Debian Bug report logs - #859592
proftpd-dfsg: CVE-2017-7418


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 5 Apr 2017 04:24:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions proftpd-dfsg/1.3.5-1, proftpd-dfsg/1.3.5b-3

Fixed in version proftpd-dfsg/1.3.5b-4

Done: Francesco Paolo Lovergine <frankie@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.proftpd.org/show_bug.cgi?id=4295




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#859592; Package src:proftpd-dfsg. (Wed, 05 Apr 2017 04:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Wed, 05 Apr 2017 04:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: proftpd-dfsg: CVE-2017-7418
Date: Wed, 05 Apr 2017 06:21:40 +0200
Source: proftpd-dfsg
Version: 1.3.5b-3
Severity: important
Tags: upstream patch security
Forwarded: http://bugs.proftpd.org/show_bug.cgi?id=4295
Control: found -1 1.3.5-1

Hi,

the following vulnerability was published for proftpd-dfsg.

CVE-2017-7418[0]:
| ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the
| home directory of a user could contain a symbolic link through the
| AllowChrootSymlinks configuration option, but checks only the last path
| component when enforcing AllowChrootSymlinks. Attackers with local
| access could bypass the AllowChrootSymlinks control by replacing a path
| component (other than the last one) with a symbolic link. The threat
| model includes an attacker who is not granted full filesystem access by
| a hosting provider, but can reconfigure the home directory of an FTP
| user.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7418
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418
[1] http://bugs.proftpd.org/show_bug.cgi?id=4295

Regards,
Salvatore
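The CVE text above turns on one detail: a symlink check that lstat()s the final path component only can be bypassed by placing the symlink at any earlier component. The following is an added example written for this page, not ProFTPD's own code and not the patch tracked in bug 4295; the function names symlink_check_last_only and symlink_check_recursive, the fixture layout under /tmp and the simplified "lstat the whole path once" model of the pre-fix behaviour are all assumptions made for illustration. It builds a constructed directory tree where the home directory is reached through a symlink in a non-final component, then runs both styles of check against it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 4096

/* Last-component-only check (hypothetical simplification of the pre-fix
 * behaviour described in the CVE text): lstat() the whole path once, so only
 * the final component is examined for being a symlink.
 * Returns 1 if the last component is a symlink, 0 if not, -1 on error. */
static int symlink_check_last_only(const char *path) {
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Recursive check: lstat() every '/'-delimited prefix of the absolute path,
 * so a symlink anywhere in the chain is detected, not just at the end.
 * Returns 1 if any component is a symlink, 0 if none, -1 on error. */
static int symlink_check_recursive(const char *path) {
    char buf[PATHBUF];
    size_t len = strlen(path);
    struct stat st;

    if (len == 0 || len >= sizeof buf || path[0] != '/')
        return -1;
    memcpy(buf, path, len + 1);

    /* Strip trailing slashes: lstat("link/") follows the final link. */
    while (len > 1 && buf[len - 1] == '/')
        buf[--len] = '\0';

    for (size_t i = 1; i <= len; i++) {
        if (buf[i] != '/' && buf[i] != '\0')
            continue;                   /* not at a component boundary yet */
        if (buf[i - 1] == '/')
            continue;                   /* "//" or bare "/": empty component */
        char saved = buf[i];
        buf[i] = '\0';                  /* terminate at this prefix */
        if (lstat(buf, &st) < 0)
            return -1;
        if (S_ISLNK(st.st_mode))
            return 1;
        buf[i] = saved;
    }
    return 0;
}

/* Constructed fixture (test scaffolding, not a real ProFTPD home):
 *   <base>/real/home      real directory, the legitimate home
 *   <base>/link -> real   symlink placed as a NON-final path component
 * Writes "<base>/link/home" to `home` and "<base>/real/home" to `real_home`.
 * Returns 0 on success, -1 on failure. */
static int build_fixture(char *home, char *real_home, size_t n) {
    char tmpl[] = "/tmp/cve-2017-7418-XXXXXX";
    char path[PATHBUF];
    char *base;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    base = realpath(tmpl, NULL);        /* canonical base, in case /tmp is itself a link */
    if (base == NULL)
        return -1;

    snprintf(path, sizeof path, "%s/real", base);
    if (mkdir(path, 0700) < 0) { free(base); return -1; }
    snprintf(path, sizeof path, "%s/real/home", base);
    if (mkdir(path, 0700) < 0) { free(base); return -1; }
    snprintf(path, sizeof path, "%s/link", base);
    if (symlink("real", path) < 0) { free(base); return -1; }

    snprintf(home, n, "%s/link/home", base);
    snprintf(real_home, n, "%s/real/home", base);
    free(base);
    return 0;
}

int main(void) {
    char home[PATHBUF], real_home[PATHBUF];
    if (build_fixture(home, real_home, PATHBUF) < 0) {
        perror("fixture");
        return 1;
    }
    printf("%s\n  last-component check: %d (symlink missed)\n  recursive check:      %d (symlink caught)\n",
           home, symlink_check_last_only(home), symlink_check_recursive(home));
    printf("%s\n  recursive check:      %d (clean path)\n",
           real_home, symlink_check_recursive(real_home));
    return 0;
}
```

The point to take from the run is that both checks see the same string, but the last-only check reports the path as clean because the final component is a real directory, while the recursive walk stops at the link one level up. Any check that claims to enforce "no symlinks in the chroot path" has to inspect every prefix, and has to use lstat() rather than stat() at each step so the link itself is examined rather than its target.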



Marked as found in versions proftpd-dfsg/1.3.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 05 Apr 2017 04:24:04 GMT)


Reply sent to Francesco Paolo Lovergine <frankie@debian.org>:
You have taken responsibility. (Thu, 06 Apr 2017 10:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 06 Apr 2017 10:36:03 GMT)


Message #12 received at 859592-close@bugs.debian.org:

From: Francesco Paolo Lovergine <frankie@debian.org>
To: 859592-close@bugs.debian.org
Subject: Bug#859592: fixed in proftpd-dfsg 1.3.5b-4
Date: Thu, 06 Apr 2017 10:34:00 +0000
Source: proftpd-dfsg
Source-Version: 1.3.5b-4

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859592@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <frankie@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 05 Apr 2017 15:57:53 +0200
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite proftpd-mod-geoip
Architecture: source amd64 all
Version: 1.3.5b-4
Distribution: unstable
Urgency: medium
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>
Changed-By: Francesco Paolo Lovergine <frankie@debian.org>
Description:
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-geoip - Versatile, virtual-hosting FTP daemon - GeoIP module
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 859592
Changes:
 proftpd-dfsg (1.3.5b-4) unstable; urgency=medium
 .
   * Added patch CVE-2017-7418 to add recursive handling of DefaultRoot path.
     (closes: #859592)
Checksums-Sha1:
 4b12c2325ddc5863b2f2f1be08b72a6538d741fd 2755 proftpd-dfsg_1.3.5b-4.dsc
 4636872ae67ff69c3dce003e36be7e0b39848def 74692 proftpd-dfsg_1.3.5b-4.debian.tar.xz
 33fb1e28dfae56b0689eecc0df6b1573a5764bd4 2476508 proftpd-basic_1.3.5b-4_amd64.deb
 e5d41991048a259d48cdcf2ba019fbef69532e68 983470 proftpd-dev_1.3.5b-4_amd64.deb
 6d72ade1174ba74fee05c134170629c0063a11ec 9616 proftpd-dfsg_1.3.5b-4_amd64.buildinfo
 6c73320a89d242fa2f1c1a483f01b14905921731 1625668 proftpd-doc_1.3.5b-4_all.deb
 9677b67d2c34a5365eb5da12a9ce09fdcb252e12 478278 proftpd-mod-geoip_1.3.5b-4_amd64.deb
 175f327dd128d70e6eac82897feb408d5fe1be72 485200 proftpd-mod-ldap_1.3.5b-4_amd64.deb
 404c1209a4335c6d8a548281e13f345c0567764b 477580 proftpd-mod-mysql_1.3.5b-4_amd64.deb
 2a0ea12b0d9edb37c5384825be8b582b540a7f12 478616 proftpd-mod-odbc_1.3.5b-4_amd64.deb
 c641286907702c168637694fce2306be353fe059 477126 proftpd-mod-pgsql_1.3.5b-4_amd64.deb
 ad2557608ea31ba8005fcf02789312734e8b1310 476582 proftpd-mod-sqlite_1.3.5b-4_amd64.deb
Checksums-Sha256:
 6f205e5219de5e3c36b19fc722dab58b6f16658bfac4ac8d88df9db153eeb88c 2755 proftpd-dfsg_1.3.5b-4.dsc
 6074e4191170e4f184f4918d53e930411b33c689ac78f0e1186c033125529ead 74692 proftpd-dfsg_1.3.5b-4.debian.tar.xz
 e0173d977c0d79f457b4e911bf4e0ac8960bb6330cc9499ecc022361c8f1c7d6 2476508 proftpd-basic_1.3.5b-4_amd64.deb
 c125944ed99ae8fffcd017c8c74d94a83a0fd98a01cb5e870c436c31f4b2f5cb 983470 proftpd-dev_1.3.5b-4_amd64.deb
 727921a9301cc61a8e23621452582c6749030c1c8dfcffa31a42d27d0bb782c1 9616 proftpd-dfsg_1.3.5b-4_amd64.buildinfo
 0023fdeb4ce11c8f6efde2c8703edd4f74e62db3626ef384b145ba5d8d0f8f81 1625668 proftpd-doc_1.3.5b-4_all.deb
 a870fafd7d92d4b51751daeb3917ce98b5ad66c7df37414f31b624dcf2e7d5e9 478278 proftpd-mod-geoip_1.3.5b-4_amd64.deb
 f7b4f674d62f341dc34ec31f8c0f1f056ddda13331b1560567e78db5a7aaaae0 485200 proftpd-mod-ldap_1.3.5b-4_amd64.deb
 a71b0fe154b6bac2ee27b6f5a9d7b7869bebdeea80a77f9838ab4ab43a3da88b 477580 proftpd-mod-mysql_1.3.5b-4_amd64.deb
 f99984c4bb30acac28615e565fe59ff647e2edfe0efb9f4a95daab7bb057dce8 478616 proftpd-mod-odbc_1.3.5b-4_amd64.deb
 b29f9ccaf6120d8305b0b1fb1a3bf8964c13efc04b30c1e8a31c0df1a8df299e 477126 proftpd-mod-pgsql_1.3.5b-4_amd64.deb
 ae9fe2eaed6dde46d4d230e152e0815f9b98c867e387594b8fa957d5c8ed4428 476582 proftpd-mod-sqlite_1.3.5b-4_amd64.deb
Files:
 af0b57d0dc55c0c374dce76ed6fa3f12 2755 net optional proftpd-dfsg_1.3.5b-4.dsc
 2ccbfe919a6ed0453baf23c571c11948 74692 net optional proftpd-dfsg_1.3.5b-4.debian.tar.xz
 a06906cdf6c2b45aa0a68c496a43c57e 2476508 net optional proftpd-basic_1.3.5b-4_amd64.deb
 a5281faef6f1a679b69b84fd9b2a96e7 983470 net optional proftpd-dev_1.3.5b-4_amd64.deb
 fb52e1eae7c6214a1e1fac8802fc863f 9616 net optional proftpd-dfsg_1.3.5b-4_amd64.buildinfo
 2324f1d484ea4532b51a6c604ef6b74d 1625668 doc optional proftpd-doc_1.3.5b-4_all.deb
 907b1a025dbe66cc587dfade90d41d36 478278 net optional proftpd-mod-geoip_1.3.5b-4_amd64.deb
 4f9b67173b979b97561d47ad376427ee 485200 net optional proftpd-mod-ldap_1.3.5b-4_amd64.deb
 009a3b3651d7f54031dd37ce356b5831 477580 net optional proftpd-mod-mysql_1.3.5b-4_amd64.deb
 b18b8e7ded6fc0b004c1df26917f620c 478616 net optional proftpd-mod-odbc_1.3.5b-4_amd64.deb
 6fb878a7a4e1441d234c6d3221b8a8ff 477126 net optional proftpd-mod-pgsql_1.3.5b-4_amd64.deb
 0386b409787ac845957eaab4b8c3714c 476582 net optional proftpd-mod-sqlite_1.3.5b-4_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 10 May 2017 07:28:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:18:28 2019; Machine Name: buxtehude
