Advisories » MGASA-2019-0385

Updated proftpd packages fix security vulnerability

Publication date: 13 Dec 2019
Modification date: 13 Dec 2019
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-19269

Description

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b.
A dereference of a NULL pointer may occur. This pointer is returned
by the OpenSSL sk_X509_REVOKED_value() function when encountering an
empty CRL installed by a system administrator. The dereference occurs
when validating the certificate of a client connecting to the server
in a TLS client/server mutual-authentication setup (CVE-2019-19269).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=25844
• https://www.debian.org/lts/security/2019/dla-2018
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19269

SRPMS

7/core

• proftpd-1.3.5e-4.2.mga7