Ubuntu 24.10: 7297-1 Critical: ProFTPD Privilege Escalation Issues

ubuntu
February 25, 2025

Summary

Several security issues were fixed in proftpd-dfsg.

Software Description:

- proftpd-dfsg: Versatile, virtual-hosting FTP daemon

Details:

Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that the transport protocol implementation in ProFTPD had weak integrity checks. An attacker could use this vulnerability to bypass security features like encryption and integrity checks. (CVE-2023-48795)

Martin Mirchev discovered that ProFTPD did not properly validate user input over the network. An attacker could use this vulnerability to crash ProFTPD or execute arbitrary code. (CVE-2023-51713)

Brian Ristuccia discovered that ProFTPD incorrectly inherited groups from the parent process. An attacker could use this vulnerability to elevate privileges. (CVE-2024-48651)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   proftpd-core                    1.3.8.b+dfsg-2ubuntu1.24.10.1

Ubuntu 24.04 LTS
   proftpd-core                    1.3.8.b+dfsg-1ubuntu0.1

Ubuntu 22.04 LTS
   proftpd-basic                   1.3.7c+dfsg-1ubuntu0.1
   proftpd-core                    1.3.7c+dfsg-1ubuntu0.1

Ubuntu 20.04 LTS
   proftpd-basic                   1.3.6c-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-7297-1

CVE-2023-48795, CVE-2023-51713, CVE-2024-48651

Severity
Critical

Ubuntu Security Notice USN-7297-1
