===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0767
                      proftpd-dfsg regression update
                                3 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           proftpd-dfsg
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9273

Reference:         ESB-2020.0703
                   ESB-2020.0635

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2020/03/msg00002.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : proftpd-dfsg
Version        : 1.3.5e+r1.3.5-2+deb8u7
CVE ID         : CVE-2020-9273

It was discovered that there was a regression in a previous fix for a
use-after-free vulnerability in the proftpd-dfsg FTP server.

Exploitation of the original vulnerability within the memory pool
handling could have allowed a remote attacker to execute arbitrary code
on the affected system. However, the fix that was released in
proftpd-dfsg version 1.3.5e+r1.3.5-2+deb8u6 had a regression around the
handling of log formatting.

For more information, please see:

  https://github.com/proftpd/proftpd/issues/903

For Debian 8 "Jessie", this issue has been fixed in proftpd-dfsg version
1.3.5e+r1.3.5-2+deb8u7.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================