Fedora EPEL 4 updates-testing report

updates at fedoraproject.org
Fri Apr 8 20:31:43 UTC 2011


The following Fedora EPEL 4 Security updates need testing:

    https://admin.fedoraproject.org/updates/proftpd-1.3.3e-1.el4


The following builds have been pushed to Fedora EPEL 4 updates-testing

    proftpd-1.3.3e-1.el4

Details about builds:


================================================================================
 proftpd-1.3.3e-1.el4 (FEDORA-EPEL-2011-3011)
 Flexible, stable and highly-configurable FTP server
--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream maintenance release, fixes a large number of bugs (see NEWS for details), and also a couple of security issues:

* Plaintext command injection vulnerability in FTPS implementation (i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for details.

* CVE-2011-1137 (badly formed SSH messages cause DoS). See http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.

Other highlights include:

* Display messages work properly again.

* Performance improvements, especially during server startup/restarts.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr  4 2011 Paul Howarth <paul at city-fan.org> 1.3.3e-1
- Update to 1.3.3e, fixing a large number of bugs reported upstream:
  - Process privileges may not be handled properly when --enable-autoshadow is
    used (bug 3757)
  - mod_sftp closes channel too early after scp download (bug 3544)
  - mod_sftp_pam may tell client to disable echoing erroneously (bug 3579)
  - mod_sftp behaves badly when receiving badly formed SSH messages (bug 3586,
    CVE-2011-1137)
  - Using "$shell $libtool" in prxs does not work for all shells (bug 3593)
  - WrapAllowMsg directive broken due to bug 3423 (bug 3538)
  - SocketOptions receive/send buffer size parameters no longer work (bug 3607)
  - mod_wrap2 needs to support netmask rules for IPv6 addresses (bug 3606)
  - APPE/STOU upload flags erroneously preserved across upload commands
    (bug 3612)
  - Malicious module can use sreplace() function to overflow buffer (bug 3614)
  - Exiting sessions don't seem to die properly (bug 3619)
  - mod_delay sometimes logs "unable to load DelayTable into memory" (bug 3622)
  - Plaintext command injection in FTPS support (bug 3624)
  - mod_ifsession rules using regular expressions do not work (bug 3625)
  - Truncated client name saved in ScoreboardFile (bug 3623)
  - %w variable populated with non-absolute path in SQLLog statement (bug 3627)
  - Unnecessarily verbose "warning: unable to throttle bandwidth: Interrupted
    system call" (bug 3628)
  - SSH DISCONNECT messages sent by mod_sftp even for FTP connections in some
    cases (bug 3630)
  - mod_sql should log "unrecoverable database error" at a higher priority
    (bug 3632)
  - Proftpd is eating CPU when reparsing configuration file on SIGHUP (bug 3610)
  - Incorrect generation of DSA signature for SSH sessions (bug 3634)
- Nobody else likes macros for commands
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #681718 - CVE-2011-1137 proftpd: integer overflow in mod_sftp
        https://bugzilla.redhat.com/show_bug.cgi?id=681718
--------------------------------------------------------------------------------