Vulnerable version of proftpd

Bug #669862 reported by spacefight
This bug affects 6 people
Affects                Status        Importance  Assigned to  Milestone
proftpd (Ubuntu)       Fix Released  Undecided   Unassigned
proftpd-dfsg (Debian)  Fix Released  Unknown

Bug Description

Binary package hint: proftpd

ProFTPD 1.3.3c was released on 29.10.2010. The version in use on Ubuntu 10.04 is 1.3.2c and is vulnerable.

http://proftpd.org/docs/RELEASE_NOTES-1.3.3c

Please update.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, ProFTPD community. The ProFTPD Project team is pleased to announce
that the third maintenance release for ProFTPD 1.3.3 is now available for
public consumption.

You can download 1.3.3c, including PGP signatures and MD5 sums, from any
of the proftpd mirrors. Mirrors are available via FTP as:

  ftp.<two_letter_iso_country_code>.proftpd.org

(example: ftp.nl.proftpd.org). Not all countries have mirrors; however
you should select one that is geographically close to you.

Alternatively, you can download proftpd from the main site:

  ftp://ftp.proftpd.org/distrib/source

RPMs, once available, will be placed here:

  ftp://ftp.proftpd.org/distrib/packages/RPMS

The 1.3.3c release is a security release. It contains fixes for the
Telnet IAC stack overflow vulnerability (ZDI-CAN-925) and for the
mod_site_misc module directory traversal vulnerability.

The Telnet IAC stack overflow vulnerability (Bug#3521) has no known
workarounds. It affects FTP and FTPS (FTP over SSL/TLS) connections,
but does not affect SFTP/SCP connections.

The mod_site_misc module directory traversal vulnerability (Bug#3519)
applies to sites which use the mod_site_misc module. To prevent
clients from exploiting this vulnerability while a fix is being
deployed, the following can be used in the proftpd.conf file:

  <Limit SITE_MKDIR SITE_RMDIR SITE_SYMLINK SITE_UTIME>
    DenyAll
  </Limit>

Sites are urged to upgrade to proftpd-1.3.3c or later as soon as
possible.

Please read the included NEWS, RELEASE_NOTES, and ChangeLog files for
the full details.

The MD5 sums for the source tarballs are:

  8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
  4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz

The PGP signatures for the source tarballs are:

  proftpd-1.3.3c.tar.bz2:

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iEYEABECAAYFAkzLAWYACgkQt46JP6URl2qu3QCcDGXD+fRPOdKMp8fHyHI5d12E
    83gAoPHBrjTFCz4MKYLhH8qqxmGslR2k
    =aLli
    -----END PGP SIGNATURE-----

  proftpd-1.3.3c.tar.gz:

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iEYEABECAAYFAkzLAW0ACgkQt46JP6URl2ojfQCfXy/hWE8G5mhdhdLpaPUZsofK
    pO8Anj+uP0hQcn1E/CEUddI0mezlSCmg
    =e8el
    -----END PGP SIGNATURE-----

My PGP key has been used to sign the source tarballs as well as this
announcement; it is available via MIT's public keyserver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkzLAhMACgkQt46JP6URl2ofSgCgsFD/aXC6TNYWJMsnfdOs8WBU
5VQAoITat0nkFaPHbjkVx8FCwcz93zJ8
=M2BF
-----END PGP SIGNATURE-----

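The announcement quoted above publishes MD5 sums for the two 1.3.3c tarballs. As an added example (not part of the bug report or of the ProFTPD project's own tooling), the following Python parses a sum list in that format and checks a downloaded file against the entry for its file name. The two real digests are copied from the announcement; the stand-in file and its digest used in `demo()` are constructed (`b"abc"` has the well-known MD5 `900150983cd24fb0d6963f7d28e17f72`), and the function names are mine.

```python
import hashlib
import hmac
import os
import tempfile

# Copied verbatim from the 1.3.3c announcement quoted in the bug description.
ANNOUNCEMENT_SUMS = """
  8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
  4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz
"""


def parse_sums(text):
    """Parse '<md5> <filename>' lines into {filename: md5}; blank lines are ignored."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError("malformed sum line: %r" % line)
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("not an MD5 digest: %r" % line)
        sums[name] = digest
    return sums


def md5_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_tarball(path, sums_text):
    """True iff the file's MD5 equals the published digest for its base name.

    Raises KeyError when the list has no entry for that name, so a renamed or
    unlisted file is reported rather than silently passing.
    """
    sums = parse_sums(sums_text)
    name = os.path.basename(path)
    if name not in sums:
        raise KeyError("no published sum for %s" % name)
    return hmac.compare_digest(md5_of_file(path), sums[name])


def demo():
    """Constructed stand-in tarball: intact copy passes, a modified copy fails."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "stand-in.tar.gz")
        with open(path, "wb") as f:
            f.write(b"abc")
        # Constructed sum list: MD5 of b"abc" is 900150983cd24fb0d6963f7d28e17f72.
        sums = "900150983cd24fb0d6963f7d28e17f72 stand-in.tar.gz\n"
        intact = verify_tarball(path, sums)
        with open(path, "ab") as f:
            f.write(b"\n")  # simulate a truncated/corrupted or altered download
        tampered = verify_tarball(path, sums)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The MD5 check only tells you the file matches what the announcement lists; since MD5 is collision-prone and the sum list travels over the same channel as the tarball, the PGP signatures the announcement also provides are the check that actually binds the file to the release manager's key.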
Tim Nicholas (tjn) wrote :

Hey... So anyone paying any attention to their bug queue at all? This is a pretty major bug, guys.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Kees Cook (kees) wrote :

N.B. the stack overflow is caught by the stack protector and FORTIFY_SOURCE, so this is "only" a denial of service on Ubuntu.

Changed in proftpd-dfsg (Debian):
status: Unknown → Fix Released

Geordi LaForge (develop-ipv7) wrote :

In the meantime it is possible to downgrade proftpd using the Debian package:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602313

Download these two files for the proper architecture:
http://packages.debian.org/lenny/libcap1
http://packages.debian.org/lenny/proftpd-basic

spacefight (spacefight) wrote :

Is anyone able to provide that debdiff thing in order to have it fixed on Ubuntu itself? This bug will soon be a month old.

spacefight (spacefight) wrote :

Nice. Thank you.

http://ch.archive.ubuntu.com/ubuntu/ lucid-updates/universe proftpd-basic 1.3.2c-1ubuntu0.1

Changed in proftpd (Ubuntu):
status: New → Fix Released