Stay Secure with the Latest Linux Advisories

security advisorysecurity issuecritical

Fedora 25: Critical ProFTPD CVE-2017-7418 Symlink Bypass Fix

Current upstream maintenance release for the 1.3.5 series. Includes fix for CVE-2017-7418, where not all path elements were checked for symlinks when using a chroot, so attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2017-c6f424c3ff 2017-04-19 03:08:24.316658 --------------------------------------------------------------------------------Name : proftpd Product : Fedora 25 Version : 1.3.5e Release : 1.fc25 URL : http://www.proftpd.org/ Summary : Flexible, stable and highly-configurable FTP server Description : ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. --------------------------------------------------------------------------------Update Information: Current upstream maintenance release for the 1.3.5 series. Includes fix for CVE-2017-7418, where not all path elements were checked for symlinks when using a chroot, so attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. --------------------------------------------------------------------------------References: [ 1 ] Bug #1439693 - CVE-2017-7418 proftpd: AllowChrootSymlinks control bypass https://bugzilla.redhat.com/show_bug.cgi?id=1439693 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program.Use su -c 'dnf upgrade proftpd' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. . Important security patch for proftpd in Fedora 25 resolves CVE-2017-7418, addressing vulnerabilities related to symlink bypass exploits.. proftpd security update,Fedora 25 advisory,symlink fix. . Severity: Critical. LinuxSecurity.com Team

Apr 19, 2017 •Critical Fedora