Name : proftpd
Product : Fedora 15
Version : 1.3.4
Release : 1.fc15
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based
directory
visibility.
This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.
-------------------------------------------------------------------------------
-
Update Information:
This update, to the current upstream stable release, includes a pair of
security fixes:
* Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (upstream bug
3704); to disable this countermeasure, which may cause interoperability issues with some clients, use the NoEmptyFragments TLSOption
* Response pool use-after-free memory corruption error (upstream bug 3711,
#752812, ZDI-CAN-1420, CVE-2011-4130), in which a remote attacker could provide a specially-crafted request (resulting in a need for the server to handle an exceptional condition), leading to memory corruption and potentially arbitrary code execution, with the privileges of the user running the proftpd server
-------------------------------------------------------------------------------
-
ChangeLog:
* Thu Nov 10 2011 Paul Howarth <paul@city-fan.org> 1.3.4-1
- Update to 1.3.4, addressing the following bugs since 1.3.4rc3:
- ProFTPD with mod_sql_mysql dies of "Alarm clock" on FreeBSD (bug
3702)
- mod_sql_mysql.so: undefined symbol: make_scrambled_password with MySQL 5.5
on Fedora (bug 3669)
- PQescapeStringConn() needs a better check (bug 3192)
- Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (bug 3704);
to disable this countermeasure, which may cause interoperability issues
with some clients, use the NoEmptyFragments TLSOption
- Support SFTPOption for ignoring requests to modify timestamps (bug 3706)
- RPM build on CentOS 5.5 (64bit): "File not found by glob" (bug
3640)
- Response pool use-after-free memory corruption error
(bug 3711, #752812, ZDI-CAN-1420, CVE-2011-4130)
- Drop upstream patch for make_scrambled_password_323
- Use upstream SysV initscript rather than our own
- Use upstream systemd service file rather than our own
- Use upstream PAM configuration rather than our own
- Use upstream logrotate configuration rather than our own
- Use upstream tempfiles configuration rather than our own
- Use upstream xinetd configuration rather than our own
* Thu Oct 6 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.15.rc3
- Add upstream patch to not try make_scrambled_password_323 if the MySQL
library doesn't export it (#718327, upstream bug 3669); this removes
support
for password hashes generated on MySQL prior to 4.1
* Thu Sep 29 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.14.rc3
- Update to 1.3.4rc3 (see NEWS and RELEASE_NOTES for full details)
- The mod_ldap configuration directives have changed to a simplified version;
please read the "Changes" section in README.LDAP for details
- Support for using RADIUS for authentication SSH2 logins, and for supporting
the NAS-IPv6-Address RADIUS attribute
- Automatically disable sendfile support on AIX systems
- <Limit WRITE> now prevents renaming/moving a file out of the limited
directory
- ExtendedLog entries now written for data transfers that time out
- Drop upstreamed patches
- Use new --disable-strip option to retain debugging symbols
- Use upstream LDAP quota table schema rather than our own copy
- Add patch for broken MySQL auth (#718327, upstream bug 3669)
- Remove spurious exec permissions on systemd unit file
* Tue Sep 27 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.13.rc2
- Restore back-compatibility with older releases and EPEL, broken by -11 update
- Use /run rather than /var/run if using systemd init
- Avoid the use of triggers in SysV-to-systemd migration
* Sat Sep 17 2011 Remi Collet <remi@fedoraproject.org> 1.3.4-0.12.rc2
- Rebuild against libmemcached.so.8
* Mon Sep 12 2011 Tom Callaway <spot@fedoraproject.org> 1.3.4-0.11.rc2
- Convert to systemd
* Fri Jun 3 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.10.rc2
- Rebuild for new libmemcached in Rawhide
* Tue May 17 2011 Paul Howarth <paul@city-fan.org> 1.3.4-0.9.rc2
- Add a number of fixes for bugs reported upstream:
- Avoid spinning proftpd process if read(2) returns EAGAIN (bug 3639)
- SITE CPFR/CPTO does not update quota tally (bug 3641)
- Segfault in mod_sql_mysql if "SQLAuthenticate groupsetfast" used
(bug 3642)
- Disable signal handling for exiting session processes (bug 3644)
- Ensure that SQLNamedConnectInfos with PERSESSION connection policies are
opened before chroot (bug 3645)
- MaxStoreFileSize can be bypassed using REST/APPE (bug 3649)
- Fix TCPAccessSyslogLevel directive (bug 3652)
- Segfault with "DefaultServer off" and no matching server for
incoming IP
address (bug 3653)
-------------------------------------------------------------------------------
-
References:
[ 1 ] Bug #752812 - CVE-2011-4130 proftpd: Response pool use-after-free flaw
(ZDI-CAN-1420)
https://bugzilla.redhat.com/show_bug.cgi?id=752812
-------------------------------------------------------------------------------
-
This update can be installed with the "yum" update program. Use
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
|
