Module Name: othersrc
Committed By: lukem
Date: Sat Nov 25 01:22:53 UTC 2023
Modified Files:
othersrc/libexec/tnftpd: ChangeLog NEWS
Log Message:
Add history of various security advisories to ChangeLog and NEWS.
To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 othersrc/libexec/tnftpd/ChangeLog
cvs rdiff -u -r1.18 -r1.19 othersrc/libexec/tnftpd/NEWS
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: othersrc/libexec/tnftpd/ChangeLog
diff -u othersrc/libexec/tnftpd/ChangeLog:1.68 othersrc/libexec/tnftpd/ChangeLog:1.69
--- othersrc/libexec/tnftpd/ChangeLog:1.68 Sun Oct 1 06:15:30 2023
+++ othersrc/libexec/tnftpd/ChangeLog Sat Nov 25 01:22:53 2023
@@ -1,10 +1,35 @@
-$NetBSD: ChangeLog,v 1.68 2023/10/01 06:15:30 lukem Exp $
+$NetBSD: ChangeLog,v 1.69 2023/11/25 01:22:53 lukem Exp $
+Sat Nov 25 01:21:53 UTC 2023 [email protected]
+
+ * Add history of various security advisories to ChangeLog and NEWS.
+
Sun Oct 1 05:57:14 UTC 2023 [email protected]
* Release as "tnftpd 20231001".
+ * Security advisories:
+ * CVE-2020-7468: In FreeBSD 12.2-STABLE before r365772,
+ 11.4-STABLE before r365773, 12.1-RELEASE before p10,
+ 11.4-RELEASE before p4 and 11.3-RELEASE before p14 a ftpd(8)
+ bug in the implementation of the file system sandbox, combined
+ with capabilities available to an authenticated FTP user, can
+ be used to escape the file system restriction configured in
+ ftpchroot(5). Moreover, the bug allows a malicious client to
+ gain root privileges.
+ * CVE-2023-40303: GNU inetutils through 2.4 may allow
+ privilege escalation because of unchecked return values of
+ set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and
+ uucpd. This is, for example, relevant if the setuid system
+ call fails when a process is trying to drop privileges before
+ letting an ordinary user control the activities of the
+ process.
+ * CVE-2023-45198: ftpd before "NetBSD-ftpd 20230930" can leak
+ information about the host filesystem before authentication
+ via an MLSD or MLST command.
+ * NetBSD-SA2023-007: multiple vulnerabilities in ftpd(8).
+
* Always use $YACC even without --enable-maintainer-mode.
* Update to NetBSD-ftpd 20230930:
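Review bot: the CVE-2020-7468 and CVE-2023-40303 paragraphs describe FreeBSD ftpd and GNU inetutils rather than tnftpd, so a reader cannot tell from this list which entries were vulnerabilities in tnftpd itself and which only prompted a hardening; the existing entry further down already says "Addresses CVE-2020-7468, via FreeBSD", so a short qualifier per item (for example "related; fix adopted from FreeBSD") would stop the block from reading as a list of tnftpd CVEs. If these paragraphs are verbatim NVD descriptions, say so once above the list; if they are being edited, "a ftpd(8)" on the first item should read "an ftpd(8)".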
@@ -28,7 +53,7 @@ Sat Sep 23 05:39:49 UTC 2023 lukem@NetBS
fatal. Also treat failed set{e,}(u,g}id calls as fatal.
Addresses CVE-2020-7468, via FreeBSD.
* Improve seteuid error handling, per suggestion by Simon
- Josefsson.
+ Josefsson and CVE-2023-40303.
* Add missing check_login checks for MLST and MLSD.
* Sync libnetbsd replacements with NetBSD upstream:
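Review bot: "per suggestion by Simon Josefsson and CVE-2023-40303" reads as though the CVE made the suggestion; the NEWS hunk in this same commit uses "inspired by CVE-2023-40303", so matching that here (e.g. "per suggestion by Simon Josefsson; see CVE-2023-40303") keeps the two files consistent. The unchanged context line above still has the mismatched "set{e,}(u,g}id", which could be corrected to "set{e,}{u,g}id" while this entry is being touched.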
@@ -117,6 +142,15 @@ Fri Mar 22 09:00:00 UTC 2013 lukem@NetBS
* Release as "tnftpd 20130322"
+ * Security advisories:
+ * CVE-2011-0418: The glob implementation in Pure-FTPd before
+ 1.0.32, and in libc in NetBSD 5.1, does not properly expand
+ expressions containing curly brackets, which allows remote
+ authenticated users to cause a denial of service (memory
+ consumption) via a crafted FTP STAT command.
+ * NetBSD-SA2010-008: sftp(1)/ftp(1)/glob(3) related resource
+ exhaustion.
+
* Update build framekwork to autoconf 2.69, automake 1.11.1,
libtool 2.4.2.
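Review bot: the context line "* Update build framekwork to autoconf 2.69" directly below the new advisory block still carries the "framekwork" typo; since this entry is being edited anyway, fixing it in the same commit would be cheap.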
@@ -153,6 +187,16 @@ Wed Dec 30 01:48:57 UTC 2009 lukem@NetBS
* Release as "tnftpd 20091122"
+ * Security advisories:
+ * CVE-2009-0537: Integer overflow in the fts_build function in
+ fts.c in libc in (1) OpenBSD 4.4 and earlier and (2) Microsoft
+ Interix 6.0 build 10.0.6030.0 allows context-dependent
+ attackers to cause a denial of service (application crash) via
+ a deep directory tree, related to the fts_level structure
+ member, as demonstrated by (a) du, (b) rm, (c) chmod, and (d)
+ chgrp on OpenBSD; and (e) SearchIndexer.exe on Vista
+ Enterprise.
+
Sat Nov 7 11:13:38 UTC 2009 [email protected]
* Convert to automake & libtool.
@@ -180,7 +224,8 @@ Sun Mar 1 03:10:40 UTC 2009 lukem@NetBS
fts_options.
- Avoid possible integer overflow and subsequent collateral
damage.
- Received from OpenBSD via US-CERT as VU #590371.
+ Received from OpenBSD via US-CERT as VU #590371 and
+ as CVE-2009-0537.
Tue Dec 30 22:36:05 UTC 2008 [email protected]
@@ -229,6 +274,16 @@ Mon Sep 29 00:56:00 UTC 2008 lukem@NetBS
* Tagged as "tnftpd-20080929".
+ * Security advisories:
+ * CVE-2008-4247: ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0,
+ Solaris, and possibly other operating systems interprets long
+ commands from an FTP client as multiple commands, which allows
+ remote attackers to conduct cross-site request forgery (CSRF)
+ attacks and execute arbitrary FTP commands via a long ftp://
+ URI that leverages an existing session from the FTP client
+ implementation in a web browser.
+ * NetBSD-SA2008-014: Cross-site request forgery in ftpd(8).
+
* Updated version to "tnftpd 20080929".
Sat Sep 27 16:05:08 UTC 2008 [email protected]
@@ -431,6 +486,9 @@ Mon Dec 4 02:09:16 UTC 2006 lukem@NetBS
* Tagged as "tnftpd-20061204".
+ * Security advisories:
+ * NetBSD-SA2006-027: libc glob(3) buffer overflow.
+
* Updated version to "tnftpd 20061204"
* Added NEWS file back.
@@ -561,6 +619,13 @@ Tue Aug 10 00:59:10 UTC 2004 lukem@NetBS
* Tagged as "tnftpd-20040810".
+ * Security advisories:
+ * CVE-2004-0794: Multiple signal handler race conditions in
+ lukemftpd (aka tnftpd before 20040810) allow remote
+ authenticated attackers to cause a denial of service or
+ execute arbitrary code.
+ * NetBSD-SA2004-009: ftpd root escalation.
+
* Updated version to "tnftpd 20040810"
Tue Aug 10 00:48:58 UTC 2004 [email protected]
@@ -744,12 +809,16 @@ Sun Dec 8 13:09:20 UTC 2002 lukem@NetBS
* provide replacement for strsuftollx()
- * update to NetBSD-current 2002-10-08
+ * update to NetBSD-current 2002-12-08
Sat Oct 26 12:25:03 UTC 2002 [email protected]
* tagged as "tnftpd 2.0 beta1"
+ * Security advisories:
+ * NetBSD-SA2002-027: ftpd STAT output non-conformance can
+ deceive firewall devices.
+
Sat Oct 26 03:24:45 UTC 2002 [email protected]
* renamed release to `tnftpd'
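Review bot: this hunk also changes the unrelated line "update to NetBSD-current 2002-10-08" to "2002-12-08", a date correction that the log message ("Add history of various security advisories") does not mention; either record the correction in the commit message or split it into its own commit so the ChangeLog history stays easy to audit.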
@@ -857,6 +926,10 @@ Sun Apr 8 03:35:55 UTC 2001 lukem@NetBS
* release 1.0
+ * Security advisories:
+ * NetBSD-SA2001-005: Ftpd denial of service and remote buffer
+ overflow.
+
Thu Apr 5 14:08:25 UTC 2001 [email protected]
* search for lockf and flock, and use the first found (in that
Index: othersrc/libexec/tnftpd/NEWS
diff -u othersrc/libexec/tnftpd/NEWS:1.18 othersrc/libexec/tnftpd/NEWS:1.19
--- othersrc/libexec/tnftpd/NEWS:1.18 Sun Oct 1 06:15:30 2023
+++ othersrc/libexec/tnftpd/NEWS Sat Nov 25 01:22:53 2023
@@ -1,11 +1,16 @@
-$NetBSD: NEWS,v 1.18 2023/10/01 06:15:30 lukem Exp $
+$NetBSD: NEWS,v 1.19 2023/11/25 01:22:53 lukem Exp $
This is tnftpd version 20231001.
Changes in tnftpd from 20200704 to 20231001:
- Security fixes to improve error handling when switching UID/GID,
- and to prevent MLSD and MLST before authentication succeeds.
+ Security advisories: CVE-2020-7468, CVE-2023-40303, CVE-2023-45198,
+ and NetBSD-SA2023-007.
+
+ Security fix to improve error handling when switching UID/GID,
+ inspired by CVE-2023-40303.
+
+ Security fix to prevent MLSD and MLST before authentication succeeds.
Fix buffer overflows when counting users, and when authenticating
using PAM.
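Review bot: the new header lists CVE-2020-7468 and CVE-2023-40303 under "Security advisories" for this release, but the following paragraph describes the UID/GID change as only "inspired by CVE-2023-40303", which leaves it unclear whether tnftpd 20200704 was itself affected. Stating which identifiers were vulnerabilities in tnftpd (from the wording in the ChangeLog hunk, CVE-2023-45198 and NetBSD-SA2023-007 apply to NetBSD-ftpd directly) and which were related hardening would make this entry usable by packagers doing CVE matching.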
@@ -31,8 +36,10 @@ Changes in tnftpd from 20130322 to 20130
Changes in tnftpd from 20100324 to 20130322:
+ Security advisories: CVE-2011-0418 and NetBSD-SA2010-008.
+
Security fix to avoid resource exhaustion when globbing paths.
- Fix in NetBSD from Maksymilian Arciemowicz. See CVE-2011-0418
+ Fix in NetBSD from Maksymilian Arciemowicz.
Changes in tnftpd from 20091122 to 20100324:
@@ -43,6 +50,8 @@ Changes in tnftpd from 20091122 to 20100
Changes in tnftpd from 20081009 to 20091122:
+ Security advisory: CVE-2009-0537.
+
Portability improvements.
Security fixes for fts in the internal ls.
@@ -62,6 +71,8 @@ Changes in tnftpd from 20080929 to 20081
Changes in tnftpd from 20080609 to 20080929:
+ Security advisories: CVE-2008-4247 and NetBSD-SA2008-014.
+
Don't split large commands into multiple commands; just fail on them.
This prevents cross-site request forgery (CSRF)-like attacks,
when a web browser is used to access an ftp server.
@@ -108,6 +119,8 @@ Changes in tnftpd from 20061204 to 20061
Changes in tnftpd from 20040810 to 20061204:
+ Security advisory: NetBSD-SA2006-027.
+
Fix buffer overflow in local version of glob(3).
Implement -D to run as a stand-alone daemon.