—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Liebe Kolleginnen und Kollegen,
soeben erreichte uns nachfolgendes Fedora Security Advisory. Wir geben
diese Informationen unveraendert an Sie weiter.
CVE-2009-0542 – Schwachstellen in der Datenbankunterstuetzung durch
ProFTPD
Der Code zur Verwendung einer Datenbank in ProFTPD enthaelt eine
Schwachstelle bei der Ausnahmebehandlung von Sonderzeichen. Gibt ein
Angreifer einen Benutzernamen mit einem bestimmten Sonderzeichen an,
so wird daraus bei der Ausnahmebehandlung ein String-Delimiter
generiert, und alle nachfolgenden Zeichen werden als SQL-Statement
interpretiert. Ein Angreifer kann diese Schwachstelle fuer
SQL-Injection Angriffe ausnutzen.
Betroffen sind die folgenden Software Pakete und Plattformen:
Paket proftpd
Fedora 10
Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.
Hersteller Advisory:
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00775.html
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.
Mit freundlichen Gruessen,
Detlev O. Matthies
– —
Detlev O. Matthies, M.Sc. (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatische Warnmeldungen https://www.cert.dfn.de/autowarn
– ——————————————————————————–
Fedora Update Notification
FEDORA-2009-9386
2009-09-09 00:45:39
– ——————————————————————————–
Name : proftpd
Product : Fedora 10
Version : 1.3.2a
Release : 5.fc10
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple ‘virtual’ FTP servers, anonymous FTP, and permission-based directory
visibility.
This package defaults to the standalone behaviour of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.
– ——————————————————————————–
Update Information:
This update has a large number of changes from previous Fedora packages; the
highlights are as follows: – Update to upstream release 1.3.2a – Fix SQL
injection vulnerability at login (#485125, CVE-2009-0542) – Fix SELinux
compatibility (#498375) – Fix audit logging (#506735) – Fix default
configuration (#509251) – Many new loadable modules including mod_ctrls_admin
and mod_wrap2 – National Language Support (RFC 2640) – Enable/disable common
features in /etc/sysconfig/proftpd
– ——————————————————————————–
ChangeLog:
* Mon Sep 7 2009 Paul Howarth
– – Add upstream patch for MLSD with dirnames containing glob chars (#521634)
* Wed Sep 2 2009 Paul Howarth
– – New DSO module: mod_exec (#520214)
* Fri Aug 21 2009 Tomas Mraz
– – Rebuilt with new openssl
* Wed Aug 19 2009 Paul Howarth
– – Use mod_vroot to work around PAM/chroot issues (#477120, #506735)
* Fri Jul 31 2009 Paul Howarth
– – Add upstream patch to fix parallel build (http://bugs.proftpd.org/3189)
* Mon Jul 27 2009 Paul Howarth
– – Update to 1.3.2a
– – Add patch to reinstate support for -DPARAMETER (http://bugs.proftpd.org/3221)
– – Retain CAP_AUDIT_WRITE, needed for pam_loginuid (#506735, fixed upstream)
– – Remove ScoreboardFile directive from configuration file – default value
works better with SELinux (#498375)
– – Ship mod_quotatab_sql.so in the main package rather than the SQL backend
subpackages
– – New DSO modules:
– mod_ctrls_admin
– mod_facl
– mod_load
– mod_quotatab_radius
– mod_radius
– mod_ratio
– mod_rewrite
– mod_site_misc
– mod_wrap2
– mod_wrap2_file
– mod_wrap2_sql
– – Enable mod_lang/nls support for RFC 2640 (and buildreq gettext)
– – Add /etc/sysconfig/proftpd to set PROFTPD_OPTIONS and update initscript to
use this value so we can use a define to enable (e.g.) anonymous FTP support
rather than having a huge commented-out section in the config file
– – Rewrite config file to remove most settings that don’t change upstream
defaults, and add brief descriptions for all available loadable modules
– – Move Umask and IdentLookups settings from server config to
so that they apply to all servers, including virtual hosts (#509251)
– – Ensure mod_ifsession is always the last one specified, which makes sure that
mod_ifsession’s changes are seen properly by other modules
– – Drop pam version requirement – all targets have sufficiently recent version
– – Drop redundant explicit dependency on pam
– – Subpackages don’t need to own %{_libexecdir}/proftpd directory
– – Drop redundant krb5-devel buildreq
– – Make SRPM back-compatible with EPEL-4 (TLS cert dirs, PAM config)
– – Don’t include README files for non-Linux platforms
– – Recode ChangeLog as UTF-8
– – Don’t ship the prxs tool for building custom DSO’s since we don’t ship the
headers either
– – Prevent stripping of binaries in a slightly more robust way
– – Fix release tag to be ready for future beta/rc versions
– – Define RPM macros in global scope
– – BuildRequire libcap-devel so that we use the system library rather than the
bundled one, and eliminate log messages like:
kernel: warning: `proftpd’ uses 32-bit capabilities (legacy support in use)
* Sun Jul 26 2009 Fedora Release Engineering
– – Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Thu Apr 9 2009 Matthias Saou http://freshrpms.net/ 1.3.2-2.1
– – Update the tcp_wrappers BR to be just /usr/include/tcpd.h instead.
* Thu Apr 9 2009 Matthias Saou http://freshrpms.net/ 1.3.2-2
– – Fix tcp_wrappers-devel BR conditional.
* Mon Apr 6 2009 Matthias Saou http://freshrpms.net/ 1.3.2-1
– – Update to 1.3.2.
– – Include mod_wrap (#479813).
– – Tried to include mod_wrap2* modules but build failed.
* Thu Feb 26 2009 Fedora Release Engineering
– – Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Sat Jan 24 2009 Caolán McNamara 1.3.2-0.3.rc3
– – Rebuild for dependencies
* Fri Jan 2 2009 Matthias Saou http://freshrpms.net/ 1.3.2-0.2.rc3
– – Update default configuration to have a lit of available modules and more
example configuration for them.
* Mon Dec 22 2008 Matthias Saou http://freshrpms.net/ 1.3.2-0.1.rc3
– – Update to 1.3.2rc3 (fixes security issue #464127)
– – Exclude new pkgconfig file, as we already exclude header files (if someone
ever needs to rebuild something against this proftpd, just ask and I’ll split
out a devel package… but it seems pretty useless currently).
– – Remove no longer needed find-umode_t patch.
– ——————————————————————————–
References:
[ 1 ] Bug #485125 – CVE-2009-0542 proftpd: SQL injection during login
https://bugzilla.redhat.com/show_bug.cgi?id=485125
– ——————————————————————————–
This update can be installed with the “yum” update program. Use
su -c ‘yum update proftpd’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
– ——————————————————————————–
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFKu3Etk0kIxZMiiQ8RAtojAJ9iBqRs9/nbe5qgx5GypYw6rCoavgCfTNGO
t+MMXXnFxLmqyyDb6QqnsTM=
=1CRg
—–END PGP SIGNATURE—–
