Date: Thu, 8 Feb 2001 19:41:09 -0200
From: secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [CLA-2001:380] Conectiva Linux Security Announcement –
proftpd
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : proftpd SUMMARY : Denial of Service DATE : 2001-02-08 19:17:00 ID : CLA-2001:380 RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1, 6.0
DESCRIPTION
“proftpd” is a very popular ftp server. Wojciech Purczynski
reported two memory leak problems that could be used in a DoS
attack:
1) A memoy leak will happen everytime a SIZE command is given,
provided that the scoreboard file is not writable. The default
installation is *not* vulnerable to this problem;
2) A similar problem existed with the USER command. Every USER
command would cause the server to use more memory.
Additionally, Przemyslaw Frasunek reported some format string
vulnerabilities which have been fixed.
SOLUTION
It is recommended that all ProFTPd users upgrade to the latest
packages.
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/proftpd-1.2.0rc3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to
perform upgrades:
– add the following line to /etc/apt/sources.list if it is not
there yet (you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br
6.0/conectiva updates
- run: apt-get update - after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade
examples can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en