[SECURITY] [DLA 3975-1] proftpd-dfsg security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3975-1] proftpd-dfsg security update
From: rouca@debian.org
Date: Fri, 29 Nov 2024 20:56:20 +0000
Message-id: <[🔎] c61f9e24a83dcfad6fecd13626d03854@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3975-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien RoucariÃ¨s
November 29, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : proftpd-dfsg
Version        : 1.3.7a+dfsg-12+deb11u3
CVE ID         : CVE-2023-48795 CVE-2023-51713 CVE-2024-48651
Debian Bug     : 1082326

ProFTPD a popular FTP server was affected by multiple
vulnerabilities.

CVE-2023-48795

    The SSH transport protocol and variant like SFTP protocol used by
    ProFTPD allowed remote attackers to bypass integrity checks
    such that some packets are omitted (from the extension negotiation message),
    and a client and server may consequently end up with a connection
    for which some security features have been downgraded or disabled,
    aka a Terrapin attack.

CVE-2023-51713

    make_ftp_cmd function has a one-byte out-of-bounds read,
    because of mishandling of quote/backslash semantics.

CVE-2024-48651

    In proftpd with mod_sftp and mod_sql, an user with
    no supplemental groups will incorrectly inherit supplemental
    groups from the parent process. Thhis behavior resulted in users gaining supplemental
    membership in nogroup, or depending of version root group (GID=0).

For Debian 11 bullseye, these problems have been fixed in version
1.3.7a+dfsg-12+deb11u3.

We recommend that you upgrade your proftpd-dfsg packages.

For the detailed security status of proftpd-dfsg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/proftpd-dfsg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmdKKnQRHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF8hBRAAiUqg/oVVDHt1IZX0mJ2gkLlwxtW6siFF
WxpgQWx1rClZJlLFGQK6XEjTp6Ldk8InJTjqFrNPtKHqFGB4ncPwcQAsnLfbdFqT
KtOutnqjeOB8TxZoOirEJDmLshOWzh6+aaAniMoBikeunzs+QNRhdQr3X55oDPR8
zU8y7GJoHnrN6O7wve0mIMVQC+OZzlVu/Hdcev/9oupyjaBw2lMepiANaBOz3L1p
dP2BrofvCSerHYAp0AYahHJ2B4Z9MTS4V8CK+MP02viqkNNMBWvUPG9gYNiAJ5sb
alwc54hJF90CyF4LhPcqBtl+cZwJSW21kMjt5WqgS1kT8dUOFUhF61V6ApX5QRu8
3pIHjJOY2y0+sumb1Up2tW6Eo6epHr4RuUZPnSdv62ZccriC25QBvoyICchxVQ3T
74wlSDpLuNCmcbXXMhHodi0s5eq51MstD/xST2Rq20gXGv534dGWLxgAc0rhSx8W
yfRK4uQUF/yMpVSq9xuRsvIYsgtF2/BXMqzyilvztbWZFrgViFs922xiKMgcX4q3
WJaSUUIFmgDUh8ds6CQSMzBMu64b3ltnR/66iBFhWa3bH2XfhPRwZkreaqARpwou
iagwT1nq3nRSHbxCzcmRmWlsePPHqgtCHNLyIxJtqzanc7IUgl+x4HEzkUWTn9Me
ZLO6ubC9THU=
=nCJJ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3973-1] redis security update
Next by Date: [SECURITY] [DLA 3976-1] tgt security update
Previous by thread: [SECURITY] [DLA 3973-1] redis security update
Next by thread: [SECURITY] [DLA 3976-1] tgt security update
Index(es):
- Date
- Thread