-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0767
                      proftpd-dfsg regression update
                               3 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           proftpd-dfsg
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9273  

Reference:         ESB-2020.0703
                   ESB-2020.0635

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/03/msg00002.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : proftpd-dfsg
Version        : 1.3.5e+r1.3.5-2+deb8u7
CVE ID         : CVE-2020-9273

It was discovered that there was a regression in a previous fix for a
use-after-free vulnerability in the proftpd-dfsg FTP server.

Exploitation of the original vulnerability within the memory pool handling
could have allowed a remote attacker to execute arbitrary code on the
affected system. However, the fix that was released in proftpd-dfsg
version 1.3.5e+r1.3.5-2+deb8u6 had a regression around the handling
of log formatting.

For more information, please see:

  https://github.com/proftpd/proftpd/issues/903

For Debian 8 "Jessie", this issue has been fixed in proftpd-dfsg version
1.3.5e+r1.3.5-2+deb8u7.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----