Fedora EPEL 4 updates-testing report
updates at fedoraproject.org
updates at fedoraproject.org
Fri Apr 8 20:31:43 UTC 2011
The following Fedora EPEL 4 Security updates need testing:
https://admin.fedoraproject.org/updates/proftpd-1.3.3e-1.el4
The following builds have been pushed to Fedora EPEL 4 updates-testing
proftpd-1.3.3e-1.el4
Details about builds:
================================================================================
proftpd-1.3.3e-1.el4 (FEDORA-EPEL-2011-3011)
Flexible, stable and highly-configurable FTP server
--------------------------------------------------------------------------------
Update Information:
This update, to the current upstream maintenance release, fixes a large number of bugs (see NEWS for details), and also a couple of security issues:
* Plaintext command injection vulnerability in FTPS implementation (i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for details.
* CVE-2011-1137 (badly formed SSH messages cause DoS). See http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.
Other highlights include:
* Display messages work properly again.
* Performance improvements, especially during server startup/restarts.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 4 2011 Paul Howarth <paul at city-fan.org> 1.3.3e-1
- Update to 1.3.3e, fixing a large number of bugs reported upstream:
- Process privileges may not handled properly when --enable-autoshadow is
used (bug 3757)
- mod_sftp closes channel too early after scp download (bug 3544)
- mod_sftp_pam may tell client to disable echoing erroneously (bug 3579)
- mod_sftp behaves badly when receiving badly formed SSH messages (bug 3586,
CVE-2011-1137)
- Using "$shell $libtool" in prxs does not work for all shells (bug 3593)
- WrapAllowMsg directive broken due to bug 3423 (bug 3538)
- SocketOptions receive/send buffer size parameters no longer work (bug 3607)
- mod_wrap2 needs to support netmask rules for IPv6 addresses (bug 3606)
- APPE/STOU upload flags erroneously preserved across upload commands
(bug 3612)
- Malicious module can use sreplace() function to overflow buffer (bug 3614)
- Exiting sessions don't seem to die properly (bug 3619)
- mod_delay sometimes logs "unable to load DelayTable into memory" (bug 3622)
- Plaintext command injection in FTPS support (bug 3624)
- mod_ifsession rules using regular expressions do not work (bug 3625)
- Truncated client name saved in ScoreboardFile (bug 3623)
- %w variable populated with non-absolute path in SQLLog statement (bug 3627)
- Unnecessarily verbose "warning: unable to throttle bandwidth: Interrupted
system call" (bug 3628)
- SSH DISCONNECT messages sent by mod_sftp even for FTP connections in some
cases (bug 3630)
- mod_sql should log "unrecoverable database error" at a higher priority
(bug 3632)
- Proftpd is eating CPU when reparsing configuration file on SIGHUP (bug 3610)
- Incorrect generation of DSA signature for SSH sessions (bug 3634)
- Nobody else likes macros for commands
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #681718 - CVE-2011-1137 proftpd: integer overflow in mod_sftp
https://bugzilla.redhat.com/show_bug.cgi?id=681718
--------------------------------------------------------------------------------
More information about the epel-devel-list
mailing list