On Wednesday, 14 February 2007, JJDaNiMoTh wrote:
> ------------------------------------------------------------
> Arch Linux Security Warning        ALSW 2007-#7
> ------------------------------------------------------------
>
> Name:      proftpd
> Date:      2007-02-14
> Severity:  High
> Warning #: 2007-#7
>
> ------------------------------------------------------------
>
> Product Background
> ===================
>
> ProFTPD is a powerful, configurable, and free FTP daemon.
>
> Problem Background
> ===================
>
> A flaw exists in the mod_ctrls module of ProFTPD, normally used to
> allow FTP server administrators to configure the daemon at runtime.
>
> Impact
> ======
>
> An FTP server administrator permitted to interact with mod_ctrls could
> potentially compromise the ProFTPD process and execute arbitrary code
> with the privileges of the FTP Daemon, which is normally the root user.
>
> Problem Packages
> ===================
> ------------------------------------------------------------------
> Package       |   Repo    |   Group    |   Unsafe   |    Safe    |
> ------------------------------------------------------------------
> proftpd       |  current  |  daemons   | < 1.3.1rc1 | >= 1.3.1rc1|
>
> Package Fix
> ===================
> Upgrade to proftpd 1.3.1rc1. Recently (12 January) they have
> released proftpd 1.3.1rc2. I know that is an rc (release candidate),
> but the CVE is clear: <<Stack-based buffer overflow in the
> pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in
> ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code
> via a large reqarglen length value>>.
> If you don't want to upgrade the package, there is a workaround: disable
> mod_ctrls, or ensure only trusted users can access this feature.
>
> Reference(s)
> ===================
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6563
>
> Contact
> ===================
> JJDaNiMoTh (jjdanimoth AT gmail DOT com)
>
>
> _______________________________________________
> arch mailing list
> [email protected]
> http://www.archlinux.org/mailman/listinfo/arch

fixed, updated to 1.3.1rc2

-- 
Tobias Powalowski
Archlinux Developer & Package Maintainer (tpowa)
http://www.archlinux.org

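The advisory quoted above describes the bug class behind CVE-2006-6563: a client-supplied length (reqarglen) sizing a copy into a fixed stack buffer. The following C program is an added illustration of that class and its fix, not ProFTPD's code and not the real mod_ctrls wire protocol: the 4-byte big-endian length prefix, the REQARG_MAX buffer size, and all function names are assumptions chosen for the example. It shows the unchecked shape next to a hardened parser that bounds the length by both the bytes actually received and the destination size, exercised on three constructed messages.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format for this illustration (not ProFTPD's real mod_ctrls
 * protocol): a 4-byte big-endian reqarglen, then reqarglen bytes of argument. */
#define REQARG_MAX 64

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Shape of the defect: the client-supplied length sizes a copy into a fixed
 * stack buffer with no bound check. Kept only for comparison with the
 * hardened form below; never feed it untrusted data. */
int parse_request_unchecked(const unsigned char *msg, size_t msglen)
{
    char reqarg[REQARG_MAX];
    if (msglen < 4)
        return -1;
    uint32_t reqarglen = read_be32(msg);
    memcpy(reqarg, msg + 4, reqarglen); /* writes past reqarg when reqarglen > REQARG_MAX */
    return (int)reqarglen;
}

/* Hardened form: bound reqarglen by the bytes actually received and by the
 * destination (leaving room for the NUL), then copy. Returns 0 on success,
 * -1 malformed header, -2 length exceeds received data, -3 too long for dest. */
int parse_request_checked(const unsigned char *msg, size_t msglen,
                          char *out, size_t outsz, size_t *consumed)
{
    if (msglen < 4 || outsz == 0)
        return -1;
    uint32_t reqarglen = read_be32(msg);
    if (reqarglen > msglen - 4)
        return -2;
    if (reqarglen >= outsz)
        return -3;
    memcpy(out, msg + 4, reqarglen);
    out[reqarglen] = '\0';
    if (consumed)
        *consumed = 4 + (size_t)reqarglen;
    return 0;
}

/* Builds a constructed request with an arbitrary claimed length so the
 * parser can be exercised with mismatched headers. Returns bytes written. */
size_t build_request(unsigned char *buf, size_t bufsz, uint32_t claimed_len,
                     const unsigned char *payload, size_t payloadlen)
{
    if (bufsz < 4 + payloadlen)
        return 0;
    buf[0] = (unsigned char)(claimed_len >> 24);
    buf[1] = (unsigned char)(claimed_len >> 16);
    buf[2] = (unsigned char)(claimed_len >> 8);
    buf[3] = (unsigned char)claimed_len;
    memcpy(buf + 4, payload, payloadlen);
    return 4 + payloadlen;
}

/* Three constructed inputs: a well-formed request, a header that claims far
 * more than was sent, and a consistent request too long for the destination. */
int demo_wellformed(void)
{
    unsigned char msg[32];
    char out[REQARG_MAX];
    size_t used = 0;
    size_t n = build_request(msg, sizeof msg, 5, (const unsigned char *)"hello", 5);
    int rc = parse_request_checked(msg, n, out, sizeof out, &used);
    return rc == 0 && used == 9 && strcmp(out, "hello") == 0;
}

int demo_oversize_claim(void)
{
    unsigned char msg[32];
    char out[REQARG_MAX];
    size_t n = build_request(msg, sizeof msg, 0xFFFFFFFFu, (const unsigned char *)"hello", 5);
    return parse_request_checked(msg, n, out, sizeof out, NULL);
}

int demo_too_long_for_dest(void)
{
    unsigned char payload[100];
    unsigned char msg[128];
    char out[REQARG_MAX];
    memset(payload, 'A', sizeof payload);
    size_t n = build_request(msg, sizeof msg, 100, payload, sizeof payload);
    return parse_request_checked(msg, n, out, sizeof out, NULL);
}

int main(void)
{
    printf("well-formed ok: %d\n", demo_wellformed());        /* 1 */
    printf("oversize claim rc: %d\n", demo_oversize_claim()); /* -2 */
    printf("too long for dest rc: %d\n", demo_too_long_for_dest()); /* -3 */
    return 0;
}
```

The two rejections matter for different reasons: the second check (against the received byte count) stops the parser from reading past the message, and the third (against the destination) is the one whose absence turns a large reqarglen into a stack write, which is the condition the advisory's workaround of restricting mod_ctrls to trusted users is meant to contain until the upgrade.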
