Debian LTS: DLA-3975-1 moderate: ProFTPD integrity check bypass
debian lts
November 29, 2024
ProFTPD a popular FTP server was affected by multiple vulnerabilities
Topics Covered
Summary
CVE-2023-48795
The SSH transport protocol and variant like SFTP protocol used by
ProFTPD allowed remote attackers to bypass integrity checks
such that some packets are omitted (from the extension negotiation message),
and a client and server may consequently end up with a connection
for which some security features have been downgraded or disabled,
aka a Terrapin attack.
CVE-2023-51713
make_ftp_cmd function has a one-byte out-of-bounds read,
because of mishandling of quote/backslash semantics.
CVE-2024-48651
In proftpd with mod_sftp and mod_sql, an user with
no supplemental groups will incorrectly inherit supplemental
groups from the parent process. Thhis behavior resulted in users gaining supplemental
membership in nogroup, or depending of version root group (GID=0).
For Debian 11 bullseye, these problems have been fixed in version
1.3.7a+dfsg-12+deb11u3.
We recommend that you upgrade your proftpd-dfsg packages.
PREVIOUS
NEXT
Package: proftpd-dfsg
Version: 1.3.7a+dfsg-12+deb11u3
CVE ID: CVE-2023-48795 CVE-2023-51713 CVE-2024-48651
Debian Bug: 1082326
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!