[gentoo-announce] [ GLSA 201908-16 ] ProFTPD: Remote code execution - gentoo-announce

From:	Aaron Bauman <bman@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201908-16 ] ProFTPD: Remote code execution
Date:	Thu, 15 Aug 2019 16:34:12
Message-Id:	`20190815155804.GK861995@bubba.lan`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201908-16

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: High

8

    Title: ProFTPD: Remote code execution

9

     Date: August 15, 2019

10

     Bugs: #690528

11

       ID: 201908-16

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability in ProFTPD could result in the arbitrary execution of

19

code.

20

21

Background

22

==========

23

24

ProFTPD is an advanced and very configurable FTP server.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  net-ftp/proftpd             < 1.3.6-r5               >= 1.3.6-r5 

33

34

Description

35

===========

36

37

It was discovered that ProFTPD's "mod_copy" module does not properly

38

restrict privileges for anonymous users.

39

40

Impact

41

======

42

43

A remote attacker, by anonymously uploading a malicious file, could

44

possibly execute arbitrary code with the privileges of the process,

45

cause a Denial of Service condition or disclose information.

46

47

Workaround

48

==========

49

50

There is no known workaround at this time.

51

52

Resolution

53

==========

54

55

All ProFTPD users should upgrade to the latest version:

56

57

  # emerge --sync

58

  # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.6-r5"

59

60

References

61

==========

62

63

[ 1 ] CVE-2019-12815

64

      https://nvd.nist.gov/vuln/detail/CVE-2019-12815

65

66

Availability

67

============

68

69

This GLSA and any updates to it are available for viewing at

70

the Gentoo Security Website:

71

72

 https://security.gentoo.org/glsa/201908-16

73

74

Concerns?

75

=========

76

77

Security is a primary focus of Gentoo Linux and ensuring the

78

confidentiality and security of our users' machines is of utmost

79

importance to us. Any security concerns should be addressed to

80

security@g.o or alternatively, you may file a bug at

81

https://bugs.gentoo.org.

82

83

License

84

=======

85

86

Copyright 2019 Gentoo Foundation, Inc; referenced text

87

belongs to its owner(s).

88

89

The contents of this document are licensed under the

90

Creative Commons - Attribution / Share Alike license.

91

92

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201908-16
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: ProFTPD: Remote code execution
9	Date: August 15, 2019
10	Bugs: #690528
11	ID: 201908-16
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability in ProFTPD could result in the arbitrary execution of
19	code.
20
21	Background
22	==========
23
24	ProFTPD is an advanced and very configurable FTP server.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 net-ftp/proftpd < 1.3.6-r5 >= 1.3.6-r5
33
34	Description
35	===========
36
37	It was discovered that ProFTPD's "mod_copy" module does not properly
38	restrict privileges for anonymous users.
39
40	Impact
41	======
42
43	A remote attacker, by anonymously uploading a malicious file, could
44	possibly execute arbitrary code with the privileges of the process,
45	cause a Denial of Service condition or disclose information.
46
47	Workaround
48	==========
49
50	There is no known workaround at this time.
51
52	Resolution
53	==========
54
55	All ProFTPD users should upgrade to the latest version:
56
57	# emerge --sync
58	# emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.6-r5"
59
60	References
61	==========
62
63	[ 1 ] CVE-2019-12815
64	https://nvd.nist.gov/vuln/detail/CVE-2019-12815
65
66	Availability
67	============
68
69	This GLSA and any updates to it are available for viewing at
70	the Gentoo Security Website:
71
72	https://security.gentoo.org/glsa/201908-16
73
74	Concerns?
75	=========
76
77	Security is a primary focus of Gentoo Linux and ensuring the
78	confidentiality and security of our users' machines is of utmost
79	importance to us. Any security concerns should be addressed to
80	security@g.o or alternatively, you may file a bug at
81	https://bugs.gentoo.org.
82
83	License
84	=======
85
86	Copyright 2019 Gentoo Foundation, Inc; referenced text
87	belongs to its owner(s).
88
89	The contents of this document are licensed under the
90	Creative Commons - Attribution / Share Alike license.
91
92	https://creativecommons.org/licenses/by-sa/2.5