lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1E4qvx-0003D9-Df@mercury.mandriva.com>
Date: Mon, 15 Aug 2005 20:12:09 -0600
From: Mandriva Security Team <security@...driva.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2005:140 - Updated proftpd packages fix format string vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           proftpd
 Advisory ID:            MDKSA-2005:140
 Date:                   August 15th, 2005

 Affected versions:	 10.0, 10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 Two format string vulnerabilities were discovered in ProFTPD.  The
 first exists when displaying a shutdown message containin the name of
 the current directory.  This could be exploited by a user who creates
 a directory containing format specifiers and sets the directory as the
 current directory when the shutdown message is being sent.
 
 The second exists when displaying response messages to the cleint using
 information retreived from a database using mod_sql.  Note that mod_sql
 support is not enabled by default, but the contrib source file has been
 patched regardless.
 
 The updated packages have been patched to correct these problems.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2390
  http://secunia.com/advisories/16181
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 9754b8d4357f6843ed9f613d1daeca4e  10.0/RPMS/proftpd-1.2.9-3.3.100mdk.i586.rpm
 9009783efdf84c2f92a988e6268f0631  10.0/RPMS/proftpd-anonymous-1.2.9-3.3.100mdk.i586.rpm
 cef8ec2cd6a3ec3c1e2b737221cbf97c  10.0/SRPMS/proftpd-1.2.9-3.3.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 23c5bf83875f00ab5f554029c6aa9177  amd64/10.0/RPMS/proftpd-1.2.9-3.3.100mdk.amd64.rpm
 80b34a20f86d090c0b1f19972f213af8  amd64/10.0/RPMS/proftpd-anonymous-1.2.9-3.3.100mdk.amd64.rpm
 cef8ec2cd6a3ec3c1e2b737221cbf97c  amd64/10.0/SRPMS/proftpd-1.2.9-3.3.100mdk.src.rpm

 Mandrakelinux 10.1:
 68039b1c9e9090856e8e93c11edc3c10  10.1/RPMS/proftpd-1.2.10-2.1.101mdk.i586.rpm
 0952d937b0d8432eeb365ea07ba267b9  10.1/RPMS/proftpd-anonymous-1.2.10-2.1.101mdk.i586.rpm
 fafda6527589ac244691743278c5fb2f  10.1/SRPMS/proftpd-1.2.10-2.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 1c37bda199475b68dae530c06285222f  x86_64/10.1/RPMS/proftpd-1.2.10-2.1.101mdk.x86_64.rpm
 4e2c3f72c6bc1710e82f81d919df4a0d  x86_64/10.1/RPMS/proftpd-anonymous-1.2.10-2.1.101mdk.x86_64.rpm
 fafda6527589ac244691743278c5fb2f  x86_64/10.1/SRPMS/proftpd-1.2.10-2.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 62c9ac6c9f9cefe3ae26d00287430abd  10.2/RPMS/proftpd-1.2.10-9.1.102mdk.i586.rpm
 77020ac5c67cf4ed616a4d858cbdca61  10.2/RPMS/proftpd-anonymous-1.2.10-9.1.102mdk.i586.rpm
 332bc621d075cce043964146d874eefc  10.2/SRPMS/proftpd-1.2.10-9.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 9077e02a37afaeef184095d5e32d4795  x86_64/10.2/RPMS/proftpd-1.2.10-9.1.102mdk.x86_64.rpm
 6f7e7a053d2a8d3872efdd87dcf1227f  x86_64/10.2/RPMS/proftpd-anonymous-1.2.10-9.1.102mdk.x86_64.rpm
 332bc621d075cce043964146d874eefc  x86_64/10.2/SRPMS/proftpd-1.2.10-9.1.102mdk.src.rpm

 Corporate 3.0:
 ed09c8c53d71e04c21ffaf1d647722c1  corporate/3.0/RPMS/proftpd-1.2.9-3.3.C30mdk.i586.rpm
 5885b14d6817c11ef29c03aed76cb61f  corporate/3.0/RPMS/proftpd-anonymous-1.2.9-3.3.C30mdk.i586.rpm
 b71bb2a58e0ac2d224c2fc332fbccdc7  corporate/3.0/SRPMS/proftpd-1.2.9-3.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 96d72d9503f3b7f86d7b162453f9f25c  x86_64/corporate/3.0/RPMS/proftpd-1.2.9-3.3.C30mdk.x86_64.rpm
 eff847004e164052d380b9937ec641ee  x86_64/corporate/3.0/RPMS/proftpd-anonymous-1.2.9-3.3.C30mdk.x86_64.rpm
 b71bb2a58e0ac2d224c2fc332fbccdc7  x86_64/corporate/3.0/SRPMS/proftpd-1.2.9-3.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDAUt5mqjQ0CJFipgRAqCQAKDYxGSSDQIrxuL9LnqxWOo5vl/fwgCdFevV
WMVFZhi3wVbAG3ShLkcuKts=
=VlqT
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ