Source: proftpd-dfsg
Version: 1.3.5b-3
Severity: important
Tags: upstream patch security
Forwarded: http://bugs.proftpd.org/show_bug.cgi?id=4295
Control: found -1 1.3.5-1

Hi,

the following vulnerability was published for proftpd-dfsg.

CVE-2017-7418[0]:
| ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the
| home directory of a user could contain a symbolic link through the
| AllowChrootSymlinks configuration option, but checks only the last path
| component when enforcing AllowChrootSymlinks. Attackers with local
| access could bypass the AllowChrootSymlinks control by replacing a path
| component (other than the last one) with a symbolic link. The threat
| model includes an attacker who is not granted full filesystem access by
| a hosting provider, but can reconfigure the home directory of an FTP
| user.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7418
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418
[1] http://bugs.proftpd.org/show_bug.cgi?id=4295

Regards,
Salvatore
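The bypass described in the CVE text above comes down to the shape of the check: a single lstat() on the full home path only reports whether the last component is a symlink, so a link planted in an earlier component ("<tmp>/link/home" where "link -> real") passes. The following is an added illustration, not ProFTPD's code and not the upstream fix for bug 4295: it puts the last-component-only check next to a per-component walk, and builds a constructed directory layout under mkdtemp() in the current directory so that it runs stand-alone. All function names (last_component_is_symlink, any_component_is_symlink, build_layout, remove_layout, run_checks, bypass_demonstrated) are assumed names for this example.

```c
/* Added example (not ProFTPD code): last-component-only symlink check
 * versus a per-component walk, run against a constructed layout. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAXP 4096

/* Flawed shape: one lstat() of the whole path only inspects the final
 * component. Returns 1 if it is a symlink, 0 if not, -1 on error. */
int last_component_is_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Hardened shape: lstat() every prefix of the path. Prefixes are cut just
 * before each '/', so none ends in a slash (a trailing slash would make
 * lstat() follow the link instead of inspecting it). Returns 1/0/-1. */
int any_component_is_symlink(const char *path)
{
    char buf[MAXP];
    size_t len = strlen(path);
    struct stat st;

    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, path, len + 1);

    for (size_t i = 1; i <= len; i++) {
        if (buf[i] != '/' && buf[i] != '\0')
            continue;
        if (buf[i - 1] == '/')          /* empty component: "a//b", "a/" */
            continue;
        char saved = buf[i];
        buf[i] = '\0';
        if (lstat(buf, &st) != 0)
            return -1;
        if (S_ISLNK(st.st_mode))
            return 1;
        buf[i] = saved;
    }
    return 0;
}

/* Constructed layout (assumption for this example) under a fresh
 * mkdtemp() directory in the cwd:
 *   <tmp>/real/home     the directory the provider intended as home
 *   <tmp>/link -> real  a symlink in a middle path component
 * sym_path gets "<tmp>/link/home", real_path gets "<tmp>/real/home". */
int build_layout(char *tmpdir, size_t n, char *sym_path, char *real_path)
{
    char tmpl[] = "./chrootsym.XXXXXX";
    char p[MAXP];
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(tmpdir, n, "%s", tmpl);
    snprintf(p, sizeof p, "%s/real", tmpl);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/real/home", tmpl);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/link", tmpl);
    if (symlink("real", p) != 0) return -1;
    snprintf(sym_path, n, "%s/link/home", tmpl);
    snprintf(real_path, n, "%s/real/home", tmpl);
    return 0;
}

/* Tear the constructed layout down again. */
int remove_layout(const char *tmpdir)
{
    char p[MAXP];
    int rc = 0;
    snprintf(p, sizeof p, "%s/link", tmpdir);      rc |= unlink(p);
    snprintf(p, sizeof p, "%s/real/home", tmpdir); rc |= rmdir(p);
    snprintf(p, sizeof p, "%s/real", tmpdir);      rc |= rmdir(p);
    rc |= rmdir(tmpdir);
    return rc ? -1 : 0;
}

/* out[0] = last-only(sym), out[1] = per-component(sym),
 * out[2] = last-only(real), out[3] = per-component(real). */
int run_checks(int out[4])
{
    char tmpdir[MAXP], sym[MAXP], real[MAXP];
    if (build_layout(tmpdir, sizeof tmpdir, sym, real) != 0)
        return -1;
    out[0] = last_component_is_symlink(sym);
    out[1] = any_component_is_symlink(sym);
    out[2] = last_component_is_symlink(real);
    out[3] = any_component_is_symlink(real);
    return remove_layout(tmpdir);
}

/* 1 if the flawed check accepts the symlinked path while the per-component
 * walk rejects it and both accept the real path; 0 otherwise; -1 on error. */
int bypass_demonstrated(void)
{
    int r[4];
    if (run_checks(r) != 0)
        return -1;
    return (r[0] == 0 && r[1] == 1 && r[2] == 0 && r[3] == 0) ? 1 : 0;
}

int main(void)
{
    int r[4];
    if (run_checks(r) != 0) { perror("run_checks"); return 1; }
    printf("<tmp>/link/home  last-only=%d per-component=%d\n", r[0], r[1]);
    printf("<tmp>/real/home  last-only=%d per-component=%d\n", r[2], r[3]);
    return 0;
}
```

The per-component walk is what the "checks only the last path component" wording in the advisory asks for; note that it only inspects the path as given, so a real implementation still has to decide where the walk starts (the filesystem root, or a prefix the administrator controls) and what to do when lstat() fails partway, which this example reports as an error rather than silently allowing.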