proftpd mod_copy issue (CVE-2015-3306)
Bug #1462311 reported by ft
This bug affects 20 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Proftpd Dfsg | Fix Released | Critical | |
proftpd-dfsg (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Fix Released | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Bug Description
The CVE-2015-3306 problem has been around for some time now and is not fixed in the 12.04 and 14.04 LTS versions.
http://
I also tested it with telnet.
I can copy files without any authentication if mod_copy is enabled (mod_copy is enabled by default!)
The module is very useful. I would be happy if I could re-enable it on my servers.
Debian and other distributions have already fixed this in their systems.
http://
https:/
https:/
Is there a special reason why this is still not fixed on the LTS versions of Ubuntu?
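
To confirm whether a host still loads the module described above, this added example (not part of the bug report and not ProFTPD project code) lists the modules that a ProFTPD modules file actively loads and flags `mod_copy.c`. It assumes DSO modules loaded through `LoadModule` lines, as in the Debian/Ubuntu `/etc/proftpd/modules.conf`, and matches the directive case-insensitively as a conservative choice; the sample configurations are constructed, and a mod_copy compiled statically into the daemon is not detected.

```python
import re
import sys

# An active directive starts with optional whitespace, so lines whose first
# non-blank character is '#' (commented out) never match.
_LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)", re.IGNORECASE)

# Constructed samples in the style of /etc/proftpd/modules.conf.
SAMPLE_DEFAULT = """\
ModulePath /usr/lib/proftpd
LoadModule mod_ctrls_admin.c
#LoadModule mod_sql.c
LoadModule mod_copy.c
"""

SAMPLE_HARDENED = """\
ModulePath /usr/lib/proftpd
LoadModule mod_ctrls_admin.c
  # LoadModule mod_copy.c
"""


def loaded_modules(config_text):
    """Return module names from LoadModule lines that are not commented out."""
    modules = []
    for line in config_text.splitlines():
        match = _LOADMODULE.match(line)
        if match:
            modules.append(match.group(1).lower())
    return modules


def mod_copy_loaded(config_text):
    """True if the configuration text actively loads mod_copy."""
    return "mod_copy.c" in loaded_modules(config_text)


def audit(paths):
    """Return the subset of the given config files that actively load mod_copy."""
    flagged = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                if mod_copy_loaded(handle.read()):
                    flagged.append(path)
        except OSError:
            continue  # missing or unreadable file: nothing to report
    return flagged


if __name__ == "__main__":
    for hit in audit(sys.argv[1:] or ["/etc/proftpd/modules.conf"]):
        print(f"{hit}: mod_copy is loaded")
```
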
CVE References
no longer affects: proftpd-dfsg
Changed in proftpd-dfsg:
importance: Unknown → Critical
status: Unknown → Fix Released
description: updated
Changed in proftpd-dfsg (Ubuntu):
status: Incomplete → Confirmed
Changed in proftpd-dfsg (Ubuntu):
importance: Undecided → Medium
tags: removed: cve-2015-3306
tags: added: precise trusty
Changed in proftpd-dfsg (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in proftpd-dfsg (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in proftpd-dfsg (Ubuntu Precise):
status: In Progress → Confirmed
Changed in proftpd-dfsg (Ubuntu Trusty):
status: In Progress → Confirmed
Changed in proftpd-dfsg (Ubuntu Precise):
assignee: Tyler Hicks (tyhicks) → nobody
Changed in proftpd-dfsg (Ubuntu Trusty):
assignee: Tyler Hicks (tyhicks) → nobody
Changed in proftpd-dfsg (Ubuntu):
status: Confirmed → Fix Released
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures