Description
Security update for proftpd
This update for proftpd fixes the following issues:
- GeoIP has been discontinued by MaxMind (boo#1156210). This update removes the build of the geoip module; see https://support.maxmind.com/geolite-legacy-discontinuation-notice/
- CVE-2019-19269: Fixed a NULL pointer dereference that could occur when validating the certificate of a client connecting to the server (boo#1157803)
- CVE-2019-19270: Fixed a failure to check the appropriate field of a CRL entry, which prevented some valid CRLs from being taken into account (boo#1157798)
- CVE-2019-18217: Fixed remote unauthenticated denial-of-service due to incorrect handling of overly long commands (boo#1154600 gh#846)
Update to 1.3.6b:
- Fixed pre-authentication remote denial-of-service issue (Issue #846).
- Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).
Update to 1.3.6a:
- Fixed symlink navigation (Bug#4332).
- Fixed building of mod_sftp using OpenSSL 1.1.x releases (Issue#674).
- Fixed SITE COPY honoring of restrictions (Bug#4372).
- Fixed segfault on login when using mod_sftp + mod_sftp_pam (Issue#656).
- Fixed restarts when using mod_facl as a static module
- Add missing Requires(pre): group(ftp) for Leap 15 and Tumbleweed (boo#1155834)
- Add missing Requires(pre): user(ftp) for Leap 15 and Tumbleweed (boo#1155834)
- Use pam_keyinit.so (boo#1144056)
- Reduce hard dependency on systemd to only that which is necessary for building and installation.
Update to 1.3.6:
- Support for using Redis for caching, logging; see the doc/howto/Redis.html documentation.
- Fixed mod_sql_postgres SSL support (Issue #415).
- Support building against LibreSSL instead of OpenSSL (Issue #361).
- Better support on AIX for login restrictions (Bug #4285).
- TimeoutLogin (and other timeouts) were not working properly for SFTP connections (Bug#4299).
- Handling of the SIGILL and SIGINT signals, by the daemon process, now causes the child processes to be terminated as well (Issue #461).
- RPM .spec file naming changed to conform to Fedora guidelines.
- Fix for 'AllowChrootSymlinks off' checking each component for symlinks (CVE-2017-7418).
New Modules:
- mod_redis, mod_tls_redis, mod_wrap2_redis: With Redis now supported as a caching mechanism, similar to Memcache, there are now Redis-using modules: mod_redis (for configuring the Redis connection information), mod_tls_redis (for caching SSL sessions and OCSP information using Redis), and mod_wrap2_redis (for using ACLs stored in Redis).
Changed Modules:
- mod_ban: The mod_ban module's BanCache directive can now use Redis-based caching; see doc/contrib/mod_ban.html#BanCache.
New Configuration Directives:
- SQLPasswordArgon2, SQLPasswordScrypt: The key lengths for Argon2 and Scrypt-based passwords are now configurable via these new directives; previously, the key length had been hardcoded to 32 bytes, which is not interoperable with all other implementations (Issue #454).
Changed Configuration Directives:
- AllowChrootSymlinks: When 'AllowChrootSymlinks off' was used, only the last portion of the DefaultRoot path would be checked to see if it was a symlink. Now, each component of the DefaultRoot path is checked to see if it is a symlink when 'AllowChrootSymlinks off' is used.
- Include: The Include directive can now be used within a section, e.g.:
    Include /path/to/allowed.txt
    DenyAll
API Changes:
- A new JSON API has been added, for use by third-party modules.
Package list
SUSE Package Hub 15
SUSE Package Hub 15 SP1
openSUSE Leap 15.1
Links
- E-Mail link for openSUSE-SU-2020:0031-1
- SUSE Security Ratings
- SUSE Bug 1113041
- SUSE Bug 1144056
- SUSE Bug 1154600
- SUSE Bug 1155834
- SUSE Bug 1156210
- SUSE Bug 1157798
- SUSE Bug 1157803
- SUSE CVE CVE-2017-7418 page
- SUSE CVE CVE-2019-12815 page
- SUSE CVE CVE-2019-18217 page
- SUSE CVE CVE-2019-19269 page
- SUSE CVE CVE-2019-19270 page
Description
ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.
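The CVE-2017-7418 description above and the AllowChrootSymlinks change in the 1.3.6 notes both turn on one point: a symlink check that inspects only the last component of a DefaultRoot path misses a symlink substituted for an intermediate directory. The following added example (not ProFTPD's own code) contrasts the two checks in Python against a constructed temporary directory layout, where the directory name "user" and the link name "link" are assumed.

```python
import os
import tempfile


def symlink_components(path):
    """Return every prefix of an absolute path that is itself a symbolic link.

    This mirrors the corrected 'AllowChrootSymlinks off' behaviour: each
    component of the DefaultRoot path is examined, not only the last one.
    """
    path = os.path.abspath(path)
    found = []
    prefix = os.sep
    for part in path.split(os.sep):
        if not part:
            continue
        prefix = os.path.join(prefix, part)
        if os.path.islink(prefix):
            found.append(prefix)
    return found


def last_component_is_symlink(path):
    """The pre-fix check: only the final path component is examined."""
    return os.path.islink(os.path.abspath(path))


def demo():
    """Constructed layout: <tmp>/link -> <tmp>/real, home is <tmp>/link/user.

    Returns (weak_check_result, names_of_symlinked_components) so the two
    checks can be compared: the weak check misses the intermediate symlink.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)          # resolve the temp dir itself
        real = os.path.join(root, "real")
        os.makedirs(os.path.join(real, "user"))
        link = os.path.join(root, "link")
        os.symlink(real, link)                # intermediate component is a symlink
        home = os.path.join(link, "user")     # last component is a plain directory
        weak = last_component_is_symlink(home)
        strict = [os.path.basename(p) for p in symlink_components(home)]
        return weak, strict


if __name__ == "__main__":
    print(demo())   # (False, ['link'])
```

The same per-component walk can be run against the DefaultRoot of each FTP account to spot home directories whose parent path has been redirected through a symlink.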
Affected products
Links
- CVE-2017-7418
- SUSE Bug 1032443
Description
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
Affected products
Links
- CVE-2019-12815
- SUSE Bug 1142281
Description
ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.
Affected products
Links
- CVE-2019-18217
- SUSE Bug 1154600
Description
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
Affected products
Links
- CVE-2019-19269
- SUSE Bug 1157803
Description
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.
Affected products
Links
- CVE-2019-19270
- SUSE Bug 1157798