Updated proftpd packages fix security vulnerabilities
Publication date: 24 Dec 2015
Modification date: 24 Dec 2015
Type: security
Affected Mageia releases: 5
Description
Updated proftpd packages fix security vulnerability:

Part of the SFTP handshake involves "extensions", which are key/value pairs composed of strings. In SSH, strings are encoded for network transport as a 32-bit length, followed by the bytes. The mod_sftp module currently places no bounds or length limits when reading this SFTP extension key/value data from the network. An attacker might encode large values and cause the daemon to allocate more memory than is necessary, resulting in excessive resource usage or a crash of the FTP daemon (proftpd#4210).

This update also includes a fix for a crash in mod_lang (proftpd#4206).
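A bounded reader for the SSH string encoding described above, as an added example (not proftpd's code or its actual fix). The function names, the `EXT_MAX_LEN` cap of 1024 bytes and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define EXT_MAX_LEN 1024u  /* assumed per-string cap, chosen for this example */
enum { EXT_OK = 0, EXT_TRUNCATED = -1, EXT_TOO_LONG = -2 };

/* Read one SSH string (32-bit big-endian length, then that many bytes)
 * from buf at *off. Nothing is allocated: *str points into buf. */
static int read_ssh_string(const uint8_t *buf, size_t buflen, size_t *off,
                           const uint8_t **str, uint32_t *len) {
    if (buflen - *off < 4)
        return EXT_TRUNCATED;
    const uint8_t *p = buf + *off;
    uint32_t n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (n > EXT_MAX_LEN)            /* reject before trusting the length */
        return EXT_TOO_LONG;
    if (n > buflen - *off - 4)      /* claimed length exceeds data received */
        return EXT_TRUNCATED;
    *str = p + 4;
    *len = n;
    *off += 4 + (size_t)n;
    return EXT_OK;
}

/* Walk the key/value extension pairs held in buf (extension data only).
 * Returns the number of pairs, or a negative EXT_* error code. */
int count_extensions(const uint8_t *buf, size_t buflen) {
    size_t off = 0;
    int pairs = 0;
    while (off < buflen) {
        const uint8_t *key, *val;
        uint32_t klen, vlen;
        int rc = read_ssh_string(buf, buflen, &off, &key, &klen);
        if (rc == EXT_OK)
            rc = read_ssh_string(buf, buflen, &off, &val, &vlen);
        if (rc != EXT_OK)
            return rc;
        pairs++;
    }
    return pairs;
}

/* Constructed sample: one pair, key "a" and value "bc". */
const uint8_t sample_ok[] = {0, 0, 0, 1, 'a', 0, 0, 0, 2, 'b', 'c'};
/* Constructed sample: the key's length field claims 0x7fffffff bytes. */
const uint8_t sample_big[] = {0x7f, 0xff, 0xff, 0xff, 'x'};

int main(void) { return count_extensions(sample_ok, sizeof sample_ok) == 1 ? 0 : 1; }
```

The length field is checked against the cap and against the bytes actually received before it is used, so an oversized value is refused without any allocation sized by attacker-supplied data.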
References
- https://bugs.mageia.org/show_bug.cgi?id=17336
- http://bugs.proftpd.org/show_bug.cgi?id=4206
- http://bugs.proftpd.org/show_bug.cgi?id=4210
- https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171090.html
- https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173656.html
SRPMS
5/core
- proftpd-1.3.5-5.1.mga5