OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   25-Sep-2003 09:50:56
  Branch: HEAD                             Handle: 2003092508505500

  Modified files:
    openpkg-web/security    00README OpenPKG-SA-2003.043-proftpd.txt

  Log:
    final polishing and signing of ProFTPD SA

  Summary:
    Revision    Changes     Path
    1.13        +3  -4      openpkg-web/security/00README
    1.2         +35 -32     openpkg-web/security/OpenPKG-SA-2003.043-proftpd.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/00README
  ============================================================================
  $ cvs diff -u -r1.12 -r1.13 00README
  --- openpkg-web/security/00README     24 Sep 2003 11:28:49 -0000      1.12
  +++ openpkg-web/security/00README     25 Sep 2003 07:50:55 -0000      1.13
  @@ -3,8 +3,7 @@
   $ mv OpenPKG-SA-2003.00x-xxx.txt.asc OpenPKG-SA-2003.00x-xxx.txt
   $ gpg --verify OpenPKG-SA-2003.00x-xxx.txt
   $ mutt [EMAIL PROTECTED]
  -  Subject: [OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh)
  -  Approved: OPENPKG
  -$ mutt [EMAIL PROTECTED]
  -$ mutt [EMAIL PROTECTED]
  +  mutt [EMAIL PROTECTED]
  +  mutt [EMAIL PROTECTED]
  +  Subject: [OpenPKG-SA-2003.043] OpenPKG Security Advisory (proftpd)
   
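Review bot: the `Approved: OPENPKG` line is removed from the mailing checklist in this hunk while the two extra recipients are folded into indented `mutt ...` continuation lines; if the announcement lists still rely on an `Approved:` header for moderation, the next advisory mail sent from this template will be held, so confirm the deletion is intended and not a casualty of the re-indentation. Style: the new `mutt [EMAIL PROTECTED]` lines are indented like the `Subject:` header field but are shell commands, so either keep the `$ ` prompt as on the line above or indent them differently from `Subject:` so the two kinds of lines are not confused.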
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.043-proftpd.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.043-proftpd.txt
  --- openpkg-web/security/OpenPKG-SA-2003.043-proftpd.txt      24 Sep 2003 08:09:35 -0000      1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.043-proftpd.txt      25 Sep 2003 07:50:55 -0000      1.2
  @@ -1,9 +1,12 @@
  +-----BEGIN PGP SIGNED MESSAGE-----
  +Hash: SHA1
  +
   ________________________________________________________________________
   
   OpenPKG Security Advisory                            The OpenPKG Project
   http://www.openpkg.org/security.html              http://www.openpkg.org
   [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  -OpenPKG-SA-2003.043                                          24-Sep-2003
  +OpenPKG-SA-2003.043                                          25-Sep-2003
   ________________________________________________________________________
   
   Package:             proftpd
  @@ -18,37 +21,33 @@
   Dependent Packages:  none
   
   Description:
  -  According to a ISS X-Force security advisory [0] a vulnerability
  -  exists in the ProFTPD server [1]. It can be triggered by remote
  -  attackers when transferring files from the FTP server in ASCII mode.
  -  The attacker must have the ability to upload a file to the server, and
  -  then attempt to download the same file to trigger the vulnerability.
  -  During ASCII transfer, file data is examined in 1024 byte chunks
  -  to check for newline characters. The translation of these newline
  -  characters is not handled correctly, and a buffer overflow can
  -  manifest if ProFTPD parses a specially crafted file.
  -
  -  Note that the OpenPKG 20030923 version of the proftpd package contains
  -  the vendor version 1.2.9rc2p, also the trailing 'p' was omitted from
  -  the package filename.
  -
  -  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  -  CAN-FIXME [2] to the problem.
  -
  -  Please check whether you are affected by running "<prefix>/bin/rpm
  -  -q proftpd". If you have the "proftpd" package installed and its version
  -  is affected (see above), we recommend that you immediately upgrade
  -  it (see Solution) and it's dependent packages (see above), if any,
  -  too. [3][4]
  +  According to an ISS X-Force security advisory [0], a vulnerability
  +  exists in the ProFTPD FTP server [1], versions between 1.2.7 and
  +  1.2.9rc2 (both inclusive). It can be triggered by remote attackers
  +  when transferring files from the FTP server in ASCII mode.
  +
  +  To trigger the vulnerability, the attacker must have the ability to
  +  first upload a file to the server (not necessarily via FTP), and then
  +  attempt to download the same file via FTP. During ASCII transfer, file
  +  data is examined in 1024 byte chunks to check for newline characters.
  +  The translation of these newline characters is not handled correctly,
  +  and a buffer overflow can manifest if ProFTPD parses a specially
  +  crafted file. The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2003-0831 [2] to the problem.
  +
  +  Please check whether you are affected by running "<prefix>/bin/rpm -q
  +  proftpd". If you have the "proftpd" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade it
  +  (see Solution). [3][4]
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
     [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
     location, verify its integrity [9], build a corresponding binary RPM
  -  from it [3] and update your OpenPKG installation by applying the binary
  -  RPM [4]. For the current release OpenPKG 1.3, perform the following
  -  operations to permanently fix the security problem (for other releases
  -  adjust accordingly).
  +  from it [3] and update your OpenPKG installation by applying the
  +  binary RPM [4]. For the current release OpenPKG 1.3, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
   
     $ ftp ftp.openpkg.org
     ftp> bin
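Review bot: the paragraph stating that the OpenPKG 20030923 proftpd package actually contains vendor version 1.2.9rc2p (with the trailing 'p' omitted from the package filename) is dropped entirely, while the new text declares every version from 1.2.7 to 1.2.9rc2 inclusive as affected; a reader of the 20030923 snapshot who runs `<prefix>/bin/rpm -q proftpd` will see "1.2.9rc2", match it against the new range and conclude they are vulnerable although the package is the patched 'p' release. Keep one sentence to that effect, e.g. "Note that the proftpd package in OpenPKG 20030923 is labelled 1.2.9rc2 but contains vendor version 1.2.9rc2p." Filling `CAN-FIXME` with CAN-2003-0831 and the "not necessarily via FTP" qualifier on the upload step are clear improvements; minor style: "1024 byte chunks" should be hyphenated as "1024-byte chunks" and "the id" reads better as "the ID".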
  @@ -59,15 +58,12 @@
     $ <prefix>/bin/rpm --rebuild proftpd-1.2.8-1.3.1.src.rpm
     $ su -
     # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/proftpd-1.2.8-1.3.1.*.rpm
  -
  -  Additionally, we recommend that you rebuild and reinstall
  -  all dependent packages (see above), if any, too. [3][4]
   ________________________________________________________________________
   
   References:
     [0] http://xforce.iss.net/xforce/alerts/id/154
  -  [1] http://www.proftpd.net/
  -  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-FIXME
  +  [1] http://www.proftpd.org/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0831
     [3] http://www.openpkg.org/tutorial.html#regular-source
     [4] http://www.openpkg.org/tutorial.html#regular-binary
     [5] ftp://ftp.openpkg.org/release/1.2/UPD/proftpd-1.2.7-1.2.1.src.rpm
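Review bot: the update RPMs referenced here carry vendor versions that sit inside the affected range the description now states (1.2.7 to 1.2.9rc2 inclusive): `[5] .../release/1.2/UPD/proftpd-1.2.7-1.2.1.src.rpm` and, in the Solution above, `proftpd-1.2.8-1.3.1.src.rpm`. Since the advisory tells readers to compare the output of `rpm -q proftpd` against the affected versions, say explicitly that the fix is carried as a patch on the existing vendor version and that the OpenPKG release number (1.2.1, 1.3.1) is what distinguishes fixed from vulnerable packages, otherwise an updated system still appears affected by the description's own criterion. Dropping the "rebuild and reinstall all dependent packages" paragraph is consistent with `Dependent Packages: none` in the header, and the `[1]`/`[2]` reference fixes (proftpd.org, CAN-2003-0831) match the changes in the description.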
  @@ -84,3 +80,10 @@
   for details on how to verify the integrity of this advisory.
   ________________________________________________________________________
   
  +-----BEGIN PGP SIGNATURE-----
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQE/cp2RgHWT4GPEy58RAkMpAJ44rts7A+xnFwvAYfaeOw7A/RlP7ACg41l0
  +HI21gWgPtilljTqbNfadgAw=
  +=HdGn
  +-----END PGP SIGNATURE-----
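Review bot: the clearsign signature is committed inline with the advisory text, so any later edit to the file, including a date bump like the one in the first hunk of this file, invalidates it; the 00README workflow renames the `.asc` output over the `.txt` and then runs `gpg --verify`, which is the right order, but make sure the verify step is run on the committed copy rather than the local one before mailing, since a whitespace or line-ending change introduced by the editor or CVS keyword handling would also break the signature.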
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
