Module Name: othersrc
Committed By: lukem
Date: Sat Nov 25 01:22:53 UTC 2023

Modified Files:
othersrc/libexec/tnftpd: ChangeLog NEWS

Log Message:
Add history of various security advisories to ChangeLog and NEWS.

To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 othersrc/libexec/tnftpd/ChangeLog
cvs rdiff -u -r1.18 -r1.19 othersrc/libexec/tnftpd/NEWS

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: othersrc/libexec/tnftpd/ChangeLog diff -u othersrc/libexec/tnftpd/ChangeLog:1.68 othersrc/libexec/tnftpd/ChangeLog:1.69 --- othersrc/libexec/tnftpd/ChangeLog:1.68 Sun Oct 1 06:15:30 2023 +++ othersrc/libexec/tnftpd/ChangeLog Sat Nov 25 01:22:53 2023 @@ -1,10 +1,35 @@ -$NetBSD: ChangeLog,v 1.68 2023/10/01 06:15:30 lukem Exp $ +$NetBSD: ChangeLog,v 1.69 2023/11/25 01:22:53 lukem Exp $ +Sat Nov 25 01:21:53 UTC 2023 lu...@netbsd.org + + * Add history of various security advisories to ChangeLog and NEWS. + Sun Oct 1 05:57:14 UTC 2023 lu...@netbsd.org * Release as "tnftpd 20231001". + * Security advisories: + * CVE-2020-7468: In FreeBSD 12.2-STABLE before r365772, + 11.4-STABLE before r365773, 12.1-RELEASE before p10, + 11.4-RELEASE before p4 and 11.3-RELEASE before p14 a ftpd(8) + bug in the implementation of the file system sandbox, combined + with capabilities available to an authenticated FTP user, can + be used to escape the file system restriction configured in + ftpchroot(5). Moreover, the bug allows a malicious client to + gain root privileges. + * CVE-2023-40303: GNU inetutils through 2.4 may allow + privilege escalation because of unchecked return values of + set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and + uucpd. This is, for example, relevant if the setuid system + call fails when a process is trying to drop privileges before + letting an ordinary user control the activities of the + process. + * CVE-2023-45198: ftpd before "NetBSD-ftpd 20230930" can leak + information about the host filesystem before authentication + via an MLSD or MLST command. + * NetBSD-SA2023-007: multiple vulnerabilities in ftpd(8). + * Always use $YACC even without --enable-maintainer-mode. * Update to NetBSD-ftpd 20230930: 
@@ -28,7 +53,7 @@ Sat Sep 23 05:39:49 UTC 2023 lukem@NetBS fatal. Also treat failed set{e,}(u,g}id calls as fatal. Addresses CVE-2020-7468, via FreeBSD. * Improve seteuid error handling, per suggestion by Simon - Josefsson. + Josefsson and CVE-2023-40303. * Add missing check_login checks for MLST and MLSD. * Sync libnetbsd replacements with NetBSD upstream: @@ -117,6 +142,15 @@ Fri Mar 22 09:00:00 UTC 2013 lukem@NetBS * Release as "tnftpd 20130322" + * Security advisories: + * CVE-2011-0418: The glob implementation in Pure-FTPd before + 1.0.32, and in libc in NetBSD 5.1, does not properly expand + expressions containing curly brackets, which allows remote + authenticated users to cause a denial of service (memory + consumption) via a crafted FTP STAT command. + * NetBSD-SA2010-008: sftp(1)/ftp(1)/glob(3) related resource + exhaustion. + * Update build framekwork to autoconf 2.69, automake 1.11.1, libtool 2.4.2. @@ -153,6 +187,16 @@ Wed Dec 30 01:48:57 UTC 2009 lukem@NetBS * Release as "tnftpd 20091122" + * Security advisories: + * CVE-2009-0537: Integer overflow in the fts_build function in + fts.c in libc in (1) OpenBSD 4.4 and earlier and (2) Microsoft + Interix 6.0 build 10.0.6030.0 allows context-dependent + attackers to cause a denial of service (application crash) via + a deep directory tree, related to the fts_level structure + member, as demonstrated by (a) du, (b) rm, (c) chmod, and (d) + chgrp on OpenBSD; and (e) SearchIndexer.exe on Vista + Enterprise. + Sat Nov 7 11:13:38 UTC 2009 lu...@netbsd.org * Convert to automake & libtool. @@ -180,7 +224,8 @@ Sun Mar 1 03:10:40 UTC 2009 lukem@NetBS fts_options. - Avoid possible integer overflow and subsequent collateral damage. - Received from OpenBSD via US-CERT as VU #590371. + Received from OpenBSD via US-CERT as VU #590371 and + as CVE-2009-0537. Tue Dec 30 22:36:05 UTC 2008 lu...@netbsd.org 
@@ -229,6 +274,16 @@ Mon Sep 29 00:56:00 UTC 2008 lukem@NetBS * Tagged as "tnftpd-20080929". + * Security advisories: + * CVE-2008-4247: ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, + Solaris, and possibly other operating systems interprets long + commands from an FTP client as multiple commands, which allows + remote attackers to conduct cross-site request forgery (CSRF) + attacks and execute arbitrary FTP commands via a long ftp:// + URI that leverages an existing session from the FTP client + implementation in a web browser. + * NetBSD-SA2008-014: Cross-site request forgery in ftpd(8). + * Updated version to "tnftpd 20080929". Sat Sep 27 16:05:08 UTC 2008 lu...@netbsd.org @@ -431,6 +486,9 @@ Mon Dec 4 02:09:16 UTC 2006 lukem@NetBS * Tagged as "tnftpd-20061204". + * Security advisories: + * NetBSD-SA2006-027: libc glob(3) buffer overflow. + * Updated version to "tnftpd 20061204" * Added NEWS file back. @@ -561,6 +619,13 @@ Tue Aug 10 00:59:10 UTC 2004 lukem@NetBS * Tagged as "tnftpd-20040810". + * Security advisories: + * CVE-2004-0794: Multiple signal handler race conditions in + lukemftpd (aka tnftpd before 20040810) allow remote + authenticated attackers to cause a denial of service or + execute arbitrary code. + * NetBSD-SA2004-009: ftpd root escalation. + * Updated version to "tnftpd 20040810" Tue Aug 10 00:48:58 UTC 2004 lu...@netbsd.org @@ -744,12 +809,16 @@ Sun Dec 8 13:09:20 UTC 2002 lukem@NetBS * provide replacement for strsuftollx() - * update to NetBSD-current 2002-10-08 + * update to NetBSD-current 2002-12-08 Sat Oct 26 12:25:03 UTC 2002 lu...@netbsd.org * tagged as "tnftpd 2.0 beta1" + * Security advisories: + * NetBSD-SA2002-027: ftpd STAT output non-conformance can + deceive firewall devices. + Sat Oct 26 03:24:45 UTC 2002 lu...@netbsd.org * renamed release to `tnftpd' 
@@ -857,6 +926,10 @@ Sun Apr 8 03:35:55 UTC 2001 lukem@NetBS * release 1.0 + * Security advisories: + * NetBSD-SA2001-005: Ftpd denial of service and remote buffer + overflow. + Thu Apr 5 14:08:25 UTC 2001 lu...@netbsd.org * search for lockf and flock, and use the first found (in that Index: othersrc/libexec/tnftpd/NEWS diff -u othersrc/libexec/tnftpd/NEWS:1.18 othersrc/libexec/tnftpd/NEWS:1.19 --- othersrc/libexec/tnftpd/NEWS:1.18 Sun Oct 1 06:15:30 2023 +++ othersrc/libexec/tnftpd/NEWS Sat Nov 25 01:22:53 2023 @@ -1,11 +1,16 @@ -$NetBSD: NEWS,v 1.18 2023/10/01 06:15:30 lukem Exp $ +$NetBSD: NEWS,v 1.19 2023/11/25 01:22:53 lukem Exp $ This is tnftpd version 20231001. Changes in tnftpd from 20200704 to 20231001: - Security fixes to improve error handling when switching UID/GID, - and to prevent MLSD and MLST before authentication succeeds. + Security advisories: CVE-2020-7468, CVE-2023-40303, CVE-2023-45198, + and NetBSD-SA2023-007. + + Security fix to improve error handling when switching UID/GID, + inspired by CVE-2023-40303. + + Security fix to prevent MLSD and MLST before authentication succeeds. Fix buffer overflows when counting users, and when authenticating using PAM. @@ -31,8 +36,10 @@ Changes in tnftpd from 20130322 to 20130 Changes in tnftpd from 20100324 to 20130322: + Security advisories: CVE-2011-0418 and NetBSD-SA2010-008. + Security fix to avoid resource exhaustion when globbing paths. - Fix in NetBSD from Maksymilian Arciemowicz. See CVE-2011-0418 + Fix in NetBSD from Maksymilian Arciemowicz. Changes in tnftpd from 20091122 to 20100324: @@ -43,6 +50,8 @@ Changes in tnftpd from 20091122 to 20100 Changes in tnftpd from 20081009 to 20091122: + Security advisory: CVE-2009-0537. + Portability improvements. Security fixes for fts in the internal ls. 
@@ -62,6 +71,8 @@ Changes in tnftpd from 20080929 to 20081 Changes in tnftpd from 20080609 to 20080929: + Security advisories: CVE-2008-4247 and NetBSD-SA2008-014. + Don't split large commands into multiple commands; just fail on them. This prevents cross-site request forgery (CSRF)-like attacks, when a web browser is used to access an ftp server. @@ -108,6 +119,8 @@ Changes in tnftpd from 20061204 to 20061 Changes in tnftpd from 20040810 to 20061204: + Security advisory: NetBSD-SA2006-027. + Fix buffer overflow in local version of glob(3). Implement -D to run as a stand-alone daemon.
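
Review bot: The CVE-2020-7468 and CVE-2023-40303 entries added under "Release as "tnftpd 20231001"" (ChangeLog hunk @@ -1,10 +1,35 @@) describe FreeBSD ftpd and GNU inetutils only, so a reader cannot tell from this block whether tnftpd itself was affected or which change closed the issue. Consider ending each entry with a pointer to the matching Sat Sep 23 2023 item, for example "Treat failed set{e,}{u,g}id calls as fatal" for the set*id() cases and "Add missing check_login checks for MLST and MLSD" for CVE-2023-45198.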
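
Review bot: In ChangeLog hunk @@ -28,7 +53,7 @@ the new wording "per suggestion by Simon Josefsson and CVE-2023-40303" reads as if the CVE made the suggestion, and it differs from the NEWS text, which says "inspired by CVE-2023-40303". Using the same phrase in both files, such as "per suggestion by Simon Josefsson; inspired by CVE-2023-40303", would keep them consistent. The context line just above also has a mismatched bracket in "set{e,}(u,g}id" that could be corrected to "set{e,}{u,g}id" while this entry is being edited.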
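
Review bot: The change from "update to NetBSD-current 2002-10-08" to "2002-12-08" in ChangeLog hunk @@ -744,12 +809,16 @@ is a correction to an existing entry, not advisory history, and the log message does not mention it. The new date agrees with the entry's own header (Sun Dec 8 2002), so the fix looks right, but it should either be noted in the log message and the new Sat Nov 25 2023 ChangeLog item or go in as a separate commit.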
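
Review bot: In NEWS hunk @@ -1,11 +1,16 @@ the new "Security advisories:" line lists four identifiers, but only CVE-2023-40303 is tied to a fix in the paragraphs that follow. The ChangeLog attributes the fatal set{e,}{u,g}id handling to CVE-2020-7468 and describes CVE-2023-45198 as the pre-authentication MLSD/MLST leak, so the UID/GID paragraph could also name CVE-2020-7468 and the "prevent MLSD and MLST before authentication succeeds" paragraph could name CVE-2023-45198. That lets someone triaging a single CVE find the relevant fix without cross-reading the ChangeLog.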