Alerts This Week
Warning Icon 1 609
Alerts This Week
Warning Icon 1 609

Fedora 43 ProFTPD Important SQL Injection Risk CVE-2026-42167

fedora
Calendar Grey May 8, 2026
Dist Fedora Esm H88
ProFTPD in Fedora 43 fixes an important SQL injection issue through mod_sql, ensuring server security and stability.
Cumulative bug-fix release from upstream

Summary

ProFTPD is an enhanced FTP server with a focus toward simplicity, security,

and ease of configuration. It features a very Apache-like configuration

syntax, and a highly customizable server infrastructure, including support for

multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory

visibility.

This package defaults to the standalone behavior of ProFTPD, but all the

needed scripts to have it run by systemd instead are included.

Update Information:

Cumulative bug-fix release from upstream. Includes fix for a possible SQL- injection issue via mod_sql (CVE-2026-42167). Note that mod_sql is not enabled by default.

Topics%20covered

Topics Covered

security advisory SQL Injection fedora remote DoS important proftpd

Change Log

* Thu Apr 30 2026 Paul Howarth - 1.3.9a-1 - Update to 1.3.9a - SCP transfers failed for files with spaces in their names (GH#1886) - LDAPDefaultGID ignored since 1.3.9 (GH#1898) - Compilation of mod_wrap2 failed when the --enable-wrapper-options configure option was used (Bug #4512) - mod_sftp failed to parse authorized user/host public keys with CRLF line endings (GH#1904) - Uploads using MODE Z sometimes resulted in corrupted files or broken transfers (GH#1896) - Remove usage of the deprecated MySQL_OPT_RECONNECT option for newer MySQL versions (GH#1911) - Update usage of MySQL API for SSL/TLS connections to server (GH#340) - mod_sftp leaked file descriptor when reading SFTPHostKey file (GH#1959) - Large/slow SCP downloads could be unnecessarily truncated by TimeoutStalled (GH#1964) - Handling of CRLs in mod_tls was incorrect, leading to confusing errors (GH#1960) - Resumed SSL_SESSION management in mod_tls lead to memory growth, infinite loop using newer OpenSSL versions (GH#1963) - mod_quotatab_ldap interactions could lead to segfault due to stale pointer (GH#1984) - RNTO before authentication lead to out-of-order response codes (GH#2003) - MaxLoginAttemptsFromUser event never triggered in mod_ban for SFTP sessions (GH#2009) - Using toupper(3) on non-ASCII FTP command bytes might cause remote DoS (GH#2019) - Out-of-bounds single byte read when FTP command input buffer starts with LF (GH#2020) - FTP command LIST/NLST -B could cause buffer overflow when listing certain crafted filenames (GH#2030) - Memory exhaustion with mod_log_forensic when downloading very large files via SFTP (GH#2043) - Setting process groups during authentication crashed when using mod_radius and (GH#2046) - SQL injection possible via mod_sql because of is_escaped_text() logic error (GH#2052, CVE-2026-42167) * Sat Jan 17 2026 Fedora Release Engineering - 1.3.9-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

References


[ 1 ] Bug #2466604 - CVE-2026-42167 proftpd: SQL injection due to logic error in is_escaped_text() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2466604

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-bdb9342c72' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: proftpd
Product: Fedora 43
Version: 1.3.9a
Release: 1.fc43
URL: http://www.proftpd.org/
Summary: Flexible, stable and highly-configurable FTP server

Topics%20covered

Topics Covered

security advisory SQL Injection fedora remote DoS important proftpd

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here