[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-07 Thread Tyler Hicks
** Changed in: proftpd-dfsg (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1462311 Title: proftpd mod_copy issue (CVE-2015-3306) To manage

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-07 Thread Launchpad Bug Tracker
This bug was fixed in the package proftpd-dfsg - 1.3.4a-1ubuntu0.1

---
proftpd-dfsg (1.3.4a-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: The mod_copy module in ProFTPD 1.3.4a allows remote attackers to read and write to arbitrary files via the site cpfr and

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-07 Thread Launchpad Bug Tracker
This bug was fixed in the package proftpd-dfsg - 1.3.5~rc3-2.1ubuntu2.1

---
proftpd-dfsg (1.3.5~rc3-2.1ubuntu2.1) trusty-security; urgency=low

  * SECURITY UPDATE: The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-07 Thread Tyler Hicks
** Changed in: proftpd-dfsg (Ubuntu Precise) Status: In Progress => Confirmed
** Changed in: proftpd-dfsg (Ubuntu Trusty) Status: In Progress => Confirmed
** Changed in: proftpd-dfsg (Ubuntu Precise) Assignee: Tyler Hicks (tyhicks) => (unassigned)
** Changed in: proftpd-dfsg

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-07 Thread Tyler Hicks
Hi Brian - Thanks for the debdiffs and your work to improve the security of Ubuntu. :)

During my review of the debdiffs, I noticed a few minor issues:

1) I had to run the debdiffs through dos2unix to make the patch utility happy
2) I had to add a single newline to the end of the debdiffs to make

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-07 Thread Tyler Hicks
** Also affects: proftpd-dfsg (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: proftpd-dfsg (Ubuntu Precise) Importance: Undecided Status: New
** Changed in: proftpd-dfsg (Ubuntu Precise) Status: New => In Progress
** Changed in: proftpd-dfsg (Ubuntu

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-05 Thread Mathew Hodson
** Changed in: proftpd-dfsg (Ubuntu) Importance: Undecided => Medium
** Tags removed: cve-2015-3306
** Tags added: precise trusty

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-04 Thread Brian Morton
Adding reworked patch for trusty that fixes an API issue with returning the error code/message and is more minimal and appropriate for a backported fix. ** Patch removed: "Debdiff of upstream patch for precise"

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-04 Thread Brian Morton
Adding reworked patch for precise that fixes an API issue with returning the error code/message and is more minimal and appropriate for a backported fix. ** Patch added: "Debdiff of upstream patch for precise"

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-03 Thread Ubuntu Foundations Team Bug Bot
The attachment "Upstream patch applied for trusty" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-03 Thread Brian Morton
Attaching debdiff of upstream patch for precise. Tested in same manner as trusty. ** Patch added: "Debdiff of upstream patch for precise" https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311/+attachment/4787127/+files/proftpd-dfsg_1.3.4a-2.debdiff

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-12-03 Thread Brian Morton
Attaching debdiff of upstream patch for trusty package. Precise is also vulnerable, so I will mark that as well while I work on that next. My primary test before/after patch:

220 ProFTPD 1.3.5rc3 Server (Debian) [:::10.129.53.2]
USER bmorton
331 Password required for bmorton
PASS ***
230

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-05-20 Thread TomaszChmielewski
I think backporting a package from 16.04 should be enough?

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-05-02 Thread Seth Arnold
Tomasz, are you able to provide updates? See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation for some information on preparing updates. Thanks

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-05-02 Thread cd311
** Changed in: proftpd-dfsg (Ubuntu) Status: Incomplete => Confirmed

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-05-01 Thread TomaszChmielewski
Any update on these? I'm seeing Ubuntu 14.04 servers hacked regularly because of this vulnerability. Upstream released the fix a year ago or so already!

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2016-04-21 Thread Mingye Wang
** Description changed: The CVE-2015-3306 problem is around for some time now and is not fixed in 12.04 and 14.04 LTS versions. http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3306.html I also tested it with telnet. I can copy files without any authentication if

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-12-17 Thread RedShift
Need help on this one?

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-12-14 Thread Seth Arnold
Anton, are you able to provide updates? See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation for some information on preparing updates. Thanks

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-12-14 Thread Anton Statutov
This has not been fixed in 14.04 LTS. Came here after discovering hacking attempts. Sadly.

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-09-08 Thread BlueT - Matthew Lien - 練喆明
Has this been released to 14.04 LTS?

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-07-09 Thread Roman Plessl
** Bug watch added: ProFTPD Bugzilla #4169 http://bugs.proftpd.org/show_bug.cgi?id=4169
** Also affects: proftpd-dfsg via http://bugs.proftpd.org/show_bug.cgi?id=4169 Importance: Unknown Status: Unknown
** No longer affects: proftpd-dfsg
** Also affects: proftpd-dfsg via

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-07-09 Thread Bug Watch Updater
** Changed in: proftpd-dfsg Status: Unknown => Fix Released
** Changed in: proftpd-dfsg Importance: Unknown => Critical

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-06-30 Thread Tyler Hicks
Hi ft - unfortunately, there are no usable debdiffs in the tar file that you uploaded. Instructions on the security update packaging process can be found here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-06-08 Thread ft
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3306

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-06-08 Thread ft
This is a little bit high for me. I downloaded the debian/ubuntu packages and created debdiffs (debdiff debian ubuntu). I hope this helps somehow. The packages and the diffs are in the attachment. ** Attachment added: proftpd-basic_debdiff.tar.gz

[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

2015-06-05 Thread Tyler Hicks
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is