Stay Secure with the Latest Linux Advisories

security advisorySQL Injectionsecurity issue

Fedora 42 ProFTPD Serious SQL Injection Vulnerability CVE-2026-42167

Cumulative bug-fix release from upstream. Includes fix for a possible SQL- injection issue via mod_sql (CVE-2026-42167). Note that mod_sql is not enabled by default.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-739d341ab8 2026-05-08 19:40:45.156106+00:00 -------------------------------------------------------------------------------- Name : proftpd Product : Fedora 42 Version : 1.3.9a Release : 1.fc42 URL : http://www.proftpd.org/ Summary : Flexible, stable and highly-configurable FTP server Description : ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. -------------------------------------------------------------------------------- Update Information: Cumulative bug-fix release from upstream. Includes fix for a possible SQL- injection issue via mod_sql (CVE-2026-42167). Note that mod_sql is not enabled by default. -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 30 2026 Paul Howarth - 1.3.9a-1 - Update to 1.3.9a - SCP transfers failed for files with spaces in their names (GH#1886) - LDAPDefaultGID ignored since 1.3.9 (GH#1898) - Compilation of mod_wrap2 failed when the --enable-wrapper-options configure option was used (Bug #4512) - mod_sftp failed to parse authorized user/host public keys with CRLF line endings (GH#1904) - Uploads using MODE Z sometimes resulted in corrupted files or broken transfers (GH#1896) - Remove usage of the deprecated MySQL_OPT_RECONNECT option for newerMySQL versions (GH#1911) - Update usage of MySQL API for SSL/TLS connections to server (GH#340) - mod_sftp leaked file descriptor when reading SFTPHostKey file (GH#1959) - Large/slow SCP downloads could be unnecessarily truncated by TimeoutStalled (GH#1964) - Handling of CRLs in mod_tls was incorrect, leading to confusing errors (GH#1960) - Resumed SSL_SESSION management in mod_tls lead to memory growth, infinite loop using newer OpenSSL versions (GH#1963) - mod_quotatab_ldap interactions could lead to segfault due to stale pointer (GH#1984) - RNTO before authentication lead to out-of-order response codes (GH#2003) - MaxLoginAttemptsFromUser event never triggered in mod_ban for SFTP sessions (GH#2009) - Using toupper(3) on non-ASCII FTP command bytes might cause remote DoS (GH#2019) - Out-of-bounds single byte read when FTP command input buffer starts with LF (GH#2020) - FTP command LIST/NLST -B could cause buffer overflow when listing certain crafted filenames (GH#2030) - Memory exhaustion with mod_log_forensic when downloading very large files via SFTP (GH#2043) - Setting process groups during authentication crashed when using mod_radius and (GH#2046) - SQL injection possible via mod_sql because of is_escaped_text() logic error (GH#2052, CVE-2026-42167) * Sat Jan 17 2026 Fedora Release Engineering - 1.3.9-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Jul 25 2025 Fedora Release Engineering - 1.3.9-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466604 - CVE-2026-42167 proftpd: SQL injection due to logic error in is_escaped_text() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2466604 -------------------------------------------------------------------------------- This update can be installed with the "dnf" updateprogram. Use su -c 'dnf upgrade --advisory FEDORA-2026-739d341ab8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new . Cumulative fix for Fedora 42 ProFTPD addresses a critical SQL injection issue in mod_sql that needs attention.. Fedora ProFTPD Update SQL Injection Fix. . Severity: Important. LinuxSecurity.com Team

May 08, 2026 •Important Fedora