[SECURITY] Fedora 7 Update: proftpd-1.3.1-2.fc7

updates at fedoraproject.org
Mon Nov 5 15:10:56 UTC 2007


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-2613
2007-11-05 15:10:51.668203
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 7
Version     : 1.3.1
Release     : 2.fc7
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behaviour of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

The Auth API in ProFTPD before 20070417, when multiple simultaneous
authentication modules are configured, does not require that the module that
checks authentication is the same as the module that retrieves authentication
data, which might allow remote attackers to bypass authentication, as
demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved
from /etc/passwd.
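As an added illustration (not ProFTPD's code, and a deliberately simplified model of its Auth API), the following Python contrasts the pre-fix dispatch, where any configured module may verify an entry that another module retrieved, with the fixed rule that the checking module must be the retrieving one. Module names, lookup tables and credentials are constructed for the example.

```python
import hashlib
from collections import namedtuple

# An entry as handed back by a module's getpwnam: who it is, its verifier
# string (plaintext for mod_sql, a hash for mod_auth_unix), and which module fetched it.
PwEntry = namedtuple("PwEntry", "name passwd source")

def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()

class AuthModule:
    name = "base"
    def __init__(self, table): self.table = table
    def getpwnam(self, user):
        return PwEntry(user, self.table[user], self.name) if user in self.table else None

class SqlModule(AuthModule):  # models mod_sql configured with SQLAuthTypes Plaintext
    name = "mod_sql"
    def auth(self, entry, password):
        return entry.passwd == password  # Plaintext: compares the stored field verbatim

class UnixModule(AuthModule):  # models mod_auth_unix over a constructed /etc/passwd table
    name = "mod_auth_unix"
    def auth(self, entry, password):
        return sha256_hex(password) == entry.passwd

def lookup(modules, user):
    entries = (m.getpwnam(user) for m in modules)
    return next((e for e in entries if e is not None), None)

def vulnerable_authenticate(modules, user, password):
    # Pre-20070417 behaviour: any configured module may verify an entry another one fetched,
    # so mod_sql's plaintext compare runs against a hash read from /etc/passwd.
    entry = lookup(modules, user)
    return entry is not None and any(m.auth(entry, password) for m in modules)

def fixed_authenticate(modules, user, password):
    # Fixed behaviour: only the module that retrieved the entry is allowed to verify it.
    entry = lookup(modules, user)
    if entry is None:
        return False
    checker = next(m for m in modules if m.name == entry.source)
    return checker.auth(entry, password)

ALICE_HASH = sha256_hex("correct horse")  # constructed sample credential, not real data

def build_modules():
    # mod_sql knows only bob; alice is found only in the constructed /etc/passwd-style table
    return [SqlModule({"bob": "s3cret"}), UnixModule({"alice": ALICE_HASH})]
```

With the fixed rule, alice's stored verifier string is no longer accepted as a password, while both users still authenticate with their real credentials through the module that knows them.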
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 22 2007 Matthias Saou <http://freshrpms.net/> 1.3.1-2
- Include openldap schema file for quota support (Fran Taylor, #291891).
- Include FDS compatible LDIF file for quota support (converted).
- Prefix source welcome.msg for consistency.
* Tue Oct  9 2007 Matthias Saou <http://freshrpms.net/> 1.3.1-1
- Update to 1.3.1 final.
- Remove all patches (upstream).
* Sun Aug 19 2007 Matthias Saou <http://freshrpms.net/> 1.3.1-0.2.rc3
- Update to 1.3.1rc3 (the only version to fix #237533 aka CVE-2007-2165).
- Remove all patches, none are useful anymore.
- Patch sstrncpy.c for config.h not being included (reported upstream #2964).
- Patch mod_sql_mysql.c to fix a typo (already fixed in CVS upstream).
- Exclude new headers, at least until some first 3rd party module shows up.
- Clean up old leftover CVS strings from our extra files.
- LSB-ize the init script (#247033).
- Explicitly pass --enable-openssl since configure tells us "(default=no)".
- Include patch to fix open calls on F8.
* Sun Aug 12 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-8
- Fix logrotate entry to silence error when proftpd isn't running (#246392).
* Mon Aug  6 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-7
- Include patch to fix "open" calls with recent glibc.
* Mon Aug  6 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-6
- Update License field.
* Fri Jun 15 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-5
- Remove _smp_mflags to (hopefully) fix build failure.
* Fri Jun 15 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-4
- Fix PAM entry for F7+ (#244168). Still doesn't work with selinux, though.
* Fri May  4 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-4
- Fix auth bypass vulnerability (#237533, upstream #2922)... not! :-(
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #237533 - CVE-2007-2165: proftpd auth bypass vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=237533
  [ 2 ] CVE-2007-2165
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2165
--------------------------------------------------------------------------------
Updated packages:


This update can be installed with the "yum" update program.  Use
su -c 'yum update proftpd'
at the command line.  For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------