http://bugs.proftpd.org/show_bug.cgi?id=4372

openSUSE-SU-2019:1836

openSUSE-SU-2019:1870

openSUSE-SU-2020:0031

109339

https://cert-portal.siemens.com/productcert/pdf/ssa-940889.pdf

https://github.com/proftpd/proftpd/pull/816

[debian-lts-announce] 20190807 [SECURITY] [DLA 1873-1] proftpd-dfsg security update

FEDORA-2019-e9187610c3

FEDORA-2019-82b0f48691

20190805 [SECURITY] [DSA 4491-1] proftpd-dfsg security update

GLSA-201908-16

https://tbspace.de/cve201912815proftpd.html

DSA-4491

This update for proftpd fixes the following issues :

  - GeoIP has been discontinued by Maxmind (boo#1156210)     This update removes module build for geoip see     https://support.maxmind.com/geolite-legacy-discontinuati     on-notice/

  - CVE-2019-19269: Fixed a NULL pointer dereference may     occur when validating the certificate of a client     connecting to the server (boo#1157803)

  - CVE-2019-19270: Fixed a Failure to check for the     appropriate field of a CRL entry prevents some valid     CRLs from being taken into account (boo#1157798)

  - CVE-2019-18217: Fixed remote unauthenticated     denial-of-service due to incorrect handling of overly     long commands (boo#1154600 gh#846)

Update to 1.3.6b

  - Fixed pre-authentication remote denial-of-service issue     (Issue #846).

  - Backported fix for building mod_sql_mysql using MySQL 8     (Issue #824).

Update to 1.3.6a :

  - Fixed symlink navigation (Bug#4332).

  - Fixed building of mod_sftp using OpenSSL 1.1.x releases     (Issue#674).

  - Fixed SITE COPY honoring of <Limit> restrictions     (Bug#4372).

  - Fixed segfault on login when using mod_sftp +     mod_sftp_pam (Issue#656).

  - Fixed restarts when using mod_facl as a static module

  - Add missing Requires(pre): group(ftp) for Leap 15 and     Tumbleweed (boo#1155834)

  - Add missing Requires(pre): user(ftp) for Leap 15 and     Tumbleweed (boo#1155834)

  - Use pam_keyinit.so (boo#1144056)

  - Reduce hard dependency on systemd to only that which is     necessary for building and installation.

update to 1.3.6 :

  - Support for using Redis for caching, logging; see the     doc/howto/Redis.html documentation.

  - Fixed mod_sql_postgres SSL support (Issue #415).

  - Support building against LibreSSL instead of OpenSSL     (Issue #361).

  - Better support on AIX for login restraictions (Bug     #4285).

  - TimeoutLogin (and other timeouts) were not working     properly for SFTP connections (Bug#4299).

  - Handling of the SIGILL and SIGINT signals, by the daemon     process, now causes the child processes to be terminated     as well (Issue #461).

  - RPM .spec file naming changed to conform to Fedora     guidelines.

  - Fix for 'AllowChrootSymlinks off' checking each     component for symlinks (CVE-2017-7418).

New Modules :

  - mod_redis, mod_tls_redis, mod_wrap2_redis With Redis now     supported as a caching mechanism, similar to Memcache,     there are now Redis-using modules: mod_redis (for     configuring the Redis connection information),     mod_tls_redis (for caching SSL sessions and OCSP     information using Redis), and mod_wrap2_redis (for using     ACLs stored in Redis).

Changed Modules :

  - mod_ban: The mod_ban module's BanCache directive can now     use Redis-based caching; see     doc/contrib/mod_ban.html#BanCache.

-New Configuration Directives

  - SQLPasswordArgon2, SQLPasswordScrypt

    The key lengths for Argon2 and Scrypt-based passwords     are now configurable via these new directives;
    previously, the key length had been hardcoded to be 32     bytes, which is not interoperable with all other     implementations (Issue #454).

Changed Configuration Directives

  - AllowChrootSymlinks When 'AllowChrootSymlinks off' was     used, only the last portion of the DefaultRoot path     would be checked to see if it was a symlink. Now, each     component of the DefaultRoot path will be checked to see     if it is a symlink when 'AllowChrootSymlinks off' is     used.

  - Include The Include directive can now be used within a     <Limit> section, e.g.: <Limit LOGIN> Include     /path/to/allowed.txt DenyAll </Limit> API Changes

  - A new JSON API has been added, for use by third-party     modules.

The remote host is running ProFTPD. It is affected by a vulnerability in the mod_copy module which fails to honor   <Limit READ> and <Limit WRITE> configurations as expected. An unauthenticated, remote attacker can exploit this, by   using the mod_copy module's functionality, in order to copy arbitrary files in the FTP directory, provided that   anonymous logins and mod_copy are enabled and the FTP directory is accessible from a web server. If a file exists in   the FTP directory that contains PHP code but does not use the PHP extension, an attacker can copy this file to one with   a PHP extension in order to execute code.

The remote host is affected by the vulnerability described in GLSA-201908-16 (ProFTPD: Remote code execution)

    It was discovered that ProFTPD&rsquo;s &ldquo;mod_copy&rdquo; module does not       properly restrict privileges for anonymous users.
  Impact :

    A remote attacker, by anonymously uploading a malicious file, could       possibly execute arbitrary code with the privileges of the process, cause       a Denial of Service condition or disclose information.
  Workaround :

    There is no known workaround at this time.

This update for proftpd fixes the following issues :

Security issues fixed :

  - CVE-2019-12815: Fixed arbitrary file copy in mod_copy     that allowed for remote code execution and information     disclosure without authentication (bnc#1142281).

This update addresses an arbitrary file copy vulnerability in mod_copy in ProFTPD, which allowed for remote code execution and information disclosure without authentication due to not honoring `<Limit>` constraints.

Upstream bug: http://bugs.proftpd.org/show_bug.cgi?id=4372

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Tobias Maedel discovered that the mod_copy module of ProFTPD, a FTP/SFTP/FTPS server, performed incomplete permission validation for the CPFR/CPTO commands.

Tobias Maedel discovered that the mod_copy module of ProFTPD, a FTP/SFTP/FTPS server, performed incomplete permission validation for the CPFR/CPTO commands.

For Debian 8 'Jessie', this problem has been fixed in version 1.3.5e+r1.3.5-2+deb8u3.

We recommend that you upgrade your proftpd-dfsg packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.  

All versions of ProFTPD incliuding 1.3.5b are affected by a remote code execution vulnerability due to an arbitrary file copy flaw in the mod_copy module, which is part of the default installation of ProFTPD and 'enabled by default in most distributions' according to the researcher who discovered the bug. According to the ProFTPD bug report, mod_copy does not honor the %lt;Limit READ> and <Limit WRITE> configuration settings, thereby allowing a remote attacker write permissions to 'copy any file on the FTP server' using CPFR and CPTO commands.

ID	Name	Product	Family	Severity
132911	openSUSE Security Update : proftpd (openSUSE-2020-31)	Nessus	SuSE Local Security Checks	critical
132749	ProFTPD 'mod_copy' Arbitrary File Copy Vulnerability (Remote)	Nessus	FTP	critical
127965	GLSA-201908-16 : ProFTPD: Remote code execution	Nessus	Gentoo Local Security Checks	critical
127741	openSUSE Security Update : proftpd (openSUSE-2019-1836)	Nessus	SuSE Local Security Checks	critical
127534	Fedora 30 : proftpd (2019-e9187610c3)	Nessus	Fedora Local Security Checks	critical
127519	Fedora 29 : proftpd (2019-82b0f48691)	Nessus	Fedora Local Security Checks	critical
127487	Debian DSA-4491-1 : proftpd-dfsg - security update	Nessus	Debian Local Security Checks	critical
127482	Debian DLA-1873-1 : proftpd-dfsg security update	Nessus	Debian Local Security Checks	critical
701079	ProFTPD <= 1.3.5b Remote Code Execution	Nessus Network Monitor	FTP Servers	high

CVE-2019-12815

CRITICAL

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

high