[Fedora] Vulnerability in ProFTPD - FEDORA-2011-15765

Dear colleagues,

we have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.

CVE-2011-4130 - Vulnerability in ProFTPD

The FTP daemon ProFTPD uses a response pool whose allocated memory is
freed under certain conditions and is nevertheless still accessed
afterwards (use-after-free). A remote attacker can exploit this with a
crafted request to corrupt memory and possibly execute arbitrary
commands with the privileges of the ProFTPD service.

The following software packages and platforms are affected:

Package proftpd

Fedora 14
Fedora 15
Fedora 16

The vendor provides updated packages.

(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including in part, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
Timo Schulz

--
Timo Schulz, M.Sc. (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages: https://www.cert.dfn.de/autowarn

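--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15765
2011-11-11 00:55:13
--------------------------------------------------------------------------------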

Name : proftpd
Product : Fedora 16
Version : 1.3.4
Release : 1.fc16
URL : http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple ‘virtual’ FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream stable release, includes a pair of security fixes:

* Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (upstream bug 3704); to disable this countermeasure, which may cause interoperability issues with some clients, use the NoEmptyFragments TLSOption
* Response pool use-after-free memory corruption error (upstream bug 3711, #752812, ZDI-CAN-1420, CVE-2011-4130), in which a remote attacker could provide a specially-crafted request (resulting in a need for the server to handle an exceptional condition), leading to memory corruption and potentially arbitrary code execution, with the privileges of the user running the proftpd server

--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 10 2011 Paul Howarth 1.3.4-1
- Update to 1.3.4, addressing the following bugs since 1.3.4rc3:
  - ProFTPD with mod_sql_mysql dies of “Alarm clock” on FreeBSD (bug 3702)
  - mod_sql_mysql.so: undefined symbol: make_scrambled_password with MySQL 5.5
    on Fedora (bug 3669)
  - PQescapeStringConn() needs a better check (bug 3192)
  - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (bug 3704);
    to disable this countermeasure, which may cause interoperability issues
    with some clients, use the NoEmptyFragments TLSOption
  - Support SFTPOption for ignoring requests to modify timestamps (bug 3706)
  - RPM build on CentOS 5.5 (64bit): “File not found by glob” (bug 3640)
  - Response pool use-after-free memory corruption error
    (bug 3711, #752812, ZDI-CAN-1420, CVE-2011-4130)
- Drop upstream patch for make_scrambled_password_323
- Use upstream SysV initscript rather than our own
- Use upstream systemd service file rather than our own
- Use upstream PAM configuration rather than our own
- Use upstream logrotate configuration rather than our own
- Use upstream tempfiles configuration rather than our own
- Use upstream xinetd configuration rather than our own
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #752812 – CVE-2011-4130 proftpd: Response pool use-after-free flaw (ZDI-CAN-1420)
https://bugzilla.redhat.com/show_bug.cgi?id=752812
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
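
To confirm that a Fedora 16 host carries the fixed build named in this notification (proftpd 1.3.4-1.fc16), the following added example, which is not part of the advisory or of Fedora's tooling, compares an installed VERSION-RELEASE string against it. It assumes a simplified form of rpm's segment-wise ordering (no epoch or '~' handling), applies to Fedora 16 only because the page gives no build numbers for Fedora 14 or 15, and uses constructed sample strings.

```python
import re

# Fixed build for Fedora 16 as stated in the notification (Version / Release).
FIXED_VERSION, FIXED_RELEASE = "1.3.4", "1.fc16"

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm ordering: compare digit/letter segments left to right.

    Assumption: epoch, '~' and '^' are not handled.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1      # a numeric segment beats a letter one
        if x_num:
            x, y = int(x), int(y)          # 10 > 4, unlike a plain string compare
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(installed: str) -> bool:
    """installed: output of rpm -q --qf '%{VERSION}-%{RELEASE}\\n' proftpd"""
    version, _, release = installed.partition("-")
    if ".fc16" not in release:
        raise ValueError("fixed build is only known for Fedora 16: " + installed)
    order = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
    return order >= 0


# Constructed sample inputs, not taken from real hosts.
SAMPLES = [
    "1.3.4-1.fc16",          # the fixed build itself
    "1.3.4-0.15.rc3.fc16",   # hypothetical pre-release build of 1.3.4
    "1.3.3e-1.fc16",         # hypothetical older maintenance release
    "1.3.10-1.fc16",         # hypothetical later release; "1.3.10" < "1.3.4" as text
]

if __name__ == "__main__":
    for nvr in SAMPLES:
        print(nvr, "patched" if is_patched(nvr) else "needs update")
```
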
