Message-ID: <20030923163745.GC4775@sven.home.hoaxter.de>
From: sven at timegate.de (Sven Hoexter)
Subject: [tj@...taglia.org: [Proftpd-user] ProFTPD Remote Exploit]
FYI
----- Forwarded message from TJ Saunders <tj@...taglia.org> -----
Date: Tue, 23 Sep 2003 07:46:01 -0700 (PDT)
From: TJ Saunders <tj@...taglia.org>
To: proftp-announce@...ts.sourceforge.net
Cc: proftp-devel@...ts.sourceforge.net, proftp-user@...ts.sourceforge.net
Subject: [Proftpd-user] ProFTPD Remote Exploit
Hello, ProFTPD community. The ProFTPD Project team must make the
following announcement:
X-Force Research at ISS (www.iss.net) has discovered a bug in ProFTPD's
handling of ASCII translation. An attacker, by downloading a carefully
crafted file, can remotely exploit this bug to create a root shell:
http://xforce.iss.net/xforce/alerts/id/154
The source distributions on the project FTP server have been replaced
with patched versions (hence the 'p' in the filenames); the MD5
checksums and PGP signatures for these patched distributions are listed
below. The old RPMs have been deleted, and new RPMs provided. All
snapshots have been removed from the server.
All ProFTPD users are strongly encouraged to upgrade to one of these
distributions as soon as possible.
The ProFTPD Project team would like to heartily thank the X-Force
engineers for the responsible and professional way in which they
reported the vulnerability, and worked with the ProFTPD Project team to
address this issue.
The patched distributions, including PGP signatures and MD5 sums, will
soon be available from any of the proftpd mirrors. Mirrors are
available via FTP as:
ftp.<two_letter_iso_country_code>.proftpd.org
(example: ftp.nl.proftpd.org). Not all countries have mirrors;
however, you should select one that is geographically close to you.
The MD5 sums for the source tarballs are:
ca6bbef30253a8af0661fdc618677e5c proftpd-1.2.7p.tar.bz2
677adebba98488fb6c232f7de898b58a proftpd-1.2.7p.tar.gz
417e41092610816bd203c3766e96f23b proftpd-1.2.8p.tar.bz2
abf8409bbd9150494bc1847ace06857a proftpd-1.2.8p.tar.gz
b89c44467f85eea41f8b1df17f8a0faa proftpd-1.2.9rc1p.tar.bz2
14ab9868666d68101ed942717a1632d1 proftpd-1.2.9rc1p.tar.gz
27e3f62a5615999adbbebcefa92b4510 proftpd-1.2.9rc2p.tar.bz2
9ce26b461b2fa3d986c9822b85c94e5f proftpd-1.2.9rc2p.tar.gz
The PGP signatures for the source tarballs are:
My PGP key has been used to sign the source tarballs as well as this
announcement; it is available via MIT's public keyserver.
----- End forwarded message -----
===========================================
And from a later mail:
byg> BTW, how about versions prior to 1.2.7?
They are believed to not have this bug. I would recommend upgrading to
one of the patched releases, just to be certain.
TJ
==========================================
Sven
--
http://www.comboguano.de
http://sven.linux-ist-pleite.de
I'm root, if you see me laughing you better have a backup!
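The announcement above asks users to fetch one of the patched ('p') tarballs from a mirror and check it against the published MD5 sums. The following script is an added example, not code from the advisory or from the ProFTPD project: it rejects an archive whose name lacks the 'p' suffix (the vulnerable release) or whose MD5 does not match the table in the announcement. It checks MD5 only; the PGP signatures still need to be verified against the signer's key separately.

```python
# Added example: validate a ProFTPD tarball name and MD5 against the sums in the advisory.
import hashlib
import os
import re

# MD5 sums copied verbatim from the announcement, keyed by patched tarball name.
PUBLISHED_MD5 = {
    "proftpd-1.2.7p.tar.bz2": "ca6bbef30253a8af0661fdc618677e5c",
    "proftpd-1.2.7p.tar.gz": "677adebba98488fb6c232f7de898b58a",
    "proftpd-1.2.8p.tar.bz2": "417e41092610816bd203c3766e96f23b",
    "proftpd-1.2.8p.tar.gz": "abf8409bbd9150494bc1847ace06857a",
    "proftpd-1.2.9rc1p.tar.bz2": "b89c44467f85eea41f8b1df17f8a0faa",
    "proftpd-1.2.9rc1p.tar.gz": "14ab9868666d68101ed942717a1632d1",
    "proftpd-1.2.9rc2p.tar.bz2": "27e3f62a5615999adbbebcefa92b4510",
    "proftpd-1.2.9rc2p.tar.gz": "9ce26b461b2fa3d986c9822b85c94e5f",
}

# Any ProFTPD 1.2.x source tarball name; group 1 captures the 'p' suffix if present.
TARBALL_RE = re.compile(r"proftpd-1\.2\.\d+(?:rc\d+)?(p?)\.tar\.(?:gz|bz2)")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def check_bytes(name, data, published=PUBLISHED_MD5):
    """Return (ok, reason) for an archive called `name` whose contents are `data`."""
    m = TARBALL_RE.fullmatch(name)
    if m is None:
        return False, "not a ProFTPD 1.2.x source tarball name"
    if m.group(1) != "p":
        return False, "unpatched release (no 'p' suffix): vulnerable, do not install"
    expected = published.get(name)
    if expected is None:
        return False, "patched-looking name but no published MD5 sum for it"
    actual = md5_hex(data)
    if actual != expected:
        return False, f"MD5 mismatch: expected {expected}, got {actual}"
    return True, "MD5 matches the published sum"

def check_tarball(path, published=PUBLISHED_MD5):
    """File-based wrapper around check_bytes (the archives are small enough to read whole)."""
    with open(path, "rb") as f:
        return check_bytes(os.path.basename(path), f.read(), published)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        ok, why = check_tarball(p)
        print(f"{'OK ' if ok else 'BAD'} {p}: {why}")
```

Run it as `python3 check_proftpd.py proftpd-1.2.8p.tar.gz` after downloading from a mirror; a "BAD" verdict means the archive must not be built.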