
Fedora 24 Critical: ProFTPD Symlink Bypass Fix for Local Access

April 18, 2017
Current upstream maintenance release for the 1.3.5 series

Summary

ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility.

This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included.

Current upstream maintenance release for the 1.3.5 series. Includes fix for CVE-2017-7418, where not all path elements were checked for symlinks when using a chroot, so attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link.
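The incomplete check described above, as an added example (not ProFTPD's code and not part of the Fedora advisory): a Python audit helper that contrasts inspecting only the final element of a chroot path with inspecting every element for symlinks. The function names, directory names and the `build_demo_tree` fixture are constructed for illustration.

```python
import os
import tempfile

def last_element_is_symlink(path):
    # Incomplete check (the pattern CVE-2017-7418 describes): only the
    # final path element is examined; earlier ones are followed silently.
    return os.path.islink(path)

def symlinked_elements(start, relative):
    """Return each element of `relative` (walked from `start`) that is a symlink."""
    found, current = [], start
    for part in relative.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            raise ValueError("refusing '..' in audited path")
        current = os.path.join(current, part)
        if os.path.islink(current):  # lstat-based: the element itself is not followed
            found.append(current)
    return found

def build_demo_tree():
    """Constructed fixture: ftp/alice is a symlink, ftp/bob is a plain directory."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="chroot-audit-"))
    os.makedirs(os.path.join(base, "elsewhere", "pub"))
    os.makedirs(os.path.join(base, "ftp", "bob", "pub"))
    os.symlink(os.path.join(base, "elsewhere"), os.path.join(base, "ftp", "alice"))
    return base

if __name__ == "__main__":
    base = build_demo_tree()
    for rel in ("ftp/bob/pub", "ftp/alice/pub"):
        full = os.path.join(base, rel)
        print(rel, "| last-element check:", last_element_is_symlink(full),
              "| full walk:", symlinked_elements(base, rel))
```

Run against the real chroot paths on a server (with `start` set to `/`), a non-empty result from `symlinked_elements` marks a path that the last-element check alone would have accepted.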

[1] Bug #1439693 - CVE-2017-7418 proftpd: AllowChrootSymlinks control bypass
https://bugzilla.redhat.com/show_bug.cgi?id=1439693

su -c 'dnf upgrade proftpd' at the command line.

For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: critical

Product: Fedora 24
Version: 1.3.5e
Release: 1.fc24
Summary: Flexible, stable and highly-configurable FTP server
