6069736 2001-02-08 19:41 -0200 /108 rader/ <secure@CONECTIVA.COM.BR> Sänt av: joel@lysator.liu.se Importerad: 2001-02-09 00:15 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: secure@CONECTIVA.COM.BR Mottagare: Bugtraq (import) <15308> Ärende: [CLA-2001:380] Conectiva Linux Security Announcement - proftpd ------------------------------------------------------------ From: secure@CONECTIVA.COM.BR To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <200102082141.TAA16909@frajuto.distro.conectiva> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : proftpd SUMMARY : Denial of Service DATE : 2001-02-08 19:17:00 ID : CLA-2001:380 RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1, 6.0 - ------------------------------------------------------------------------- DESCRIPTION "proftpd" is a very popular ftp server. Wojciech Purczynski reported two memory leak problems that could be used in a DoS attack: 1) A memoy leak will happen everytime a SIZE command is given, provided that the scoreboard file is not writable. The default installation is *not* vulnerable to this problem; 2) A similar problem existed with the USER command. Every USER command would cause the server to use more memory. Additionally, Przemyslaw Frasunek reported some format string vulnerabilities which have been fixed. SOLUTION It is recommended that all ProFTPd users upgrade to the latest packages. DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-doc-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/proftpd-1.2.0rc3-1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/proftpd-1.2.0rc3-1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/proftpd-doc-1.2.0rc3-1cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://www.conectiva.com.br/suporte/atualizacoes - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6gxJ042jd0JmAcZARAla9AJ96Oo0rdg48gVWpQk5aGI8LA+YI8wCeOp3j p3mfPpPSK0NwfGf3gax7Rxg= =tNZB -----END PGP SIGNATURE----- (6069736) --------------------------------(Ombruten)