Login
Newsletter
Werbung
Sicherheit: Ausführen beliebiger Kommandos in ProFTPD
Aktuelle Meldungen Distributionen
Name: Ausführen beliebiger Kommandos in ProFTPD
ID: FEDORA-2012-3733
Distribution: Fedora
Plattformen: Fedora 15
Datum: Sa, 24. März 2012, 13:48
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130
Applikationen: ProFTPD

Originalnachricht

 
Name        : proftpd
Product     : Fedora 15
Version     : 1.3.4a
Release     : 7.fc15
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based
 directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

-------------------------------------------------------------------------------
-
Update Information:

This update fixes an issue where each reload of the server configuration (e.g.
 when the logs are rotated) would use up a file descriptor, eventually resulting in running out of file descriptors.
-------------------------------------------------------------------------------
-
ChangeLog:

* Mon Mar 12 2012 Paul Howarth <paul@city-fan.org> 1.3.4a-7
- Tweak logrotate script for systemd compatibility (#802178)
- Fix leaked file descriptors for log files (as per bug 3751)
* Sat Mar  3 2012 Paul Howarth <paul@city-fan.org> 1.3.4a-6
- Rebuild for new libmemcached in Rawhide
* Tue Feb 28 2012 Paul Howarth <paul@city-fan.org> 1.3.4a-5
- Document SELinux configuration for ProFTPD in proftpd.conf (#785443)
- Add support for basic and administrative controls actions using ftpdctl by
  default (#786623)
- Add trace logging directives in proftpd.conf but disable them by default as
  they impair performance
- Fix ftpwho/ftptop not showing command arguments (bug 3714)
- Fix MLSD/MLST fail with "DirFakeUser off" or "DirFakeGroup
 off" (bug 3715)
- Fix proftpd fails to run with "Abort trap" error message (bug 3717)
- Fix LIST -R can loop endlessly if bad directory symlink exists (bug 3719)
- Fix overly restrictive module logfile permissions (bug 3720)
- Fix mod_memcache segfault on server restart (bug 3723)
- Fix unloading mod_quotatab causes segfault (#757311, bug 3724)
- Fix mod_exec does not always capture stdout/stderr output from executed
  command (bug 3726)
- Fix mod_wrap2 causes unexpected LogFormat %u expansion for SFTP connections
  (bug 3727)
- Fix mod_ldap segfault when LDAPUsers is used with no optional filters
  (bug 3729)
- Fix DirFakeUser/DirFakeGroup off with name causes SIGSEGV for MLSD/MLST
  commands (bug 3734)
- Fix improper handling of self-signed certificate in client-sent cert list
  when "TLSVerifyClient on" is used (bug 3742)
- Fix random stalls/segfaults seen when transferring large files via SFTP
  (bug 3743)
- Support ls(1) -1 option for LIST command (bug 3744)
- Reject PASV command if no IPv4 address available (bug 3745)
- Support applying ListOptions only to NLST or to LIST commands (bug 3746)
- Support option for displaying symlinks via MLSD using syntax preferred by
  FileZilla (bug 3747)
- Fix mod_ban not closing and reopening the BanLog/BanTable file descriptors
  on restart, causing a file descriptor leak (bug 3751)
- Fix mod_ctrls no longer listening on ControlsSocket after restart (bug 3756)
* Thu Feb  9 2012 Paul Howarth <paul@city-fan.org> 1.3.4a-4
- Rebuild for new libpcre in Rawhide
* Mon Jan 16 2012 Paul Howarth <paul@city-fan.org> 1.3.4a-3
- Add -utils subpackage for support tools, which means the main package
  no longer requires perl
* Tue Jan 10 2012 Paul Howarth <paul@city-fan.org> 1.3.4a-2
- Make mod_vroot a DSO, loaded by default (#772354)
- VRootAlias for /etc/security/pam_env.conf is redundant, so remove it
- Add BanMessage (#772354)
- Add -devel subpackage for building third-party modules
* Fri Nov 11 2011 Paul Howarth <paul@city-fan.org> 1.3.4a-1
- Update to 1.3.4a:
  - Fixed mod_load/mod_wrap2 build issues
- Drop now-redundant workaround for building mod_load and mod_wrap2
- Drop upstreamed patch for xinetd config typo
* Thu Nov 10 2011 Paul Howarth <paul@city-fan.org> 1.3.4-1
- Update to 1.3.4, addressing the following bugs since 1.3.4rc3:
  - ProFTPD with mod_sql_mysql dies of "Alarm clock" on FreeBSD (bug
 3702)
  - mod_sql_mysql.so: undefined symbol: make_scrambled_password with MySQL 5.5
    on Fedora (bug 3669)
  - PQescapeStringConn() needs a better check (bug 3192)
  - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (bug 3704);
    to disable this countermeasure, which may cause interoperability issues
    with some clients, use the NoEmptyFragments TLSOption
  - Support SFTPOption for ignoring requests to modify timestamps (bug 3706)
  - RPM build on CentOS 5.5 (64bit): "File not found by glob" (bug
 3640)
  - Response pool use-after-free memory corruption error
    (bug 3711, #752812, ZDI-CAN-1420, CVE-2011-4130)
- Drop upstream patch for make_scrambled_password_323
- Use upstream SysV initscript rather than our own
- Use upstream systemd service file rather than our own
- Use upstream PAM configuration rather than our own
- Use upstream logrotate configuration rather than our own
- Use upstream tempfiles configuration rather than our own
- Use upstream xinetd configuration rather than our own
* Thu Oct  6 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.15.rc3
- Add upstream patch to not try make_scrambled_password_323 if the MySQL
  library doesn't export it (#718327, upstream bug 3669); this removes
 support
  for password hashes generated on MySQL prior to 4.1
* Thu Sep 29 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.14.rc3
- Update to 1.3.4rc3 (see NEWS and RELEASE_NOTES for full details)
  - The mod_ldap configuration directives have changed to a simplified version;
    please read the "Changes" section in README.LDAP for details
  - Support for using RADIUS for authentication SSH2 logins, and for supporting
    the NAS-IPv6-Address RADIUS attribute
  - Automatically disable sendfile support on AIX systems
  - <Limit WRITE> now prevents renaming/moving a file out of the limited
    directory
  - ExtendedLog entries now written for data transfers that time out
- Drop upstreamed patches
- Use new --disable-strip option to retain debugging symbols
- Use upstream LDAP quota table schema rather than our own copy
- Add patch for broken MySQL auth (#718327, upstream bug 3669)
- Remove spurious exec permissions on systemd unit file
* Tue Sep 27 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.13.rc2
- Restore back-compatibility with older releases and EPEL, broken by -11 update
- Use /run rather than /var/run if using systemd init
- Avoid the use of triggers in SysV-to-systemd migration
* Sat Sep 17 2011 Remi Collet <remi@fedoraproject.org> 1.3.4-0.12.rc2
- Rebuild against libmemcached.so.8
* Mon Sep 12 2011 Tom Callaway <spot@fedoraproject.org> 1.3.4-0.11.rc2
- Convert to systemd
* Fri Jun  3 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.10.rc2
- Rebuild for new libmemcached in Rawhide
* Tue May 17 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.9.rc2
- Add a number of fixes for bugs reported upstream:
  - Avoid spinning proftpd process if read(2) returns EAGAIN (bug 3639)
  - SITE CPFR/CPTO does not update quota tally (bug 3641)
  - Segfault in mod_sql_mysql if "SQLAuthenticate groupsetfast" used
 (bug 3642)
  - Disable signal handling for exiting session processes (bug 3644)
  - Ensure that SQLNamedConnectInfos with PERSESSION connection policies are
    opened before chroot (bug 3645)
  - MaxStoreFileSize can be bypassed using REST/APPE (bug 3649)
  - Fix TCPAccessSyslogLevel directive (bug 3652)
  - Segfault with "DefaultServer off" and no matching server for
 incoming IP
    address (bug 3653)
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung