dcsimg
Linux Today: Linux News On Internet Time.




Current Newswire:

More on LinuxToday

Conectiva Linux Security Announcement - proftpd

Feb 09, 2001, 06:28 (0 Talkback[s])

Date: Thu, 8 Feb 2001 19:41:09 -0200
From: secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [CLA-2001:380] Conectiva Linux Security Announcement - proftpd

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE   : proftpd
SUMMARY   : Denial of Service
DATE      : 2001-02-08 19:17:00
ID        : CLA-2001:380
RELEVANT
RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1, 6.0

DESCRIPTION
"proftpd" is a very popular ftp server. Wojciech Purczynski reported two memory leak problems that could be used in a DoS attack:
1) A memoy leak will happen everytime a SIZE command is given, provided that the scoreboard file is not writable. The default installation is *not* vulnerable to this problem;
2) A similar problem existed with the USER command. Every USER command would cause the server to use more memory.

Additionally, Przemyslaw Frasunek reported some format string vulnerabilities which have been fixed.

SOLUTION
It is recommended that all ProFTPd users upgrade to the latest packages.

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm

ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades:
- add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

 - run:                 apt-get update
 - after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en