ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

This update for proftpd fixes the following issues :

  - GeoIP has been discontinued by Maxmind (boo#1156210)     This update removes module build for geoip see     https://support.maxmind.com/geolite-legacy-discontinuati     on-notice/

  - CVE-2019-19269: Fixed a NULL pointer dereference may     occur when validating the certificate of a client     connecting to the server (boo#1157803)

  - CVE-2019-19270: Fixed a Failure to check for the     appropriate field of a CRL entry prevents some valid     CRLs from being taken into account (boo#1157798)

  - CVE-2019-18217: Fixed remote unauthenticated     denial-of-service due to incorrect handling of overly     long commands (boo#1154600 gh#846)

Update to 1.3.6b

  - Fixed pre-authentication remote denial-of-service issue     (Issue #846).

  - Backported fix for building mod_sql_mysql using MySQL 8     (Issue #824).

Update to 1.3.6a :

  - Fixed symlink navigation (Bug#4332).

  - Fixed building of mod_sftp using OpenSSL 1.1.x releases     (Issue#674).

  - Fixed SITE COPY honoring of <Limit> restrictions     (Bug#4372).

  - Fixed segfault on login when using mod_sftp +     mod_sftp_pam (Issue#656).

  - Fixed restarts when using mod_facl as a static module

  - Add missing Requires(pre): group(ftp) for Leap 15 and     Tumbleweed (boo#1155834)

  - Add missing Requires(pre): user(ftp) for Leap 15 and     Tumbleweed (boo#1155834)

  - Use pam_keyinit.so (boo#1144056)

  - Reduce hard dependency on systemd to only that which is     necessary for building and installation.

update to 1.3.6 :

  - Support for using Redis for caching, logging; see the     doc/howto/Redis.html documentation.

  - Fixed mod_sql_postgres SSL support (Issue #415).

  - Support building against LibreSSL instead of OpenSSL     (Issue #361).

  - Better support on AIX for login restraictions (Bug     #4285).

  - TimeoutLogin (and other timeouts) were not working     properly for SFTP connections (Bug#4299).

  - Handling of the SIGILL and SIGINT signals, by the daemon     process, now causes the child processes to be terminated     as well (Issue #461).

  - RPM .spec file naming changed to conform to Fedora     guidelines.

  - Fix for 'AllowChrootSymlinks off' checking each     component for symlinks (CVE-2017-7418).

New Modules :

  - mod_redis, mod_tls_redis, mod_wrap2_redis With Redis now     supported as a caching mechanism, similar to Memcache,     there are now Redis-using modules: mod_redis (for     configuring the Redis connection information),     mod_tls_redis (for caching SSL sessions and OCSP     information using Redis), and mod_wrap2_redis (for using     ACLs stored in Redis).

Changed Modules :

  - mod_ban: The mod_ban module's BanCache directive can now     use Redis-based caching; see     doc/contrib/mod_ban.html#BanCache.

-New Configuration Directives

  - SQLPasswordArgon2, SQLPasswordScrypt

    The key lengths for Argon2 and Scrypt-based passwords     are now configurable via these new directives;
    previously, the key length had been hardcoded to be 32     bytes, which is not interoperable with all other     implementations (Issue #454).

Changed Configuration Directives

  - AllowChrootSymlinks When 'AllowChrootSymlinks off' was     used, only the last portion of the DefaultRoot path     would be checked to see if it was a symlink. Now, each     component of the DefaultRoot path will be checked to see     if it is a symlink when 'AllowChrootSymlinks off' is     used.

  - Include The Include directive can now be used within a     <Limit> section, e.g.: <Limit LOGIN> Include     /path/to/allowed.txt DenyAll </Limit> API Changes

  - A new JSON API has been added, for use by third-party     modules.

This update for proftpd fixes the following issues :

Security issues fixed :

  - CVE-2019-12815: Fixed arbitrary file copy in mod_copy     that allowed for remote code execution and information     disclosure without authentication (bnc#1142281).

The remote host is using ProFTPD, a free FTP server for Unix and Linux.
According to its banner, the version of ProFTPD installed on the remote host is prior to 1.3.5e or 1.3.6x prior to 1.3.6rc5 and is affected by an issue where an attacker who is not granted full filesystem access may reconfigure the home directory of an FTP user.

NVD reports :

ProFTPD ... controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link.

Current upstream maintenance release for the 1.3.5 series.

Includes fix for CVE-2017-7418, where not all path elements were checked for symlinks when using a chroot, so attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

This update for proftpd to version 1.3.5d fixes the following issues :

This security issue was fixed :

  - CVE-2017-7418: ProFTPD checked only the last path     component when enforcing AllowChrootSymlinks. Attackers     with local access could bypass the AllowChrootSymlinks     control by replacing a path component (other than the     last one) with a symbolic link (bsc#1032443).

These non-security issues were fixed :

  - Reduce TLS protocols to TLSv1.1 and TLSv1.2

  - Disable TLSCACertificateFile

  - Add TLSCertificateChainFile

  - All FTP logins are treated as anonymous logins again

  - SSH rekey during authentication could have caused issues     with clients.

  - Recursive SCP uploads of multiple directories were not     handled properly.

  - LIST returned different results for file, depending on     path syntax.

  - 'AuthAliasOnly on' in server config broke anonymous     logins.

  - Fixed memory leak when mod_facl is used.

  - Fix systemd vs SysVinit inconsistency

ID	Name	Product	Family	Severity
132911	openSUSE Security Update : proftpd (openSUSE-2020-31)	Nessus	SuSE Local Security Checks	critical
127741	openSUSE Security Update : proftpd (openSUSE-2019-1836)	Nessus	SuSE Local Security Checks	critical
106756	ProFTPD < 1.3.5e / 1.3.6x < 1.3.6rc5 AllowChrootSymlinks bypass	Nessus	FTP	medium
102030	FreeBSD : proftpd -- user chroot escape vulnerability (770d7e91-72af-11e7-998a-08606e47f965)	Nessus	FreeBSD Local Security Checks	medium
101637	Fedora 26 : proftpd (2017-5a01498b4b)	Nessus	Fedora Local Security Checks	medium
99598	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : proftpd (SSA:2017-112-03)	Nessus	Slackware Local Security Checks	medium
99493	Fedora 25 : proftpd (2017-c6f424c3ff)	Nessus	Fedora Local Security Checks	medium
99446	Fedora 24 : proftpd (2017-e15e37b689)	Nessus	Fedora Local Security Checks	medium
99430	openSUSE Security Update : proftpd (openSUSE-2017-481)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2017-7418

medium

Tenable Plugins

critical

critical

medium

medium

medium

medium

medium

medium

medium