Jez Hancock
2003-Sep-23 17:14 UTC
[da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]
Recent proftpd security vulnerability release FYI. Ports has the latest patched proftpd distribution.
-- 
Jez
http://www.munk.nu/
-------------- next part --------------
An embedded message was scrubbed...
From: Dave Ahmad <da@securityfocus.com>
Subject: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)
Date: Tue, 23 Sep 2003 10:25:54 -0600 (MDT)
Size: 4588
Url: http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030924/8df8d723/attachment.eml
Jez Hancock
2003-Sep-23 17:19 UTC
[da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]
Apologies for double post!
Haesu
2003-Sep-23 23:19 UTC
[da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]
I just want to clarify...

# $FreeBSD: ports/ftp/proftpd/Makefile,v 1.56 2003/09/23 18:42:43 mharo Exp $
#

PORTNAME=	proftpd
PORTVERSION=	1.2.8
PORTREVISION=	1

Is that the updated port that fixes the vulnerability? It's still 1.2.8, but I think this is the patched version, since the RCS ID shows 9/23, which is yesterday.

Thanks,
-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN

On Wed, Sep 24, 2003 at 01:13:58AM +0100, Jez Hancock wrote:
> Recent proftpd security vulnerability release FYI. Ports has the latest
> patched proftpd distribution.
> -- 
> Jez
> 
> http://www.munk.nu/
> Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq@securityfocus.com>
> List-Help: <mailto:bugtraq-help@securityfocus.com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
> List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
> Delivered-To: mailing list bugtraq@securityfocus.com
> Delivered-To: moderator for bugtraq@securityfocus.com
> Date: Tue, 23 Sep 2003 10:25:54 -0600 (MDT)
> From: Dave Ahmad <da@securityfocus.com>
> To: bugtraq@securityfocus.com
> Subject: ISS Security Brief: ProFTPD ASCII File Remote Compromise
>     Vulnerability (fwd)
> X-Spam-Score: -103.8 (---------------------------------------------------)
> X-Spam-Status: No, hits=-103.8 required=6.0
>     tests=KNOWN_MAILING_LIST,PGP_SIGNATURE,USER_AGENT_PINE,
>     USER_IN_WHITELIST
>     version=2.55
> X-Spam-Level: 
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Internet Security Systems Security Brief
> September 23, 2003
> 
> ProFTPD ASCII File Remote Compromise Vulnerability
> 
> Synopsis:
> 
> ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD
> is a highly configurable FTP (File Transfer Protocol) server for Unix
> that allows for per-directory access restrictions, easy configuration of
> virtual FTP servers, and support for multiple authentication mechanisms.
> A flaw exists in the ProFTPD component that handles incoming ASCII file
> transfers.
> 
> Impact:
> 
> An attacker capable of uploading files to the vulnerable system can
> trigger a buffer overflow and execute arbitrary code to gain complete
> control of the system. Attackers may use this vulnerability to destroy,
> steal, or manipulate data on vulnerable FTP sites.
> 
> Affected Versions:
> 
> ProFTPD 1.2.7
> ProFTPD 1.2.8
> ProFTPD 1.2.8rc1
> ProFTPD 1.2.8rc2
> ProFTPD 1.2.9rc1
> ProFTPD 1.2.9rc2
> 
> Note: Versions previous to version 1.2.7 may also be vulnerable.
> 
> For the complete ISS X-Force Security Advisory, please visit:
> http://xforce.iss.net/xforce/alerts/id/154
> 
> ______
> 
> About Internet Security Systems (ISS)
> Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
> pioneer and world leader in software and services that protect critical
> online resources from an ever-changing spectrum of threats and misuse.
> Internet Security Systems is headquartered in Atlanta, GA, with
> additional operations throughout the Americas, Asia, Australia, Europe
> and the Middle East.
> 
> Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
> worldwide.
> 
> Permission is hereby granted for the electronic redistribution of this
> document. It is not to be edited or altered in any way without the
> express written consent of the Internet Security Systems X-Force. If you
> wish to reprint the whole or any part of this document in any other
> medium excluding electronic media, please email xforce@iss.net for
> permission.
> 
> Disclaimer: The information within this paper may change without notice.
> Use of this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties, implied or otherwise, with regard to
> this information or its use. Any use of this information is at the
> user's risk. In no event shall the author/distributor (Internet Security
> Systems X-Force) be held liable for any damages whatsoever arising out
> of or in connection with the use or spread of this information.
> X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
> as well as at http://www.iss.net/security_center/sensitive.php
> Please send suggestions, updates, and comments to: X-Force
> xforce@iss.net of Internet Security Systems, Inc.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> 
> iQCVAwUBP3BeFTRfJiV99eG9AQG2ngP/XopPpEYCbR6HSYhObaK+c2D32kwfiQEP
> CJqXmoljU661kBKvL2RclLF8tutegL3T44/5utBuVgzCWALSRrJiJgZMWafRtE7m
> lnl7V5Rzo7aEBxhmiaOqdLoNgzNd8NTtSkPrcFQZxjrQe9FvpIgsyiuY6ADNoDfH
> mXStpCwCFWg
> =TZR3
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
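Haesu's question, whether a proftpd port that still says PORTVERSION 1.2.8 but carries PORTREVISION 1 is the patched build, turns on how the ports tree names packages (PORTVERSION, then _PORTREVISION, then ,PORTEPOCH). The following is an added example, not code from this thread or from the FreeBSD ports framework: it reads the quoted Makefile header, forms the package version and checks an installed version against it using an approximation of pkg_version(1) ordering. The advisory's affected list supplies the caveat built into the last function: an upstream 1.2.9rc2 sorts above 1.2.8_1 yet is still vulnerable, so the check only says whether the port build is current.

```python
import re

# Constructed sample input: the port Makefile header quoted in the thread above.
PORT_MAKEFILE = """\
# $FreeBSD: ports/ftp/proftpd/Makefile,v 1.56 2003/09/23 18:42:43 mharo Exp $
#
PORTNAME=	proftpd
PORTVERSION=	1.2.8
PORTREVISION=	1
"""
PRERELEASE = {"alpha": 1, "beta": 2, "pre": 3, "rc": 4}  # all sort below a plain release

def parse_port_vars(text):
    """Collect simple VAR= value assignments from a port Makefile."""
    assigns = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z_]+)\s*[?:+]?=\s*(.*?)\s*$", line)
        if m:
            assigns[m.group(1)] = m.group(2)
    return assigns

def package_version(port_vars):
    """Package version as bsd.port.mk forms it: PORTVERSION[_PORTREVISION][,PORTEPOCH]."""
    ver = port_vars["PORTVERSION"]
    rev, epoch = int(port_vars.get("PORTREVISION", 0)), int(port_vars.get("PORTEPOCH", 0))
    return ver + (f"_{rev}" if rev else "") + (f",{epoch}" if epoch else "")

def version_key(pkgver, width=8):
    """Comparable key approximating pkg_version(1) ordering: epoch, then the dotted
    version (digits numeric; rc/beta/... sort below a release), then PORTREVISION."""
    main, _, epoch = pkgver.partition(",")
    main, _, rev = main.partition("_")
    toks = []
    for tok in re.findall(r"\d+|[A-Za-z]+", main):
        if tok.isdigit():
            toks.append((1, int(tok)))
        else:  # rc/beta/... rank below a release; any other letter suffix ranks just above it
            toks.append((-1, PRERELEASE[tok.lower()]) if tok.lower() in PRERELEASE else (0, tok.lower()))
    toks += [(0, "")] * (width - len(toks))  # pad so 1.2.9 > 1.2.9rc1 and 1.2.8.1 > 1.2.8
    return (int(epoch or 0), toks, int(rev or 0))

def needs_update(installed, fixed_in):
    """True when the installed package sorts below the port revision carrying the fix.
    Caveat: this judges the port build only; an upstream 1.2.9rc2 is newer than
    1.2.8_1 but is in the advisory's affected list, so 'newer' is not 'fixed'."""
    return version_key(installed) < version_key(fixed_in)

if __name__ == "__main__":
    fixed = package_version(parse_port_vars(PORT_MAKEFILE))
    for have in ("1.2.7", "1.2.8", "1.2.8_1"):
        print(f"proftpd-{have}:", "update needed" if needs_update(have, fixed) else "current")
```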