BugTraq
MDKSA-2005:140 - Updated proftpd packages fix format string vulnerabilities Aug 16 2005 02:12AM
Mandriva Security Team (security mandriva com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: proftpd
Advisory ID: MDKSA-2005:140
Date: August 15th, 2005

Affected versions: 10.0, 10.1, 10.2, Corporate 3.0
______________________________________________________________________

Problem Description:

Two format string vulnerabilities were discovered in ProFTPD. The
first exists when displaying a shutdown message containin the name of
the current directory. This could be exploited by a user who creates
a directory containing format specifiers and sets the directory as the
current directory when the shutdown message is being sent.

The second exists when displaying response messages to the cleint using
information retreived from a database using mod_sql. Note that mod_sql
support is not enabled by default, but the contrib source file has been
patched regardless.

The updated packages have been patched to correct these problems.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2390
http://secunia.com/advisories/16181
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
9754b8d4357f6843ed9f613d1daeca4e 10.0/RPMS/proftpd-1.2.9-3.3.100mdk.i586.rpm
9009783efdf84c2f92a988e6268f0631 10.0/RPMS/proftpd-anonymous-1.2.9-3.3.100mdk.i586.rpm
cef8ec2cd6a3ec3c1e2b737221cbf97c 10.0/SRPMS/proftpd-1.2.9-3.3.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
23c5bf83875f00ab5f554029c6aa9177 amd64/10.0/RPMS/proftpd-1.2.9-3.3.100mdk.amd64.rpm
80b34a20f86d090c0b1f19972f213af8 amd64/10.0/RPMS/proftpd-anonymous-1.2.9-3.3.100mdk.amd64.rpm
cef8ec2cd6a3ec3c1e2b737221cbf97c amd64/10.0/SRPMS/proftpd-1.2.9-3.3.100mdk.src.rpm

Mandrakelinux 10.1:
68039b1c9e9090856e8e93c11edc3c10 10.1/RPMS/proftpd-1.2.10-2.1.101mdk.i586.rpm
0952d937b0d8432eeb365ea07ba267b9 10.1/RPMS/proftpd-anonymous-1.2.10-2.1.101mdk.i586.rpm
fafda6527589ac244691743278c5fb2f 10.1/SRPMS/proftpd-1.2.10-2.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
1c37bda199475b68dae530c06285222f x86_64/10.1/RPMS/proftpd-1.2.10-2.1.101mdk.x86_64.rpm
4e2c3f72c6bc1710e82f81d919df4a0d x86_64/10.1/RPMS/proftpd-anonymous-1.2.10-2.1.101mdk.x86_64.rpm
fafda6527589ac244691743278c5fb2f x86_64/10.1/SRPMS/proftpd-1.2.10-2.1.101mdk.src.rpm

Mandrakelinux 10.2:
62c9ac6c9f9cefe3ae26d00287430abd 10.2/RPMS/proftpd-1.2.10-9.1.102mdk.i586.rpm
77020ac5c67cf4ed616a4d858cbdca61 10.2/RPMS/proftpd-anonymous-1.2.10-9.1.102mdk.i586.rpm
332bc621d075cce043964146d874eefc 10.2/SRPMS/proftpd-1.2.10-9.1.102mdk.src.rpm

Mandrakelinux 10.2/X86_64:
9077e02a37afaeef184095d5e32d4795 x86_64/10.2/RPMS/proftpd-1.2.10-9.1.102mdk.x86_64.rpm
6f7e7a053d2a8d3872efdd87dcf1227f x86_64/10.2/RPMS/proftpd-anonymous-1.2.10-9.1.102mdk.x86_64.rpm
332bc621d075cce043964146d874eefc x86_64/10.2/SRPMS/proftpd-1.2.10-9.1.102mdk.src.rpm

Corporate 3.0:
ed09c8c53d71e04c21ffaf1d647722c1 corporate/3.0/RPMS/proftpd-1.2.9-3.3.C30mdk.i586.rpm
5885b14d6817c11ef29c03aed76cb61f corporate/3.0/RPMS/proftpd-anonymous-1.2.9-3.3.C30mdk.i586.rpm
b71bb2a58e0ac2d224c2fc332fbccdc7 corporate/3.0/SRPMS/proftpd-1.2.9-3.3.C30mdk.src.rpm

Corporate 3.0/X86_64:
96d72d9503f3b7f86d7b162453f9f25c x86_64/corporate/3.0/RPMS/proftpd-1.2.9-3.3.C30mdk.x86_64.rpm
eff847004e164052d380b9937ec641ee x86_64/corporate/3.0/RPMS/proftpd-anonymous-1.2.9-3.3.C30mdk.x86_64.rpm
b71bb2a58e0ac2d224c2fc332fbccdc7 x86_64/corporate/3.0/SRPMS/proftpd-1.2.9-3.3.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDAUt5mqjQ0CJFipgRAqCQAKDYxGSSDQIrxuL9LnqxWOo5vl/fwgCdFevV
WMVFZhi3wVbAG3ShLkcuKts=
=VlqT
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus