Alerts This Week
Warning Icon 1 619
Alerts This Week
Warning Icon 1 619

Fedora 21: 2015-7086 Critical: ProFTPD Unauthenticated Access

fedora
Calendar Grey May 10, 2015
Dist Fedora Esm H88
Urgent patch for proftpd in Fedora 21 tackling security flaws related to unauthenticated exploitation through mod_copy functionalities.
Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by unauthe...

Summary

ProFTPD is an enhanced FTP server with a focus toward simplicity, security,

and ease of configuration. It features a very Apache-like configuration

syntax, and a highly customizable server infrastructure, including support for

multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory

visibility.

This package defaults to the standalone behavior of ProFTPD, but all the

needed scripts to have it run by xinetd instead are included.

Update Information:

Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by unauthenticated clients

Upstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169

Note that mod_copy is not loaded/enabled by default in the Fedora package.

Topics%20covered

Topics Covered

security advisory critical Fedora proftpd unauthenticated access FTP server mod_copy

Change Log

* Tue Apr 28 2015 Paul Howarth - 1.3.5-5 - Unauthenticated copying of files via SITE CPFR/CPTO was allowed by mod_copy (CVE-2015-3306, http://bugs.proftpd.org/show_bug.cgi?id=4169) * Tue Feb 10 2015 Paul Howarth - 1.3.5-4 - Anonymous upload directory specification needs to be slightly different if mod_vroot is in use (#1045922)
- Use %license where possible

References


[ 1 ] Bug #1212386 - CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy https://bugzilla.redhat.com/show_bug.cgi?id=1212386

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update proftpd' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
critical
Lowest
Low
Medium
High
Critical

Name: proftpd
Product: Fedora 21
Version: 1.3.5
Release: 5.fc21
URL: http://www.proftpd.org/
Summary: Flexible, stable and highly-configurable FTP server

Topics%20covered

Topics Covered

security advisory critical Fedora proftpd unauthenticated access FTP server mod_copy

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here