Fedora 10 : proftpd-1.3.2b-1.fc10 (2009-11666)
Medium Nessus Plugin ID 42846
SynopsisThe remote Fedora host is missing a security update.
DescriptionThis update fixes CVE-2009-3639, in which proftpd's mod_tls, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate. This allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority. This update to upstream release 1.3.2b also fixes the following issues recorded in the proftpd bug tracker at bugs.proftpd.org: - Regression causing command-line define options not to work (bug 3221) - Use correct cached user values with 'SQLNegativeCache on' (bug 3282) - Slower transfers of multiple small files (bug 3284) - Support MaxTransfersPerHost, MaxTransfersPerUser properly (bug 3287) - Handle symlinks to directories with trailing slashes properly (bug 3297)
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected proftpd package.