lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20030923163745.GC4775@sven.home.hoaxter.de>
From: sven at timegate.de (Sven Hoexter)
Subject: [tj@...taglia.org: [Proftpd-user] ProFTPD Remote Exploit]

FYI

----- Forwarded message from TJ Saunders <tj@...taglia.org> -----

Date: Tue, 23 Sep 2003 07:46:01 -0700 (PDT)
From: TJ Saunders <tj@...taglia.org>
To: proftp-announce@...ts.sourceforge.net
Cc: proftp-devel@...ts.sourceforge.net, proftp-user@...ts.sourceforge.net
Subject: [Proftpd-user] ProFTPD Remote Exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, ProFTPD community. The ProFTPD Project team must make the
following announcement:

X-Force Research at ISS (www.iss.net) has discovered a bug in ProFTPD's
handling of ASCII translation.  An attacker, by downloading a carefully
crafted file, can remotely exploit this bug to create a root shell:

  http://xforce.iss.net/xforce/alerts/id/154

The source distributions on the project FTP server have been replaced
with patched versions (hence the 'p' in the filenames); the MD5
checksums and PGP signatures for these patched distributions are listed
below.  The old RPMs have been deleted, and new RPMs provided.  All
snapshots have been removed from the server.

All ProFTPD users are strongly encouraged to upgrade to one of these
distributions as soon as possible.

The ProFTPD Project team would like to heartily thank the X-Force
engineers for the responsible and professional way in which they
reported the vulnerability, and worked with the ProFTPD Project team to
address this issue.

The patched distributions, including PGP signatures and MD5 sums, will
soon be available from any of the proftpd mirrors.  Mirrors are
available via FTP as:

  ftp.<two_letter_iso_country_code>.proftpd.org

(example: ftp.nl.proftpd.org).  Not all countries have mirrors;
however you should select one that is geographically close to you.

The MD5 sums for the source tarballs are:

  ca6bbef30253a8af0661fdc618677e5c  proftpd-1.2.7p.tar.bz2
  677adebba98488fb6c232f7de898b58a  proftpd-1.2.7p.tar.gz
  417e41092610816bd203c3766e96f23b  proftpd-1.2.8p.tar.bz2
  abf8409bbd9150494bc1847ace06857a  proftpd-1.2.8p.tar.gz
  b89c44467f85eea41f8b1df17f8a0faa  proftpd-1.2.9rc1p.tar.bz2
  14ab9868666d68101ed942717a1632d1  proftpd-1.2.9rc1p.tar.gz
  27e3f62a5615999adbbebcefa92b4510  proftpd-1.2.9rc2p.tar.bz2
  9ce26b461b2fa3d986c9822b85c94e5f  proftpd-1.2.9rc2p.tar.gz

The PGP signatures for the source tarballs are:

  proftpd-1.2.7p.tar.bz2:

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUAP2+XJbeOiT+lEZdqEQJCuACgjIqCnaiEnwTN9/X1S2XxhRilbCUAnRwb
    eupCsaIMU9E/XB1SotySMAeM
    =MCrF
    -----END PGP SIGNATURE-----

  proftpd-1.2.7p.tar.gz:

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUAP2+XCreOiT+lEZdqEQJz1ACgz2Z0NIsGc5koqdAaSsmOVAtcPjIAoIUl
    qjJUxv/8FlNqe7PrstNwJxJ1
    =kUMM
    -----END PGP SIGNATURE-----

  proftpd-1.2.8p.tar.bz2:

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUAP2+XKbeOiT+lEZdqEQJkdwCgwvAvCsexFTi2jUUNJOaKAxyy9D0AoLOh
    HL55kzPx+IoMzQZ8N2ZyDm8W
    =CXRV
    -----END PGP SIGNATURE-----

  proftpd-1.2.8p.tar.gz:

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUAP2+XEbeOiT+lEZdqEQJWDQCfaTrJw1TszG1pqcNcHrjjFv5t/14AoLKw
    wA5+sD8vreT1Q7Nv1KuX3ttQ
    =lIhI
    -----END PGP SIGNATURE-----

  proftpd-1.2.9rc1p.tar.bz2:

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUAP2+XLbeOiT+lEZdqEQJcAgCgjHAVTJ9Gfk82XpCoWZ6Aydc2/6MAoIS+
    CizbSVdgZtCAMB8lBf68ldiQ
    =x5sf
    -----END PGP SIGNATURE-----

  proftpd-1.2.9rc1p.tar.gz:

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUAP2+XFbeOiT+lEZdqEQL89QCgjNsnNh9yTDzSv3gGsduvps850eYAoJcY
    9e+UykVc3pqUByzEpskd3tnN
    =zOxx
    -----END PGP SIGNATURE-----

  proftpd-1.2.9rc2p.tar.bz2:

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUAP2+XMbeOiT+lEZdqEQKZDACeNmNmMi5GpoMpxZ3bCQkzJox9P88AoOhE
    96Z2dRyVg+olgMfILsLGTgyH
    =sZq5
    -----END PGP SIGNATURE-----

  proftpd-1.2.9rc2p.tar.gz:

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUAP2+XGLeOiT+lEZdqEQILWQCeN2BB/f3euf2Jw3WhG/s2SX/Zni0An3Md
    YDBSMvQ1WG4/XV+EUrPR07a5
    =cOs7
    -----END PGP SIGNATURE-----

My PGP key has been used to sign the source tarballs as well as this
announcement; it is available via MIT's public keyserver.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBP3Bgo7eOiT+lEZdqEQKc7wCgjNunSMRpnlENcIfvD7HJQ3ztR+0AmgP6
TAtnk6j+hNgJxnb6fMWr9PpO
=5hhJ
-----END PGP SIGNATURE-----


----- End forwarded message -----

===========================================
And from a later mail:
byg> BTW, how about versions prior to 1.2.7?

They are believed to not have this bug.  I would recommend upgrading to
one of the patched releases, just to be certain.

TJ
==========================================

Sven
-- 
http://www.comboguano.de
http://sven.linux-ist-pleite.de
I'm root, if you see me laughing you better have a backup!
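The MD5 sums and PGP signatures in the forwarded announcement only help if someone actually checks them before building a patched tarball. The script below is an added example, not code from the ProFTPD project or from either mail: it parses an md5sum(1)-style list (the advisory's eight entries, copied verbatim), computes the digest of whichever tarballs are present in a download directory, compares in constant time, and reports OK, FAILED or MISSING per file. MD5 has not been collision-resistant for years, so treat this as a download-corruption check only; the PGP signature on each tarball (verified against the key the announcement names on MIT's keyserver) remains the authority for origin. The function names `parse_md5sum_list`, `verify_downloads` and the `self_check` helper, and the files `self_check` constructs, are this example's own.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# The eight entries below are copied verbatim from the advisory's checksum list.
ADVISORY_MD5SUMS = """\
ca6bbef30253a8af0661fdc618677e5c  proftpd-1.2.7p.tar.bz2
677adebba98488fb6c232f7de898b58a  proftpd-1.2.7p.tar.gz
417e41092610816bd203c3766e96f23b  proftpd-1.2.8p.tar.bz2
abf8409bbd9150494bc1847ace06857a  proftpd-1.2.8p.tar.gz
b89c44467f85eea41f8b1df17f8a0faa  proftpd-1.2.9rc1p.tar.bz2
14ab9868666d68101ed942717a1632d1  proftpd-1.2.9rc1p.tar.gz
27e3f62a5615999adbbebcefa92b4510  proftpd-1.2.9rc2p.tar.bz2
9ce26b461b2fa3d986c9822b85c94e5f  proftpd-1.2.9rc2p.tar.gz
"""

HEX = set("0123456789abcdef")


def parse_md5sum_list(text):
    """Parse 'md5hex  filename' lines (the md5sum(1) layout) into {filename: digest}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # digest, then filename ('*name' in binary mode)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 32 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        if name in sums and sums[name] != digest:
            raise ValueError(f"conflicting digests listed for {name}")
        sums[name] = digest
    return sums


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so a large tarball is never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, expected):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every entry in expected."""
    results = {}
    for name, digest in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(md5_of_file(path), digest):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def self_check():
    """Exercise the verifier on constructed files in a temporary directory.

    Returns (advisory_results, sample_results): the advisory list checked against
    a directory holding one deliberately wrong 'proftpd-1.2.7p.tar.gz', and a
    constructed sample file checked against its own freshly computed digest.
    """
    with tempfile.TemporaryDirectory() as d:
        bogus = Path(d) / "proftpd-1.2.7p.tar.gz"
        bogus.write_bytes(b"constructed placeholder, not the real tarball\n")
        advisory_results = verify_downloads(d, parse_md5sum_list(ADVISORY_MD5SUMS))

        payload = b"constructed sample contents\n"
        (Path(d) / "sample.tar.gz").write_bytes(payload)
        sample_results = verify_downloads(
            d, {"sample.tar.gz": hashlib.md5(payload).hexdigest()})
    return advisory_results, sample_results


if __name__ == "__main__":
    import sys
    # Usage: python verify_proftpd.py <download_dir>; with no argument, run the self-check.
    if len(sys.argv) > 1:
        report = verify_downloads(sys.argv[1], parse_md5sum_list(ADVISORY_MD5SUMS))
    else:
        report = self_check()[0]
    for name, status in sorted(report.items()):
        print(f"{status:8s} {name}")
    sys.exit(0 if all(s == "OK" for s in report.values()) else 1)
```

Run it against the directory holding the downloaded tarballs; a non-zero exit means at least one listed file is absent or does not match, and only files that report OK should go on to `gpg --verify` against the detached signatures. The parser accepts both the two-space text-mode and the `*`-prefixed binary-mode layouts that md5sum emits, and rejects lines that are not a 32-digit hex digest followed by a name, so a truncated or edited list fails loudly instead of silently verifying nothing.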
