Explore top 10 tips to secure your open-source projects now. Read More
×
Cumulative bug-fix update, including several buffer overflow fixes.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-75a8969e55 2026-07-18 00:27:50.464547+00:00 -------------------------------------------------------------------------------- Name : proftpd Product : Fedora 43 Version : 1.3.9c Release : 1.fc43 URL : http://www.proftpd.org/ Summary : Flexible, stable and highly-configurable FTP server Description : ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. -------------------------------------------------------------------------------- Update Information: Cumulative bug-fix update, including several buffer overflow fixes. -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 8 2026 Paul Howarth - 1.3.9c-1 - Update to 1.3.9c - ExecEnviron values not passed due to regression since 1.3.8.d (GH#2135) - Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146) - MaxTransfersPerUser no longer enforces configured limits (GH#2158) - AdminControlsACLs for config, get actions not honored as they should be (GH#2163) - Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166) - RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173) - SQL group name lookup concatenates client-provided group names without escaping (GH#2188) - Authenticated SFTP sessions can overflowthe SFTP packet buffer (GH#2190) - Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210) * Fri Jun 12 2026 Yaakov Selkowitz - 1.3.9b-2 - Rebuilt for openssl 4.0 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-75a8969e55' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Cumulative bug-fix update, including several buffer overflow fixes.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-2f95481529 2026-07-18 00:26:14.272998+00:00 -------------------------------------------------------------------------------- Name : proftpd Product : Fedora 44 Version : 1.3.9c Release : 1.fc44 URL : http://www.proftpd.org/ Summary : Flexible, stable and highly-configurable FTP server Description : ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. -------------------------------------------------------------------------------- Update Information: Cumulative bug-fix update, including several buffer overflow fixes. -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 8 2026 Paul Howarth - 1.3.9c-1 - Update to 1.3.9c - ExecEnviron values not passed due to regression since 1.3.8.d (GH#2135) - Stack buffer overflow in MLSD/MLST handling for long path names (GH#2146) - MaxTransfersPerUser no longer enforces configured limits (GH#2158) - AdminControlsACLs for config, get actions not honored as they should be (GH#2163) - Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking (GH#2166) - RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters (GH#2173) - SQL group name lookup concatenates client-provided group names without escaping (GH#2188) - Authenticated SFTP sessions can overflowthe SFTP packet buffer (GH#2190) - Default Controls socket ACLs unintentionally allow all users access for sending Controls requests (GH#2210) * Fri Jun 12 2026 Yaakov Selkowitz - 1.3.9b-2 - Rebuilt for openssl 4.0 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-2f95481529' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
New proftpd packages are available for Slackware 15.0 and -current to fix security issues.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] proftpd (SSA:2026-189-02) New proftpd packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: +--------------------------+ patches/packages/proftpd-1.3.9c-i586-1_slack15.0.txz: Upgraded. This update fixes bugs and security issues: ExecEnviron values not passed due to regression since 1.3.8.d. Stack buffer overflow in MLSD/MLST handling for long path names. MaxTransfersPerUser no longer enforces configured limits. AdminControlsACLs for config, get actions not honored as they should be. Memcached/Redis-cached JSON TLS session/OCSP entries decoded into fixed buffers without bounds checking. RewriteMap unescape builtin use causes one-byte out-of-bounds write, fails to reject illegal characters. SQL group name lookup concatenates client-provided group names without escaping. Authenticated SFTP sessions can overflow the SFTP packet buffer. Default Controls socket ACLs unintentionally allow all users access for sending Controls requests. (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 15.0: ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/proftpd-1.3.9c-i586-1_slack15.0.txz Updated package for Slackware x86_64 15.0: ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/proftpd-1.3.9c-x86_64-1_slack15.0.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/proftpd-1.3.9c-i686-1.txz Updated package for Slackware x86_64-current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/proftpd-1.3.9c-x86_64-1.txz MD5 signatures: +-------------+ Slackware 15.0 package: 5e957bcf4abf13fc957520d6987eb954 proftpd-1.3.9c-i586-1_slack15.0.txz Slackware x86_64 15.0 package: 7506a63751fc4996465a2c83e9174eae proftpd-1.3.9c-x86_64-1_slack15.0.txz Slackware -current package: eb1aa81c4db3a984dc39f9e75438e067 n/proftpd-1.3.9c-i686-1.txz Slackware x86_64 -current package: d28ec7ff480ab4121deb30c59c73e9ca n/proftpd-1.3.9c-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg proftpd-1.3.9c-i586-1_slack15.0.txz +-----+ . Upgrade to the latest proftpd package for Slackware to address significant security issues and bugs in the software.. proftpd security issues, Slackware package updates, buffer overflow fix. . Severity: Critical. LinuxSecurity.com Team
Security update. Publication date: 12 Jun 2026 URL: https://advisories.mageia.org/MGASA-2026-0200.html Type: security Affected Mageia releases: 9 CVE: CVE-2026-42167, CVE-2026-44331 Description: CVE-2026-42167 mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM). CVE-2026-44331 a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect References: - https://bugs.mageia.org/show_bug.cgi?id=35445 - https://lists.fedoraproject.org/archives/list/
An update that fixes two vulnerabilities is now available.. openSUSE Security Update: Security update for proftpd ______________________________________________________________________________ Announcement ID: openSUSE-SU-2025:0315-1 Rating: important References: #1233997 #1236889 Cross-References: CVE-2024-48651 CVE-2024-57392 CVSS scores: CVE-2024-48651 (SUSE): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2024-57392 (SUSE): 5.7 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Backports SLE-15-SP6 openSUSE Backports SLE-15-SP7 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for proftpd fixes the following issues: - CVE-2024-57392: Null pointer dereference vulnerability by sending a maliciously crafted message (boo#1236889). - CVE-2024-48651: Supplemental group inheritance grants unintended access to GID 0 (boo#1233997). Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP7: zypper in -t patch openSUSE-2025-315=1 - openSUSE Backports SLE-15-SP6: zypper in -t patch openSUSE-2025-315=1 Package List: - openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64): proftpd-1.3.8d-bp157.2.3.1 proftpd-debuginfo-1.3.8d-bp157.2.3.1 proftpd-debugsource-1.3.8d-bp157.2.3.1 proftpd-devel-1.3.8d-bp157.2.3.1 proftpd-doc-1.3.8d-bp157.2.3.1 proftpd-ldap-1.3.8d-bp157.2.3.1 proftpd-ldap-debuginfo-1.3.8d-bp157.2.3.1 proftpd-mysql-1.3.8d-bp157.2.3.1 proftpd-mysql-debuginfo-1.3.8d-bp157.2.3.1 proftpd-pgsql-1.3.8d-bp157.2.3.1 proftpd-pgsql-debuginfo-1.3.8d-bp157.2.3.1 proftpd-radius-1.3.8d-bp157.2.3.1 proftpd-radius-debuginfo-1.3.8d-bp157.2.3.1 proftpd-sqlite-1.3.8d-bp157.2.3.1 proftpd-sqlite-debuginfo-1.3.8d-bp157.2.3.1 - openSUSE Backports SLE-15-SP7 (noarch): proftpd-lang-1.3.8d-bp157.2.3.1 - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64): proftpd-1.3.8d-bp156.2.6.1 proftpd-devel-1.3.8d-bp156.2.6.1 proftpd-doc-1.3.8d-bp156.2.6.1 proftpd-ldap-1.3.8d-bp156.2.6.1 proftpd-mysql-1.3.8d-bp156.2.6.1 proftpd-pgsql-1.3.8d-bp156.2.6.1 proftpd-radius-1.3.8d-bp156.2.6.1 proftpd-sqlite-1.3.8d-bp156.2.6.1 - openSUSE Backports SLE-15-SP6 (noarch): proftpd-lang-1.3.8d-bp156.2.6.1 References: https://www.suse.com/security/cve/CVE-2024-48651.html https://www.suse.com/security/cve/CVE-2024-57392.html https://bugzilla.suse.com/1233997 https://bugzilla.suse.com/1236889 . An important security update for proftpd addresses two vulnerabilities affecting openSUSE. Apply updates to mitigate risks.. openSUSE proftpd security patch update vulnerabilities. . Severity: Important. LinuxSecurity.com Team
New proftpd packages are available for Slackware 15.0 and -current to fix a security issue.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] proftpd (SSA:2026-154-03) New proftpd packages are available for Slackware 15.0 and -current to fix a security issue. Here are the details from the Slackware 15.0 ChangeLog: +--------------------------+ patches/packages/proftpd-1.3.9b-i586-1_slack15.0.txz: Upgraded. This update fixes a security issue: Additional fixes for SQL injection, notably for handling `%{env:...}` and `%{note:...}` variables. For more information, see: https://www.cve.org/CVERecord?id=CVE-2026-42167 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 15.0: ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/proftpd-1.3.9b-i586-1_slack15.0.txz Updated package for Slackware x86_64 15.0: ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/proftpd-1.3.9b-x86_64-1_slack15.0.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/proftpd-1.3.9b-i686-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/proftpd-1.3.9b-x86_64-1.txz MD5 signatures: +-------------+ Slackware 15.0 package: c1fb9d4ddf43f8619964b363c010e157 proftpd-1.3.9b-i586-1_slack15.0.txz Slackware x86_64 15.0 package: 414ccbd2e9faee806d141bf5c488cdc3 proftpd-1.3.9b-x86_64-1_slack15.0.txz Slackware -current package: 432397c14bc54c0ffd6af3f1f54da8af n/proftpd-1.3.9b-i686-1.txz Slackware x86_64 -current package: 264fbc075d665f23b1c93b652fdbec15 n/proftpd-1.3.9b-x86_64-1.txz Installationinstructions: +------------------------+ Upgrade the package as root: # upgradepkg proftpd-1.3.9b-i586-1_slack15.0.txz +-----+ . Critical proftpd update for Slackware 15.0 fixes SQL injection security issue. Immediate upgrade recommended.. proftpd update security slackware SQL injection exploit resolution. . Severity: Critical. LinuxSecurity.com Team
This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-4ddb108952 2026-05-21 01:26:51.960444+00:00 -------------------------------------------------------------------------------- Name : proftpd Product : Fedora 43 Version : 1.3.9a Release : 2.fc43 URL : http://www.proftpd.org/ Summary : Flexible, stable and highly-configurable FTP server Description : ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. -------------------------------------------------------------------------------- Update Information: This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default. -------------------------------------------------------------------------------- ChangeLog: * Mon May 11 2026 Paul Howarth - 1.3.9a-2 - Additional escaping for avoidance of SQL injection issues with %{note:...} and %{env:...}; these are on top of the existing fix for CVE-2026-42167 in 1.3.9a - Fix for SQL Injection inmod_wrap2_sql via reverse DNS hostname (CVE-2026-44331, rhbz#2466899, https://github.com/proftpd/proftpd/issues/2057) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466899 - CVE-2026-44331 proftpd: SQL injection via reverse DNS hostname [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2466899 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-4ddb108952' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-871243b391 2026-05-21 00:54:04.884676+00:00 -------------------------------------------------------------------------------- Name : proftpd Product : Fedora 44 Version : 1.3.9a Release : 2.fc44 URL : http://www.proftpd.org/ Summary : Flexible, stable and highly-configurable FTP server Description : ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. -------------------------------------------------------------------------------- Update Information: This update contains an updated mod_wrap2_sql that addresses a potential SQL injection issue when connected to from a client with a maliciously-constructed reverse DNS record (CVE-2026-44331). Note that mod_wrap2_sql is not enabled by default and the issue can only happen if UseReverseDNS is enabled, which is also off by default. -------------------------------------------------------------------------------- ChangeLog: * Mon May 11 2026 Paul Howarth - 1.3.9a-2 - Additional escaping for avoidance of SQL injection issues with %{note:...} and %{env:...}; these are on top of the existing fix for CVE-2026-42167 in 1.3.9a - Fix for SQL Injection inmod_wrap2_sql via reverse DNS hostname (CVE-2026-44331, rhbz#2466899, https://github.com/proftpd/proftpd/issues/2057) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466899 - CVE-2026-44331 proftpd: SQL injection via reverse DNS hostname [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2466899 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-871243b391' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Get the latest Linux and open source security news straight to your inbox.