Re: Drupal DRUPAL-SA-2006-005, DRUPAL-SA-2006-006

2006-05-29 Thread Christophe Chisogne
Jan Luehr wrote:
> Is fix for 005 and 006 on its way?

The fixes you're talking about [1] don't seem complex at first sight,
as the patches for Drupal 4.6.6 [2,3] are pretty simple. So, I guess
the security team will be able to handle this without problems :)

If you can't wait, just try to apply the patches yourself, and don't
forget to create a .htaccess file in the files directory, with this
simple content:
SetHandler This_is_a_Drupal_security_line_do_not_remove.
(Drupal 4.6.7 has code to create that file automatically.)

If you have enough time, you can try to manually upgrade to the latest
Drupal (4.7.1), as drupal in Debian is only in the 4.5.x series.
Of course, this means you must manually maintain it by yourself.

Ch.

[1] Drupal 4.6.7 and 4.7.1 released
http://drupal.org/drupal-4.7.1

[2] DRUPAL-SA-2006-005 : Patch for 4.6.6
http://drupal.org/files/sa-2006-005/4.6.6.patch

[3] DRUPAL-SA-2006-006 : Patch for 4.6.6
http://drupal.org/files/sa-2006-006/4.6.6.patch


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: [SECURITY] [DSA 1073-1] New MySQL 4.1 packages fix several vulnerabilities

2006-05-23 Thread Christophe Chisogne
Martin Schulze wrote:
> The following vulnerability matrix shows which version of MySQL in
> which distribution has this problem fixed:
>
>                  woody         sarge            sid
>  mysql           3.23.49-8.15  n/a              n/a
>  mysql-dfsg      n/a           4.0.24-10sarge2  n/a
>  mysql-dfsg-4.1  n/a           4.1.11a-4sarge3  n/a
>  mysql-dfsg-5.0  n/a           n/a              5.0.21-3

I can't apt-get upgrade from 4.0.24-10sarge1 to 4.0.24-10sarge2.
Is that package already created / uploaded to the security repository ?
Or am I missing something?

Ch.





Re: Pam module for hylafax

2006-04-19 Thread Christophe Chisogne
Adarsh V.P wrote:
> I am using hylafax with debian sarge. I can only use the fax
> utilities (sendfax, faxstat, ...) while logging in as root.

Just man faxadduser can make you happy I guess :)

faxadduser and faxdelusers tools manage the hylafax auth files
/etc/hylafax/hosts.hfaxd
/var/spool/hylafax/etc/hosts.hfaxd

You can easily configure it to access it from other hosts.
Ex faxstat -h myfaxserver. Don't forget to define passwords.
Usernames default to the current (unix/linux) user.

I strongly recommend you to read the very useful HylaFax Handbook
http://www.hylafax.org/content/Handbook

Ch.





Re: delivery problem

2005-12-05 Thread Christophe Chisogne
Caroline Wassmuth wrote:
> Hello,
> I don't know whether I'm in the right place to report a problem with the
> delivery of a La Redoute parcel.
> Please confirm this address so that I can explain
> my case.
> Regards
> Caroline Wassmuth

<english>
How to explain to her that this list has nothing to do with a French online shop?
I gave up and wrote to her not to bother the list anymore, in French.
</english>

Think for 2 seconds: do you see the word redoute in the email?
This is a list devoted to the security of the Debian GNU/Linux
distribution. Please do not use this address any more.
There is no need to reply to this mail and bother this list again.

Ch.





Re: [SECURITY] [DSA 874-1] New lynx packages fix arbitrary code execution

2005-10-27 Thread Christophe Chisogne
Martin Schulze wrote:
> Debian Security Advisory DSA 874-1 [EMAIL PROTECTED]
> (...)
> Package: lynx
> (...)
> For the stable distribution (sarge) this problem has been fixed in
> version 2.8.5-2sarge1.

I guess lynx-ssl is affected too? Is a lynx-ssl being prepared?





Re: [SECURITY] [DSA 874-1] New lynx packages fix arbitrary code execution

2005-10-27 Thread Christophe Chisogne
Christophe Chisogne wrote:
> I guess lynx-ssl is affected too ? Is a lynx-ssl being prepared ?

Ok, it's DSA 876-1, solved :)

DSA-876-1 lynx-ssl -- buffer overflow
http://www.debian.org/security/2005/dsa-876

But I had a problem: I upgraded from Woody to Sarge.
Woody had non-US, which Sarge doesn't have anymore.

lynx-ssl/Woody was in non-US, but wasn't removed/replaced
by the new lynx/Sarge during upgrade. So I had a system
with an old unpatched lynx-ssl and not the current patched
lynx (trivially solved with aptitude install lynx).

The problem didn't seem obvious at first, so I share
my little experience here.

If others have problems with non-US, I found a simple way
to list the non-US packages (if grep-dctrl is installed):
use grep-status, with a command like that one:

# grep-status -F Section non-US -s Package,Version,Status

Hope it can help others.

Ch.
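
An added example (not part of the original message): the same check as the
grep-status command above, done with awk directly on the dpkg status format,
so it also works where grep-dctrl is not installed. The sample stanzas, the
examplepkg-* names and all version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# Lists installed packages left over from an archive section that the new
# release dropped (non-US after a Woody -> Sarge upgrade). Such packages get
# no security updates even though "apt-get upgrade" reports nothing to do.

# list_section_packages STATUS_FILE SECTION_SUBSTRING
# Prints "package version" for every stanza whose Section contains the
# substring and whose Status says the package is fully installed.
list_section_packages() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            pkg = ver = sec = st = ""
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^Package: /) pkg = substr($i, 10)
                else if ($i ~ /^Version: /) ver = substr($i, 10)
                else if ($i ~ /^Section: /) sec = substr($i, 10)
                else if ($i ~ /^Status: /)  st  = substr($i, 9)
            }
            # Skip removed packages that only left config files behind.
            if (index(sec, want) > 0 && st ~ / installed$/)
                print pkg, ver
        }
    ' "$1"
}

# Writes a constructed status file in the dpkg stanza format.
write_sample_status() {
    cat > "$1" <<'EOF'
Package: lynx-ssl
Status: install ok installed
Section: non-US
Version: 1.0-constructed1
Description: constructed sample entry
 continuation lines are ignored by the parser

Package: lynx
Status: install ok installed
Section: web
Version: 2.0-constructed1

Package: examplepkg-removed
Status: deinstall ok config-files
Section: non-US/main
Version: 0.9-constructed1

Package: examplepkg-crypto
Status: install ok installed
Section: non-US/main
Version: 3.0-constructed1
EOF
}

sample=$(mktemp)
write_sample_status "$sample"
list_section_packages "$sample" non-US
rm -f "$sample"
```

On a real system the first argument would be /var/lib/dpkg/status.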





Re: Is kernel package out-of-date?

2005-09-06 Thread Christophe Chisogne
Martin C. wrote:
> see any changes in that package in 2.6.* kernels

The latest 2.6 kernel is found in kernel-image-2.6* packages.
Ex (for Pentium 4) : kernel-image-2.6-686 always depends
on the latest 2.6 kernel image available.
- In stable, it's version 101 [1] (2.6.8)
- In unstable, it's version 1:2.6.12-5 [2] (2.6.12)

PS As you'll notice, the kernel source package was renamed [3]
   from kernel-source* to linux-2.6 [4]

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2617
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2555

These 2 vulnerabilities [5,6] are pretty recent.
Debian kernel team is working on those [7], but this takes time.

> Should I use non-debian kernels or how can I do to update my debian
> kernel? with apt-get update and upgrade, never I got any update for
> this package.

It's your choice : 
a) Use Debian kernel images (easier, up-to-date slowly)
b) Build your own kernel images (not so easy, up-to-date quickly)

My 2 cents.

Ch.

[1] kernel-image-2.6-686 Stable: 101 (2.6.8)
http://packages.debian.org/stable/base/kernel-image-2.6-686
http://packages.debian.org/stable/base/kernel-image-2.6.8-2-686

[2] kernel-image-2.6-686 Unstable: 1:2.6.12-5 (2.6.12)
http://packages.debian.org/unstable/base/kernel-image-2.6-686
http://packages.debian.org/unstable/base/linux-image-2.6-686
http://packages.debian.org/unstable/base/linux-image-2.6.12-1-686

[3] DWN August 16th, 2005 -- Linux Kernel Source Package Rename
http://www.debian.org/News/weekly/2005/33/

[4] Kernel source: linux-2.6
http://packages.debian.org/unstable/source/linux-2.6

[5] CAN-2005-2617 (Published Aug 25 2005) Fixed in kernel.org 2.6.13-rc4
http://www.securityfocus.com/bid/14661/info

[6] CAN-2005-2555 (Announced 01 Sep 2005) 
http://www.securityfocus.com/archive/1/409674/30/0/threaded
http://www.ubuntu.com/usn/usn-169-1

[7] kernel - Rev 4134
http://svn.debian.org/wsvn/kernel/dists/sid/linux-2.6/?op=log&rev=0&sc=0&isdir=1





Re: Proftpd and bug #319849

2005-08-12 Thread Christophe Chisogne
Vincent Bernat wrote:
> proftpd in Sarge is vulnerable to a format string vulnerability. The
> corresponding bug is marked as fixed in 1.2.10-20 and found in
> 1.2.10-15 (which is the Sarge version). This means that the Sarge
> version is still vulnerable.

Indeed, sarge proftpd (1.2.10-15) is vulnerable to the 2 recent
format string vulnerabilities [1,2],
but testing proftpd (1.2.10-20) is not [3]

[1] SQLShowInfo format string vulnerability
http://bugs.proftpd.org/show_bug.cgi?id=2645

[2] ftpshut format string vulnerability
http://bugs.proftpd.org/show_bug.cgi?id=2646

[3] Debian Changelog proftpd (1.2.10-20)
http://packages.debian.org/changelogs/pool/main/p/proftpd/proftpd_1.2.10-20/changelog

> However, the bug is closed and not tagged security.

I guess it's a mistake, even for low-risk vulnerabilities

> Should this bug be reopened and tagged security ?

vote: +1

> Will a new upload be handled by security team shortly ?

I hope so.

Ch.





Re: apache and CAN-2003-0020

2005-03-22 Thread Christophe Chisogne
Geoff Crompton wrote:
> I can't find a
> DSA that corresponds to CAN-2003-0020.

Woody isn't affected [1]:

CAN-2003-0020: Apache:
Missing filter for terminal escape sequences from error logs

Ch.

[1] Non-Vulnerability Security Information for woody
http://www.nl.debian.org/security/nonvulns-woody


Re: CAN-2005-0001, CAN-2004-1235, CAN-2004-1137, CAN-2004-1016, Georgi Guninski security advisory #72, 2004, grsecurity 2.1.0 release

2005-01-13 Thread Christophe Chisogne
Jan Lühr wrote:
> Do you recommend to use kernel-source-2.4.27 from sid (sarge) instead of
> 2.4.18 from woody?

On a production server, I would run 2.4, not 2.6. And as Debian security
support seems better now for the 2.4.27 kernel, I would choose it.
It includes fixes backported from kernel.org 2.4.28, even 2.4.29-rc1

Ex CAN-2004-1235 (uselib) is fixed since 2.4.29-rc1 at kernel.org
   and will be fixed soon by upcoming (Debian) kernel-source-2.4.27-8
   (and kernel-image-2.4.27-xyz built from it)

Or you can pick any kernel you want from kernel.org and build one
yourself, either the traditional (make config; make dep...)
or the Debian way (make config; make-kpkg -- via kernel-package).
With the latter (debian), you obtain a debian package for your
custom kernel. But that means you become the local kernel/security
maintainer. You can avoid this burden by simply using
Debian kernel packages released by the kernel and security teams.

> Is all information available

For my basic needs on this, I often use Google and the 2 links below.

For info about fixes in Debian 2.4.27 kernels, read changelogs in
kernel-source-2.4.27 package, for example -- e.g. near the end of
http://packages.debian.org/unstable/devel/kernel-source-2.4.27

For info about fixes in kernel.org 2.4 kernels, read changelogs
and changesets on the kernel.org homepage

Christophe


Re: CAN-2005-0001, CAN-2004-1235, CAN-2004-1137, CAN-2004-1016, Georgi Guninski security advisory #72, 2004, grsecurity 2.1.0 release

2005-01-13 Thread Christophe Chisogne
Jan Lühr wrote:
> Will kernel-source-2.4.27 be available in days or weeks?

I guess days, since security fixes often means 'priority=high'.
There are people working on it, ex Simon Horman. More info:

activity on kernel-source-2.4.27-2.4.27 (svn, Debian subversion)
http://svn.debian.org/wsvn/kernel/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/?rev=0&sc=1

The incoming kernel-source-2.4.27-8 changelog
http://svn.debian.org/wsvn/kernel/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog?op=file&rev=0&sc=1

> Well, running an rc-/pre-release on a production server is quite risky. Btw.

Indeed, but some security fixes are already there. And 2.4 kernels
are largely stable enough for my needs, even on prod servers.

> AFAIK kernel.org recommend not using their kernels, because they give no
> security support.

I didn't know this. I only check their 2.4 changelog from time to time,
and sometimes see security fixes. But they are often not tagged
'security', so I had to 'grep' for 'out of bounds', 'race', 'fix'...
With Debian kernels, the job is already done for you :)

I thought the security fixes (say from Distro xyz) were quickly
backported to kernel.org, and were often fixed first by kernel.org.
Perhaps I'm wrong on this, I'm just guessing

Easiest way is to install Debian kernels when they are released,
but I fear Sarge 2.4.27 kernel has better security support
than woody 2.4.18 kernel. So I use woody with sarge's kernel.

> Thanks. Using kernel-source.2.4.24 from seems to be a good option.

You mean 2.4.27, not 2.4.24 / 2.4.18

> Can the openwall / grsecurity patches be applied to kernel-source-2.4.27?

No idea. But I'm interested in more secure kernels too (buffer overflow
protection, selinux, adamantix, grsecurity etc). Perhaps there is info
on the debianhardened project, but I don't have time now to check this.
http://sourceforge.net/projects/debianhardened
http://www.debian-hardened.org/wiki

Christophe


Re: local root exploit

2005-01-11 Thread Christophe Chisogne
A.J. Loonstra wrote:
> I tried modifying the exploit not to use /dev/shm... but this is what
> happens:
> (...)
> It says it did exploit but it didn't...

I just modified it the same way (without /dev/shm tmpfs-mounted).
And it worked as expected (uid 0 and root access).
Perhaps you inadvertently entered the Twilight zone?

Christophe


CAN-2004-1056 status at kernel.org ?

2005-01-10 Thread Christophe Chisogne
A kernel vulnerability related to intel drms
(CAN-2004-1056 insufficient locking checks in DRM code),
has been reported by some vendors [5-7].

It seems to have been fixed in kernel-source-2.6.8-11,
and will be fixed by a backport to kernel-source-2.4.27-8
(also fixes CAN-2004-1235 about uselib) [1-3]

What's the status of that DRM bug at kernel.org:
is it included in some vanilla kernels (2.4 or 2.6)?
I don't see anything in kernel.org Changelogs, and only
found out a cset [4] that seems related.

Christophe

PS Some info I found about this

From [1]
  * 121_drm-locking-checks-1.diff 121_drm-locking-checks-2.diff:
 [SECURITY] Fix insufficient locking checks in DRM code;
 CAN-2004-1056
 (Fabio M. Di Nitto, Dann Frazier, Simon Horman).
 (Closes: Bug#285563)

From [2]
The fix for CAN-2004-1056, added in 2.6.8-11, also applies to 2.4
however, I don't think it will compile, because 2.4 doesn't define the
LOCK_TEST_WITH_RETURN() in drmP.h.

From [3]
kernel-source-2.6.8 (2.6.8-11) unstable; urgency=high
  * [SECURITY] Fix insufficient locking checks in DRM code;
CAN-2004-1056.  Thanks to Fabio M. Di Nitto (Andres Salomon).

From [4]
# ChangeSet
#   2004/11/11 22:23:44+11:00 [EMAIL PROTECTED](none)
#   drm: in-correct locking in intel drms

[1] Changelog kernel-source2.4.27
http://svn.debian.org/wsvn/kernel/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog?op=file&rev=0&sc=1

[2] Debian Bug report logs - #285563
kernel-source-2.4.27: drm locking fix missing in 2.4 kernels
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285563

[3] Changelog kernel-source-2.6.8 (2.6.8-11)
http://packages.debian.org/changelogs/pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-11/changelog

[4] part of 2.6 changeset
http://kernel.org/pub/linux/kernel/v2.6/testing/cset/[EMAIL PROTECTED](none)|ChangeSet|2004112344|59303.txt

[5] 2004-11-01
Security issue: insufficient locking checks in DRM code
https://bugs.freedesktop.org/show_bug.cgi?id=1803

[6] 2004-11-09
CAN-2004-1056 insufficient locking checks in DRM code
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138534

[7] 2004-12-15
Bugzilla Bug 74464
Kernel Local X server DoS in DRM drivers (CAN-2004-1056)
http://bugs.gentoo.org/show_bug.cgi?id=74464


Re: local root exploit

2005-01-10 Thread Christophe Chisogne
Vladislav Kurz wrote:
> mount -t tmpfs tmpfs /dev/shm

With or without that, it fails with

[-] FAILED: uselib (Cannot allocate memory)
Killed

Tested with 2.4.27-1-686 (2004-09-03)
compiled with gcc (GCC) 3.3.5 (Debian 1:3.3.5-5)
and 2.4.27 kernel headers
(-I/usr/src/kernel-source-2.4.27/include/)

Ch.


Re: local root exploit

2005-01-10 Thread Christophe Chisogne
Christophe Chisogne wrote:
> Vladislav Kurz wrote:
>> mount -t tmpfs tmpfs /dev/shm
> With or without that, it fails with

Oops, I'm sorry, it really works, with /dev/shm mounted :(
but for about 10% of executions. (yes, 'again' was the keyword)

Tested with 2.4.27-1-686 (2004-09-03)
compiled with gcc (GCC) 3.3.5 (Debian 1:3.3.5-5)
and 2.4.27 kernel headers
(-I/usr/src/kernel-source-2.4.27/include/)

Ch.


Re: message problem

2005-01-06 Thread Christophe Chisogne
ravier françois wrote:
> hello,
> I am sending you this mail because I have a problem with a message that
> appears on my screen. The message is the following:
> free ver
> guardian activation limit exceeded for the free version please restart to
> recharge
> If you could tell me what to do to get rid of it.
> with my thanks.
> Mrs Ravier

[french version, translated]
This is an English-language list devoted to the security of the
Debian GNU/Linux distribution. Your mail is off topic and will be ignored.
I also advise you to seriously review your disastrous
spelling.

[english version]
This is an English mailing list related to the security of the Debian
GNU/Linux distribution. Your mail is off topic and will be ignored.
I also give you my advice to improve your really poor spelling.

PS In the original mail, she was asking how to get rid of a message on
the screen.

Ch.


Re: Kernel Vulnerabilities

2004-12-30 Thread Christophe Chisogne
David Ramsden wrote:
On Sat, Nov 13, 2004 at 04:41:00PM -0800, peace bwitchu wrote:
http://securitytracker.com/alerts/2004/Nov/1012165.html
PoC for the first one is at:
http://www.k-otik.com/exploits/2004.elfdump.c.php
There is a reference in the changelog for 2.4.28-rc3:
   binfmt_elf: handle partial reads gracefully
Fixed by debian patch 097-elf_loader_overflow-1.diff.bz2, which is
included in kernel-source-2.4.27-6 (and corresp. kernel-image debs).
Cfr Fix multiple vulnerablilities in the ELF loader. (Simon Horman)
in 2.4.27-6 kernel-source changelog
http://packages.debian.org/changelogs/pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-6/changelog
Christophe


Re: Missing security fixes for Woody kernel

2004-12-30 Thread Christophe Chisogne
Philip Ross wrote:
> The latest 2.4 kernel for Woody (kernel-image-2.4.18-1-686 version
> 2.4.18-13.1) is still vulnerable to the FPU crash CAN-2004-0554
> discovered back in June 2004 and fixed in the 2.4.27 kernel. The code
> available at http://www.securiteam.com/exploits/5ZP0N0AD5A.html will
> crash an up to date Woody system.

In the kernel-source 2.4.27-6 changelog
http://packages.debian.org/changelogs/pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-6/changelog
I see that the FPU crash CAN-2004-0554 is fixed:

(...)
kernel-source-2.4.26 (2.4.26-3) unstable; urgency=low
   * Fix clear_cpu() marco [CAN-2004-0554]
. include/asm-i386/i387.h
. include/asm-x86_64/i387.h

> Is there going to be a backported fix for this issue for Woody?

Don't know. I simply installed a 2.4.27 kernel on the Woody box.

Christophe


Re: Missing security fixes for Woody kernel

2004-12-30 Thread Christophe Chisogne
Christophe Chisogne wrote:
> I see that the FPU crash CAN-2004-0554 is fixed:

PS I found that information from (Google and) bug #253871.

Debian Bug report logs - #253871
CAN-2004-0554 user application can hang the kernel
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=253871

Ch.


Re: php vulnerabilities

2004-12-22 Thread Christophe Chisogne
martin f krafft wrote:
> guy behind the repository is not a Debian developer. This simply
> means that you cannot trust him the same way you trust Debian
> developers, whether about integrity or competence.

In a few words: perhaps he's not a Debian Developer (I don't know),
but he's well known in the (French) PHP world, and net/sys-admin
for nexentservices.com. So, competence probably is there.
Trust a DD or trust that guy: it's a personal choice

If you want the same info with more words, read below ;-)

Christophe

Guillaume Plessis (gui at dotdeb dot org) [1] is sysadmin and network
admin [2] for http://www.nexenservices.com/ which is related to
http://www.nexen.net/docs/

nexen.net provides French translations [3] for MySQL and PHP doc
since 1999 in collaboration with MySQL AB and php.net.
They also warned [3] about these PHP vulns, and they made me
discover a link to phpsecure [4], a website about PHP (lamp)
security (sorry, in French).

So, even if he's not a Debian Developer, we can't say it's a
stupid guy nobody knows in the PHP world, especially those
who speak French.

[1] Information utilisateur admin
http://perso.dotdeb.org/gui/tiki-user_information.php?view_user=admin

[2] Nexen Services sysadmin
http://perso.dotdeb.org/gui/tiki-index.php

[3] Nexen docs
http://www.nexen.net/docs/

[4] Alertes sécurité des applications PHP et MySQL
http://www.nexen.net/news/gen.php#n3779

[5] PHPsecure
http://www.phpsecure.info/v2/.php


any DSA for CAN-2004-1026 ?

2004-12-10 Thread Christophe Chisogne
Seems imlib has multiple overflow vulnerabilities [1,2,3].
Are Woody/Sarge vulnerable? Is a DSA in preparation for it?

Christophe

[1] imlib: Buffer overflows in image decoding
http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml

[2] CAN-2004-1026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026

[3] SUSE Security Summary Report SUSE-SR:2004:003
http://www.suse.de/de/security/2004_03_sr.html


coreutils/fileutils : 'dir' integer overflow vulnerability on woody

2004-07-28 Thread Christophe Chisogne
A bug report about a vulnerability of 'dir' [1] in package coreutils says it
was fixed upstream in coreutils-5.1.0, and the latest is coreutils-5.2.0
but Debian/woody is vulnerable (dir is in woody package fileutils).

I just filed a bug [2] for fileutils on woody, and I'm posting here
because it's security related [3].

What's the/a Right Way (tm) to report security related bugs
like this one? Am I supposed to do anything more
to make woody's security improve ?
(apart from writing patches, which is not obvious ;-)

Christophe

[1] Debian Bug report logs - #236035
coreutils: 'dir' integer overflow vulnerability.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=236035

[2] Debian Bug report logs - #261828
'dir' integer overflow vulnerability
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261828

[3] http://www.securityfocus.com/archive/1/356174

Christophe


webmin and GLSA 200406-12

2004-06-25 Thread Christophe Chisogne
Is Debian webmin vulnerable to this one?
I don't see anything on deb security page.

GLSA 200406-12: Webmin: Multiple vulnerabilities
Published: Jun 16, 2004
http://www.securityfocus.com/advisories/6857

Christophe



proftpd affected by recent security hole (2004/05/12) ?

2004-05-18 Thread Christophe Chisogne


On proftpd.org front page, I read proftpd has a bug relating
to ASCII translation [1]. Previous one [2] was critical
(remote root shell) but affected only proftpd 1.2.7rc1 and up.

Woody/stable has 1.2.4+1.2.5rc1, which is clearly not affected
by the previous one.

But is it affected by the new proftpd bug ?
I guess not, but would like to be certain it's safe.

[next question perhaps too much OT]

By the way, proftpd 1.2.2rc1 fixed a previous hole relating
to globs (something like 'ls */../*/../*/../'). Solution
was to add a DenyFilter (\*.*/). I heard about another vuln
(format string?) solved by DenyFilter too (%). So I used
DenyFilter (\*.*/|%)
in proftpd.conf. Is it safe not to use it with woody's proftpd ?

Christophe

[1] http://proftpd.org/
Quote:
[12/May/2004]
There are two issues which have come to our attention,
there is an additional flaw related to the ASCII translation bug
discovered by X-Force, this affects all versions up to and
including 1.2.9rc3. Versions from 1.2.9 are not vulnerable.
Additionally a flaw in the CIDRACL code has been discovered
which can lead to an escalation in access rights within the ftp site.
This flaw affects all versions up to and including 1.2.9,
it has been fixed in cvs and 1.2.10rc1.
To avoid the flaw do not use CIDR based ACLs on vulnerable versions
or use mod_wrap and /etc/hosts.allow|deny. 

[2] http://proftpd.org/critbugs.html
Quote:
Bug: Remote Exploit in ASCII translation (...)
 Version: 1.2.7rc1 and later (...)
 Severity/Effect: Critical
 Date: September 23, 2003 (...)
 http://xforce.iss.net/xforce/alerts/id/154 (...)
 CANN-2003-0831

[3] http://bugs.proftpd.org/show_bug.cgi?id=1066
proftpd DoS (Resolved in 1.2.2rc1) like
'ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*'