-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#7
- ------------------------------------------------------------
Name: proftpd
Date: 2007-02-14
Severity: High
Warning #: 2007-#7
- ------------------------------------------------------------

Product Background
===================
ProFTPD is a powerful, configurable, and free FTP daemon.

Problem Background
===================
A flaw exists in the mod_ctrls module of ProFTPD, normally used to allow FTP server administrators to configure the daemon at runtime.

Impact
======
An FTP server administrator permitted to interact with mod_ctrls could potentially compromise the ProFTPD process and execute arbitrary code with the privileges of the FTP daemon, which is normally the root user.

Problem Packages
===================
- ------------------------------------------------------------------
Package | Repo    | Group   | Unsafe     | Safe        |
- ------------------------------------------------------------------
proftpd | current | daemons | < 1.3.1rc1 | >= 1.3.1rc1 |

Package Fix
===================
Upgrade to proftpd 1.3.1rc1. Recently (12 January) they have released proftpd 1.3.1rc2. I know that is an rc (release candidate), but the CVE is clear: <<Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value>>.

If you don't want to upgrade the package, there is a workaround: disable mod_ctrls, or ensure only trusted users can access this feature.

Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6563

Contact
===================
JJDaNiMoTh (jjdanimoth AT gmail DOT com)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF0y6AcJj0HNhER0MRArdnAJ9XOwU2muJkMCVXELyGeIJShwQMOACfTQPz
aFFMwHcgkv+eQxhX4/lmwWQ=
=yHNM
-----END PGP SIGNATURE-----

_______________________________________________
arch mailing list
[email protected]
http://www.archlinux.org/mailman/listinfo/arch
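The CVE text quoted above describes the bug class: a length field (reqarglen) taken from the request is used to copy data into a fixed-size stack buffer without first being bounded. The following C code is an added example written for this page; it is not ProFTPD's code and not the fixed ctrls.c. It shows a hypothetical, simplified control-request parser that applies the two bounds a defender wants before any copy: the claimed length must fit the destination buffer, and it must not exceed the bytes actually received. The wire format (a 4-byte little-endian length followed by the argument bytes), the CTRL_MAX_ARG limit, and the function names ctrl_parse_request / ctrl_build_message / ctrl_demo_* are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not ProFTPD code. Hypothetical simplified wire format:
 * a 4-byte little-endian length field (reqarglen) followed by that many
 * bytes of argument data. CTRL_MAX_ARG is an assumed destination limit. */
#define CTRL_MAX_ARG 512
#define CTRL_HDR_LEN 4

typedef struct {
    char   arg[CTRL_MAX_ARG];   /* fixed-size destination buffer */
    size_t arglen;
} ctrl_request_t;

/* Parse one request out of buf. Returns 0 on success, -1 on rejection.
 * The length field is untrusted input: it is checked against both the
 * destination size and the bytes actually received before any memcpy. */
int ctrl_parse_request(const uint8_t *buf, size_t buflen, ctrl_request_t *out)
{
    if (buf == NULL || out == NULL || buflen < CTRL_HDR_LEN)
        return -1;

    uint32_t reqarglen = (uint32_t)buf[0]
                       | ((uint32_t)buf[1] << 8)
                       | ((uint32_t)buf[2] << 16)
                       | ((uint32_t)buf[3] << 24);

    /* Bound 1: must fit the destination, leaving room for a terminating NUL. */
    if (reqarglen >= CTRL_MAX_ARG)
        return -1;
    /* Bound 2: must not exceed what the peer actually sent (buflen >= 4 here,
     * so the subtraction cannot underflow). */
    if (reqarglen > buflen - CTRL_HDR_LEN)
        return -1;

    memcpy(out->arg, buf + CTRL_HDR_LEN, reqarglen);
    out->arg[reqarglen] = '\0';
    out->arglen = reqarglen;
    return 0;
}

/* Build a message with an arbitrary length field so the checks can be
 * exercised against constructed input. Returns bytes written, 0 on error. */
size_t ctrl_build_message(uint8_t *dst, size_t dstlen, uint32_t reqarglen,
                          const char *payload, size_t payloadlen)
{
    if (dst == NULL || dstlen < CTRL_HDR_LEN + payloadlen)
        return 0;
    dst[0] = (uint8_t)(reqarglen & 0xff);
    dst[1] = (uint8_t)((reqarglen >> 8) & 0xff);
    dst[2] = (uint8_t)((reqarglen >> 16) & 0xff);
    dst[3] = (uint8_t)((reqarglen >> 24) & 0xff);
    memcpy(dst + CTRL_HDR_LEN, payload, payloadlen);
    return CTRL_HDR_LEN + payloadlen;
}

/* Constructed sample: well-formed request, length matches payload.
 * Returns 1 when the parser accepts it and the copied argument is intact. */
int ctrl_demo_valid(void)
{
    uint8_t msg[64];
    ctrl_request_t req;
    memset(&req, 0, sizeof req);
    size_t n = ctrl_build_message(msg, sizeof msg, 5, "hello", 5);
    if (ctrl_parse_request(msg, n, &req) != 0)
        return 0;
    return (req.arglen == 5 && strcmp(req.arg, "hello") == 0) ? 1 : 0;
}

/* Constructed sample: length field claims far more than the destination can
 * hold (the oversized-reqarglen case). Returns the parser's result (-1). */
int ctrl_demo_oversized(void)
{
    uint8_t msg[64];
    ctrl_request_t req;
    size_t n = ctrl_build_message(msg, sizeof msg, 0xFFFFFFFFu, "hello", 5);
    return ctrl_parse_request(msg, n, &req);
}

/* Constructed sample: length within the destination limit but larger than
 * the bytes received (a truncated message). Returns the parser's result (-1). */
int ctrl_demo_truncated(void)
{
    uint8_t msg[64];
    ctrl_request_t req;
    size_t n = ctrl_build_message(msg, sizeof msg, 100, "hello", 5);
    return ctrl_parse_request(msg, n, &req);
}
```

The pattern generalises beyond this advisory: any length-prefixed field copied into a fixed buffer needs both checks, and they must run before the copy. Checking only against the destination size still lets a truncated message read past the received bytes; checking only against the received length still lets an oversized field overrun the buffer.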
