Mandrake Linux Advisory: proftpd

Mandrake Linux Security Update Advisory

Problem Description:

A vulnerability was discovered by X-Force Research at ISS in
ProFTPD’s handling of ASCII translation. An attacker, by
downloading a carefully crafted file, can remotely exploit this bug
to create a root shell.

The ProFTPD team encourages all users to upgrade to version
1.2.7 or higher. The problematic code first appeared in ProFTPD
1.2.7rc1, and the provided packages are all patched by the ProFTPD
team to protect against this vulnerability.

Update:

The previous update had a bug where the new packages would
terminate with a SIGNAL 11 when the command “NLST -alL” was
performed in certain cases, such as if the size of the output of
the command was greater than 1024 bytes.

These updated packages have a fix applied to prevent this
crash.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0831

http://xforce.iss.net/xforce/alerts/id/154

http://bugs.proftpd.org/show_bug.cgi?id=2194

Updated Packages:

Mandrake Linux 9.1:
986257995c1d51896466b4f7e00845e4
9.1/RPMS/proftpd-1.2.8-1.2.91mdk.i586.rpm
2d5a537ca3e78399de428bb8ecace8de
9.1/RPMS/proftpd-anonymous-1.2.8-1.2.91mdk.i586.rpm
16e30f6aebccc65af15f5a5a306a3796
9.1/SRPMS/proftpd-1.2.8-1.2.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
2b2a2063166a572d4d31cb3e3d056c67
ppc/9.1/RPMS/proftpd-1.2.8-1.2.91mdk.ppc.rpm
9d0ecbc3a8a8c815213503c9e1f01c4d
ppc/9.1/RPMS/proftpd-anonymous-1.2.8-1.2.91mdk.ppc.rpm
16e30f6aebccc65af15f5a5a306a3796
ppc/9.1/SRPMS/proftpd-1.2.8-1.2.91mdk.src.rpm

Mandrake Linux 9.2:
617b0c84327b2afbd6675e6acaa7bbcd
9.2/RPMS/proftpd-1.2.8-5.2.92mdk.i586.rpm
ddabaf53095a796e651a9e01d086233d
9.2/RPMS/proftpd-anonymous-1.2.8-5.2.92mdk.i586.rpm
0b5d0c9796ab76e543870a6d6e6eb9ea
9.2/SRPMS/proftpd-1.2.8-5.2.92mdk.src.rpm

Mandrake Linux 9.2/AMD64:
fa8be3631de1d31611fa2c495300d1b8
amd64/9.2/RPMS/proftpd-1.2.8-5.2.92mdk.amd64.rpm
b9ef046d841cf664bfa6799446f2989d
amd64/9.2/RPMS/proftpd-anonymous-1.2.8-5.2.92mdk.amd64.rpm
0b5d0c9796ab76e543870a6d6e6eb9ea
amd64/9.2/SRPMS/proftpd-1.2.8-5.2.92mdk.src.rpm

To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team by
executing:

gpg –recv-keys –keyserver www.mandrakesecure.net
0x22458A98

Please be aware that sometimes it takes the mirrors a few hours
to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com