Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

Fedora 8: 2009-0195 Moderate: ProFTPD CSRF Attack Mitigation

fedora
Calendar Grey January 7, 2009
Dist Fedora Esm H88
A patch for proftpd in Fedora 8 addresses a CSRF vulnerability that permits exploit attempts, along with resolving SSL termination issues.
This update fixes a security issue where an attacker could conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands

Summary

ProFTPD is an enhanced FTP server with a focus toward simplicity, security,

and ease of configuration. It features a very Apache-like configuration

syntax, and a highly customizable server infrastructure, including support for

multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory

visibility.

This package defaults to the standalone behaviour of ProFTPD, but all the

needed scripts to have it run by xinetd instead are included.

This update fixes a security issue where an attacker could conduct cross-site

request forgery (CSRF) attacks and execute arbitrary FTP commands. It also fixes

some SSL shutdown issues seen with certain clients.

* Fri Jan 2 2009 Matthias Saou 1.3.1-8

- Update default configuration to have a lit of available modules and more

example configuration for them.

- Include patches to fix TLS issues (#457280).

* Fri Jan 2 2009 Matthias Saou 1.3.1-7

- Add Debian patch to fix CSRF vulnerability (#464127, upstream #3115).

* Fri Aug 8 2008 Matthias Saou 1.3.1-6

- Add mod_ban support (#457289, Philip Prindeville).

* Tue Feb 19 2008 Fedora Release Engineering

- Autorebuild for GCC 4.3

* Wed Feb 13 2008 Matthias Saou 1.3.1-4

- Pass --enable-shadow to also have it available, not just PAM (#378981).

- Add mod_ifsession as DSO (#432539).

* Mon Dec 17 2007 Matthias Saou 1.3.1-3

- Rebuild for new openssl, patch from Paul Howarth.

* Mon Oct 22 2007 Matthias Saou 1.3.1-2

- Include openldap schema file for quota support (Fran Taylor, #291891).

- Include FDS compatible LDIF file for quota support (converted).

- Prefix source welcome.msg for consistency.

[ 1 ] Bug #464127 - CVE-2008-4242 proftpd CSRF attack

https://bugzilla.redhat.com/show_bug.cgi?id=464127

su -c 'yum update proftpd' at the command line.

For more information, refer to "Managing Software with yum",

available at .

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

Fedora-package-announce mailing list

Fedora-package-announce@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Topics%20covered

Topics Covered

security advisory moderate Fedora proftpd CSRF

Change Log

References

Update Instructions

Severity
important
Lowest
Low
Medium
High
Critical

Product: Fedora 8
Version: 1.3.1
Release: 8.fc8
URL: http://www.proftpd.org/
Summary: Flexible, stable and highly-configurable FTP server

Topics%20covered

Topics Covered

security advisory moderate Fedora proftpd CSRF

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here