)
– Properly use the –includedir, –libdir configure variables in the
generated proftpd.pc pkgconfig file
(https://github.com/proftpd/proftpd/issues/797)
– Reading invalid SSH key from database resulted in unexpected/unlogged
disconnect failures (http://bugs.proftpd.org/show_bug.cgi?id=4350)
– Symlink navigation broken after 1.3.6 update
(http://bugs.proftpd.org/show_bug.cgi?id=4332)
– Unable to connect to ProFTPD using TLSSessionTickets and TLSv1.3
(https://github.com/proftpd/proftpd/issues/795)
– SITE CPFR/CPTO did not honor <Limit> configurations
(http://bugs.proftpd.org/show_bug.cgi?id=4372)
– Using “TLSProtocol SSLv23” did not enable all protocol versions
(https://github.com/proftpd/proftpd/issues/807)
——————————————————————————–
This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-876b1f664e’ at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
——————————————————————————–
Fedora Update Notification
FEDORA-2020-76c707cff0
2020-02-27 16:43:31.470586
——————————————————————————–
Name : proftpd
Product : Fedora 30
Version : 1.3.6c
Release : 1.fc30
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple ‘virtual’ FTP servers, anonymous FTP, and permission-based directory
visibility.
This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.
——————————————————————————–
Update Information:
This update, to the current upstream stable release version, is a cumulative
bug-fix release including a security fix for a use-after-free vulnerability
(CVE-2020-9273): successful exploitation of this vulnerability could allow a
remote attacker to execute arbitrary code on the affected system.
——————————————————————————–
ChangeLog:
* Wed Feb 19 2020 Paul Howarth <paul@city-fan.org> – 1.3.6c-1
– Update to 1.3.6c
– Use-after-free vulnerability in memory pools during data transfer
(https://github.com/proftpd/proftpd/issues/903)
– Fix mod_tls compilation with LibreSSL 2.9.x
(https://github.com/proftpd/proftpd/issues/810)
– MaxClientsPerUser was not enforced for SFTP logins when mod_digest was
enabled (https://github.com/proftpd/proftpd/issues/750)
– mod_sftp now handles an OpenSSH-specific private key format; it detects
such keys, and logs a hint about reformatting them to a supported format
(https://github.com/proftpd/proftpd/issues/793)
– Directory listing was slower compared to previous ProFTPD versions
(https://github.com/proftpd/proftpd/issues/793)
– mod_sftp crashed when using pubkey-auth with DSA keys
(https://github.com/proftpd/proftpd/issues/866)
– Fix improper handling of TLS CRL lookups (CVE-2019-19269, CVE-2019-19270,
https://github.com/proftpd/proftpd/issues/859)
– Leaking PAM handler and data in case of unsuccessful authentication
(https://github.com/proftpd/proftpd/issues/870)
– SSH authentication failed for many clients due to receiving of
SSH_MSG_IGNORE packet (http://bugs.proftpd.org/show_bug.cgi?id=4385)
– SFTP publickey authentication failed unexpectedly when user had no shadow
password info. (https://github.com/proftpd/proftpd/issues/890)
– ftpasswd failed to restore password file permissions in some cases
(https://github.com/proftpd/proftpd/issues/898)
– Out-of-bounds read in mod_cap getstateflags() function; this has been
addressed by updating the bundled version of libcap
(https://github.com/proftpd/proftpd/issues/902)
Note that this build of ProFTPD uses the system version of libcap and not
the bundled version
* Wed Jan 22 2020 Paul Howarth <paul@city-fan.org> – 1.3.6b-3
– Fix API tests compile failure with GCC 10
https://github.com/proftpd/proftpd/pull/886
– mod_sftp: When handling the ‘keyboard-interactive’ authentication mechanism,
as used for (e.g.) PAM, make sure to properly handle DEBUG, IGNORE,
DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253
(http://bugs.proftpd.org/show_bug.cgi?id=4385)
* Fri Nov 29 2019 Paul Howarth <paul@city-fan.org> – 1.3.6b-2
– Fix handling of CRL lookups by properly using issuer for lookups, and
guarding against null pointers (GH#859, GH#861, CVE-2019-19269,
CVE-2019-19270)
* Sun Oct 20 2019 Paul Howarth <paul@city-fan.org> – 1.3.6b-1
– Update to 1.3.6b
– Fixed pre-authentication remote denial-of-service issue
(CVE-2019-18217, https://github.com/proftpd/proftpd/issues/846)
* Sun Oct 13 2019 Paul Howarth <paul@city-fan.org> – 1.3.6a-1
– Update to 1.3.6a
– Configure script wrongly detected AIX lastlog functions
(http://bugs.proftpd.org/show_bug.cgi?id=4304)
– AllowChrootSymlinks off could cause login failures depending on filesystem
permissions (http://bugs.proftpd.org/show_bug.cgi?id=4306)
– mod_ctrls: error: unable to bind to local socket: Address already in use
(https://github.com/proftpd/proftpd/issues/501)
– Failed to handle multiple %{env:…} variables in single word in
configuration (https://github.com/proftpd/proftpd/issues/507)
– mod_sftp failed to check shadow password information when publickey
authentication used (http://bugs.proftpd.org/show_bug.cgi?id=4308)
– Use of “AllowEmptyPasswords off” broke SFTP/SCP logins
(http://bugs.proftpd.org/show_bug.cgi?id=4309)
– Use of mod_facl as static module caused ProFTPD to die on SIGHUP/restart
(http://bugs.proftpd.org/show_bug.cgi?id=4310)
– Use of curve25519-sha256@libssh.org SSH2 key exchange sometimes failed
(https://github.com/proftpd/proftpd/issues/556)
– Close extra file descriptors at startup
(http://bugs.proftpd.org/show_bug.cgi?id=4312)
– <Anonymous> with AuthAliasOnly in effect did not work as expected
(http://bugs.proftpd.org/show_bug.cgi?id=4314)
– CreateHome NoRootPrivs only worked partially
(https://github.com/proftpd/proftpd/issues/568)
– SFTP OPEN response included attribute flags that are not actually provided
(https://github.com/proftpd/proftpd/issues/578)
– Truncation of file while being downloaded with sendfile enabled caused
timeouts due to infinite loop (http://bugs.proftpd.org/show_bug.cgi?id=4318)
– FTP uploads frequently broke due to “Interrupted system call” error
(http://bugs.proftpd.org/show_bug.cgi?id=4319)
– Site-to-site transfers over TLS failed
(https://github.com/proftpd/proftpd/issues/618)
– Can’t see symlinks using any FTP client when using MLSD
(http://bugs.proftpd.org/show_bug.cgi?id=4322)
– mod_tls 1.3.6 failed to compile using OpenSSL 0.9.8e
(http://bugs.proftpd.org/show_bug.cgi?id=4325)
– Using MaxClientsPerHost 1 in <Anonymous> section denied logins
(http://bugs.proftpd.org/show_bug.cgi?id=4326)
– SQLNamedConnectInfo with different backend database did not work properly
(https://github.com/proftpd/proftpd/issues/642)
– Segfault with mod_sftp+mod_sftp_pam after successful authentication using
keyboard-interactive method (https://github.com/proftpd/proftpd/issues/656)
– autoconf always failed to detect support for FIPS
(https://github.com/proftpd/proftpd/issues/660)
– SFTP connections failed when using “arcfour256” cipher
(https://github.com/proftpd/proftpd/issues/663)
– mod_auth_otp failed to build with OpenSSL 1.1.x
(http://bugs.proftpd.org/show_bug.cgi?id=4335)
– scp broken on FreeBSD 11 (http://bugs.proftpd.org/show_bug.cgi?id=4341)
– Update mod_sftp to handle changed APIs in OpenSSL 1.1.x releases
(https://github.com/proftpd/proftpd/issues/674)
– Infinite loop possible in mod_sftp’s set_sftphostkey() function
(http://bugs.proftpd.org/show_bug.cgi?id=4356)
– Some ASCII text files corrupted when downloading
(http://bugs.proftpd.org/show_bug.cgi?id=4352)
– Properly use the –includedir, –libdir configure variables in the
generated proftpd.pc pkgconfig file
(https://github.com/proftpd/proftpd/issues/797)
– Reading invalid SSH key from database resulted in unexpected/unlogged
disconnect failures (http://bugs.proftpd.org/show_bug.cgi?id=4350)
– Symlink navigation broken after 1.3.6 update
(http://bugs.proftpd.org/show_bug.cgi?id=4332)
– Unable to connect to ProFTPD using TLSSessionTickets and TLSv1.3
(https://github.com/proftpd/proftpd/issues/795)
– SITE CPFR/CPTO did not honor <Limit> configurations
(http://bugs.proftpd.org/show_bug.cgi?id=4372)
– Using “TLSProtocol SSLv23” did not enable all protocol versions
(https://github.com/proftpd/proftpd/issues/807)
* Tue Jul 23 2019 Paul Howarth <paul@city-fan.org> – 1.3.6-21
– An arbitrary file copy vulnerability in mod_copy in ProFTPD allowed for
remote code execution and information disclosure without authentication
(CVE-2019-12815)
http://bugs.proftpd.org/show_bug.cgi?id=4372
https://github.com/proftpd/proftpd/pull/816
——————————————————————————–
This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-76c707cff0’ at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org