Full Disclosure mailing list archives

[tj () castaglia org: [Proftpd-user] ProFTPD Remote Exploit]


From: Sven Hoexter <sven () timegate de>
Date: Tue, 23 Sep 2003 18:37:45 +0200

FYI

----- Forwarded message from TJ Saunders <tj () castaglia org> -----

Date: Tue, 23 Sep 2003 07:46:01 -0700 (PDT)
From: TJ Saunders <tj () castaglia org>
To: proftp-announce () lists sourceforge net
Cc: proftp-devel () lists sourceforge net, proftp-user () lists sourceforge net
Subject: [Proftpd-user] ProFTPD Remote Exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, ProFTPD community. The ProFTPD Project team must make the
following announcement:

X-Force Research at ISS (www.iss.net) has discovered a bug in ProFTPD's
handling of ASCII translation.  An attacker, by downloading a carefully
crafted file, can remotely exploit this bug to create a root shell:

  http://xforce.iss.net/xforce/alerts/id/154

The source distributions on the project FTP server have been replaced
with patched versions (hence the 'p' in the filenames); the MD5
checksums and PGP signatures for these patched distributions are listed
below.  The old RPMs have been deleted, and new RPMs provided.  All
snapshots have been removed from the server.

All ProFTPD users are strongly encouraged to upgrade to one of these
distributions as soon as possible.

The ProFTPD Project team would like to heartily thank the X-Force
engineers for the responsible and professional way in which they
reported the vulnerability, and worked with the ProFTPD Project team to
address this issue.

The patched distributions, including PGP signatures and MD5 sums, will
soon be available from any of the proftpd mirrors.  Mirrors are
available via FTP as:

  ftp.<two_letter_iso_country_code>.proftpd.org

(example: ftp.nl.proftpd.org).  Not all countries have mirrors;
however you should select one that is geographically close to you.

The MD5 sums for the source tarballs are:

  ca6bbef30253a8af0661fdc618677e5c  proftpd-1.2.7p.tar.bz2
  677adebba98488fb6c232f7de898b58a  proftpd-1.2.7p.tar.gz
  417e41092610816bd203c3766e96f23b  proftpd-1.2.8p.tar.bz2
  abf8409bbd9150494bc1847ace06857a  proftpd-1.2.8p.tar.gz
  b89c44467f85eea41f8b1df17f8a0faa  proftpd-1.2.9rc1p.tar.bz2
  14ab9868666d68101ed942717a1632d1  proftpd-1.2.9rc1p.tar.gz
  27e3f62a5615999adbbebcefa92b4510  proftpd-1.2.9rc2p.tar.bz2
  9ce26b461b2fa3d986c9822b85c94e5f  proftpd-1.2.9rc2p.tar.gz

The PGP signatures for the source tarballs are:

My PGP key has been used to sign the source tarballs as well as this
announcement; it is available via MIT's public keyserver.


----- End forwarded message -----

===========================================
And from a later mail:
byg> BTW, how about versions prior to 1.2.7?

They are believed to not have this bug.  I would recommend upgrading to
one of the patched releases, just to be certain.

TJ
==========================================

Sven
-- 
http://www.comboguano.de
http://sven.linux-ist-pleite.de
I'm root, if you see me laughing you better have a backup!
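As an added illustration (not code from the advisory or from the ProFTPD project), the Python below checks downloaded tarballs against a sum list in exactly the `md5hex  filename` layout TJ's announcement uses, reporting intact, altered and missing files. The digests and file contents in it are constructed stand-ins, not the real tarball checksums.

```python
import hashlib
import re
from typing import Dict

# Matches the advisory's "<32 hex chars>  <filename>" lines.
SUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+)\s*$")

def parse_sum_list(text: str) -> Dict[str, str]:
    """Map filename -> lowercase MD5 hex; other lines are ignored."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def verify(published: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per published filename: 'ok', 'MISMATCH' or 'missing'."""
    verdicts = {}
    for name, expected in published.items():
        if name not in files:
            verdicts[name] = "missing"
        elif md5_hex(files[name]) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts

# Constructed sample in the announcement's layout. The digests belong to the
# short stand-in byte strings below, not to the real ProFTPD tarballs.
SAMPLE_LIST = """The MD5 sums for the source tarballs are:

  900150983cd24fb0d6963f7d28e17f72  proftpd-1.2.8p.tar.bz2
  9e107d9d372bb6826bd81d3542a419d6  proftpd-1.2.8p.tar.gz
  d41d8cd98f00b204e9800998ecf8427e  proftpd-1.2.9rc2p.tar.gz
"""

SAMPLE_FILES = {
    "proftpd-1.2.8p.tar.bz2": b"abc",                                         # intact
    "proftpd-1.2.8p.tar.gz": b"The quick brown fox jumps over the lazy cat",  # altered
    # proftpd-1.2.9rc2p.tar.gz is deliberately absent
}

def run_sample() -> Dict[str, str]:
    return verify(parse_sum_list(SAMPLE_LIST), SAMPLE_FILES)
```

A matching MD5 only guards against corruption or a crude swap; for an archive fetched from a mirror, the detached PGP signatures the announcement also publishes are the check that binds the file to the project's key.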
