Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 510
Alerts This Week
Warning Icon 1 510

Fedora 22: 2015-97055df8a0 Moderate: ProFTPD SFTP Memory Concerns

fedora
Calendar Grey December 12, 2015
Dist Fedora Esm H88
Obtain essential patches for Fedora 22's ProFTPD to address SFTP extension memory vulnerabilities and improve overall security.
Part of the SFTP handshake involves "extensions", which are key/value pairs, comprised of strings

Summary

ProFTPD is an enhanced FTP server with a focus toward simplicity, security,

and ease of configuration. It features a very Apache-like configuration

syntax, and a highly customizable server infrastructure, including support for

multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory

visibility.

This package defaults to the standalone behavior of ProFTPD, but all the

needed scripts to have it run by systemd instead are included.

Update Information:

Part of the SFTP handshake involves "extensions", which are key/value pairs, comprised of strings. In SSH, strings are encoded for network transport as a 32-bit length, followed by the bytes. The mod_sftp module currently places no bounds/length limitations when reading these SFTP extension key/value data from the network. A malicious attacker might attempt to encode large values, and allocate more memory than is necessary, causing excessive resource usage or the FTP daemon to crash. This update limits the amount of memory allocated to handle these extensions.

Change Log

References


[ 1 ] Bug #1286977 - proftpd: unbounded SFTP extended attribute key/values https://bugzilla.redhat.com/show_bug.cgi?id=1286977

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update proftpd' at the command line. For more information, refer to "Managing Software with yum", available at .

Name: proftpd
Product: Fedora 22
Version: 1.3.5a
Release: 5.fc22
Summary: Flexible, stable and highly-configurable FTP server

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.