[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[SECURITY] Fedora 11 Update: proftpd-1.3.2c-1.fc11



--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-13236
2009-12-16 00:19:59
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 11
Version     : 1.3.2c
Release     : 1.fc11
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behaviour of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update addresses CVE-2009-3555 (SSL/TLS renegotiation vulnerability),
mitigating the problem by refusing all client-initiated SSL/TLS session
renegotiations.    This update to the latest maintenance release also fixes a
number of bugs recorded in the proftpd bug tracker:    - SSL/TLS renegotiation
vulnerability (CVE-2009-3555, bug 3324)  - Failed database transaction can cause
mod_quotatab to loop (bug 3228)  - Segfault in mod_wrap (bug 3332)  -
<Directory> sections can have <Limit> problems (bug 3337)  - mod_wrap2 segfaults
when a valid user retries the USER command (bug 3341)  - mod_auth_file handles
'getgroups' request incorrectly (bug 3347)  - Segfault caused by scrubbing zero-
length portion of memory (bug 3350)    Finally, the behaviour of the MLSD FTP
command (used in many modern FTP clients to list directories) is fixed for the
case when the FTP server's configuration disallows its usage (using a <Limit>
clause) in some but not all places (#544002).
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 10 2009 Paul Howarth <paul city-fan org> 1.3.2c-1
- Update to 1.3.2c, addressing the following issues:
  - SSL/TLS renegotiation vulnerability (CVE-2009-3555, bug 3324)
  - Failed database transaction can cause mod_quotatab to loop (bug 3228)
  - Segfault in mod_wrap (bug 3332)
  - <Directory> sections can have <Limit> problems (bug 3337)
  - mod_wrap2 segfaults when a valid user retries the USER command (bug 3341)
  - mod_auth_file handles 'getgroups' request incorrectly (bug 3347)
  - Segfault caused by scrubbing zero-length portion of memory (bug 3350)
- Drop upstreamed segfault patch
* Thu Dec 10 2009 Paul Howarth <paul city-fan org> 1.3.2b-3
- Add patch for upstream bug 3350 - segfault on auth failures
* Wed Dec  9 2009 Paul Howarth <paul city-fan org> 1.3.2b-2
- Reduce the mod_facts patch to the single commit addressing the issue with
  directory names with glob characters (#521634), avoiding introducing a
  further problem with <Limit> (#544002)
* Wed Oct 21 2009 Paul Howarth <paul city-fan org> 1.3.2b-1
- Update to 1.3.2b
  - Fixed regression causing command-line define options not to work (bug 3221)
  - Fixed SSL/TLS cert subjectAltName verification (bug 3275, CVE-2009-3639)
  - Use correct cached user values with "SQLNegativeCache on" (bug 3282)
  - Fix slower transfers of multiple small files (bug 3284)
  - Support MaxTransfersPerHost, MaxTransfersPerUser properly (bug 3287)
  - Handle symlinks to directories with trailing slashes properly (bug 3297)
- Drop upstreamed defines patch (bug 3221)
* Thu Sep 17 2009 Paul Howarth <paul city-fan org> 1.3.2a-7
- Restore backward SRPM compatibility broken by previous change
* Wed Sep 16 2009 Tomas Mraz <tmraz redhat com> 1.3.2a-6
- Use password-auth common PAM configuration instead of system-auth
* Mon Sep  7 2009 Paul Howarth <paul city-fan org> 1.3.2a-5
- Add upstream patch for MLSD with dirnames containing glob chars (#521634)
* Wed Sep  2 2009 Paul Howarth <paul city-fan org> 1.3.2a-4
- New DSO module: mod_exec (#520214)
* Fri Aug 21 2009 Tomas Mraz <tmraz redhat com> 1.3.2a-3.1
- Rebuilt with new openssl
* Wed Aug 19 2009 Paul Howarth <paul city-fan org> 1.3.2a-3
- Use mod_vroot to work around PAM/chroot issues (#477120, #506735)
* Fri Jul 31 2009 Paul Howarth <paul city-fan org> 1.3.2a-2
- Add upstream patch to fix parallel build (http://bugs.proftpd.org/3189)
* Mon Jul 27 2009 Paul Howarth <paul city-fan org> 1.3.2a-1
- Update to 1.3.2a
- Add patch to reinstate support for -DPARAMETER (http://bugs.proftpd.org/3221)
- Retain CAP_AUDIT_WRITE, needed for pam_loginuid (#506735, fixed upstream)
- Remove ScoreboardFile directive from configuration file - default value
  works better with SELinux (#498375)
- Ship mod_quotatab_sql.so in the main package rather than the SQL backend
  subpackages
- New DSO modules:
  - mod_ctrls_admin
  - mod_facl
  - mod_load
  - mod_quotatab_radius
  - mod_radius
  - mod_ratio
  - mod_rewrite
  - mod_site_misc
  - mod_wrap2
  - mod_wrap2_file
  - mod_wrap2_sql
- Enable mod_lang/nls support for RFC 2640 (and buildreq gettext)
- Add /etc/sysconfig/proftpd to set PROFTPD_OPTIONS and update initscript to
  use this value so we can use a define to enable (e.g.) anonymous FTP support
  rather than having a huge commented-out section in the config file
- Rewrite config file to remove most settings that don't change upstream
  defaults, and add brief descriptions for all available loadable modules
- Move Umask and IdentLookups settings from server config to <Global> context
  so that they apply to all servers, including virtual hosts (#509251)
- Ensure mod_ifsession is always the last one specified, which makes sure that
  mod_ifsession's changes are seen properly by other modules
- Drop pam version requirement - all targets have sufficiently recent version
- Drop redundant explicit dependency on pam
- Subpackages don't need to own %{_libexecdir}/proftpd directory
- Drop redundant krb5-devel buildreq
- Make SRPM back-compatible with EPEL-4 (TLS cert dirs, PAM config)
- Don't include README files for non-Linux platforms
- Recode ChangeLog as UTF-8
- Don't ship the prxs tool for building custom DSO's since we don't ship the
  headers either
- Prevent stripping of binaries in a slightly more robust way
- Fix release tag to be ready for future beta/rc versions
- Define RPM macros in global scope
- BuildRequire libcap-devel so that we use the system library rather than the
  bundled one, and eliminate log messages like:
  kernel: warning: `proftpd' uses 32-bit capabilities (legacy support in use)
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng lists fedoraproject org> 1.3.2-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
        https://bugzilla.redhat.com/show_bug.cgi?id=533125
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]