openSUSE Security Update : proftpd (openSUSE-2017-481)
Low Nessus Plugin ID 99430
SynopsisThe remote openSUSE host is missing a security update.
DescriptionThis update for proftpd to version 1.3.5d fixes the following issues :
This security issue was fixed :
- CVE-2017-7418: ProFTPD checked only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link (bsc#1032443).
These non-security issues were fixed :
- Reduce TLS protocols to TLSv1.1 and TLSv1.2
- Disable TLSCACertificateFile
- Add TLSCertificateChainFile
- All FTP logins are treated as anonymous logins again
- SSH rekey during authentication could have caused issues with clients.
- Recursive SCP uploads of multiple directories were not handled properly.
- LIST returned different results for file, depending on path syntax.
- 'AuthAliasOnly on' in server config broke anonymous logins.
- Fixed memory leak when mod_facl is used.
- Fix systemd vs SysVinit inconsistency
SolutionUpdate the affected proftpd packages.