openSUSE Security Update : proftpd (openSUSE-SU-2013:1563-1)

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

proftpd was updated to 1.3.4d.

- Fixed broken build when using --disable-ipv6 configure
option

- Fixed mod_sql 'SQLAuthType Backend' MySQL issues

- fix for bnc#843444 (CVE-2013-4359)

- http://bugs.proftpd.org/show_bug.cgi?id=3973

- add proftpd-sftp-kbdint-max-responses-bug3973.patch

- Improve systemd service file

- use upstream tmpfiles.d file. related to [bnc#811793]

- Use /run instead of /var/run

- update to 1.3.4c

- Added Spanish translation.

- Fixed several mod_sftp issues, including
SFTPPassPhraseProvider, handling of symlinks for
REALPATH requests, and response code logging.

- Fixed symlink race for creating directories when
UserOwner is in effect.

- Increased performance of FTP directory listings.

- rebase and rename patches (remove version string)

- proftpd-1.3.4a-dist.patch -> proftpd-dist.patch

- proftpd-1.3.4a-ftpasswd.patch -> proftpd-ftpasswd.patch

- proftpd-1.3.4a-strip.patch -> proftpd-strip.patch

- fix proftpd.conf (rebase basic.conf patch)

- IdentLookups is now a separate module; <IfModule
mod_ident.c> IdentLookups on/off </IfModule> is needed,
and the module is not built because crrodriguez disabled it.

- fix for bnc#787884
(https://bugzilla.novell.com/show_bug.cgi?id=787884)

- added extra Source proftpd.conf.tmpfile

- Disable ident lookups, this protocol is totally obsolete
and dangerous. (add --disable-ident)

- Fix debug info generation (add --disable-strip)

- Add systemd unit

- update to 1.3.4b

+ Fixed mod_ldap segfault on login when LDAPUsers with no
filters used.

+ Fixed sporadic SFTP upload issues for large files.

+ Fixed SSH2 handling for some clients (e.g. OpenVMS).

+ New FactsOptions directive; see
doc/modules/mod_facts.html#FactsOptions

+ Fixed build errors on Tru64, AIX, Cygwin.

- add Source Signature (.asc) file

- add noBuildDate patch

- add lang pkg

- --enable-nls

- add configure option

- --enable-openssl, --with-lastlog

See also :

http://bugs.proftpd.org/show_bug.cgi?id=3973
http://lists.opensuse.org/opensuse-updates/2013-10/msg00032.html
https://bugzilla.novell.com/show_bug.cgi?id=787884
https://bugzilla.novell.com/show_bug.cgi?id=811793
https://bugzilla.novell.com/show_bug.cgi?id=843444

Solution :

Update the affected proftpd packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : false

Family: SuSE Local Security Checks

Nessus Plugin ID: 75173

Bugtraq ID: 62328

CVE ID: CVE-2013-4359
