_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:217
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : proftpd
 Date    : November 20, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

 Problem Description:

 As disclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix,
 a Denial of Service (DoS) vulnerability exists in the FTP server
 ProFTPD, up to and including version 1.3.0. The flaw is due to both a
 potential bus error and a definitive buffer overflow in the code which
 determines the FTP command buffer size limit.

 The vulnerability can be exploited only if the "CommandBufferSize"
 directive is explicitly used in the server configuration, which is not
 the case in the default configuration of ProFTPD.

 Packages have been patched to correct these issues.
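 The precondition the advisory names, an explicit CommandBufferSize
 directive, can be audited on each host before the patched packages are
 rolled out. The script below is an added example, not part of this
 advisory or of ProFTPD itself; it reads a constructed sample proftpd.conf,
 skips comment lines, tracks <Global> and <VirtualHost> sections so the
 finding reports its context, and matches the directive name
 case-insensitively, as ProFTPD does.

```python
"""Audit a ProFTPD configuration for an explicit CommandBufferSize directive."""
import re
from typing import List, Tuple

# ProFTPD directive names are case-insensitive, and a directive may sit in the
# main server context or inside a <Global>/<VirtualHost> section.
_DIRECTIVE = re.compile(r"^CommandBufferSize\s+(\S+)", re.IGNORECASE)
_OPEN = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def find_command_buffer_size(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, enclosing context, value) for each directive found.

    Lines whose first non-blank character is '#' are comments and are skipped,
    so a commented-out directive does not count as a finding.
    """
    findings: List[Tuple[int, str, str]] = []
    stack = ["server config"]  # innermost open section is stack[-1]
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := _OPEN.match(line)):
            stack.append(m.group(1))
            continue
        if _CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        if (m := _DIRECTIVE.match(line)):
            findings.append((lineno, stack[-1], m.group(1)))
    return findings


def is_exposed(config_text: str) -> bool:
    """True when the advisory's precondition holds: the directive is set explicitly."""
    return bool(find_command_buffer_size(config_text))


# Constructed sample configuration (not taken from the advisory): one commented
# out directive, one in the main server context and one in a <VirtualHost>.
SAMPLE_CONF = """\
ServerName "ProFTPD Default Installation"
# CommandBufferSize 512
CommandBufferSize 1024
<VirtualHost 10.0.0.5>
    ServerName "Virtual FTP"
    commandbuffersize 2048
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, ctx, value in find_command_buffer_size(SAMPLE_CONF):
        print(f"line {lineno}: CommandBufferSize {value} in {ctx} context")
```

 A host whose configuration yields no finding is running with the default
 buffer size and is outside the advisory's exploitable condition, though the
 patched packages should still be installed.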
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
_______________________________________________________________________

 Updated Packages:
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID    Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>