proftpd-1.3.5b-2.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10048 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z proftpd-1.3.5b-2.5 on GA media These are all security issues fixed in the proftpd-1.3.5b-2.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10048 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10048 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-0542/ SUSE CVE CVE-2009-0542 page https://www.suse.com/security/cve/CVE-2009-0543/ SUSE CVE CVE-2009-0543 page https://www.suse.com/security/cve/CVE-2009-3639/ SUSE CVE CVE-2009-3639 page https://www.suse.com/security/cve/CVE-2011-1137/ SUSE CVE CVE-2011-1137 page https://www.suse.com/security/cve/CVE-2011-4130/ SUSE CVE CVE-2011-4130 page https://www.suse.com/security/cve/CVE-2013-4359/ SUSE CVE CVE-2013-4359 page https://www.suse.com/security/cve/CVE-2015-3306/ SUSE CVE CVE-2015-3306 page https://www.suse.com/security/cve/CVE-2016-3125/ SUSE CVE CVE-2016-3125 page openSUSE Tumbleweed proftpd-1.3.5b-2.5 proftpd-devel-1.3.5b-2.5 proftpd-doc-1.3.5b-2.5 proftpd-lang-1.3.5b-2.5 proftpd-ldap-1.3.5b-2.5 proftpd-mysql-1.3.5b-2.5 proftpd-pgsql-1.3.5b-2.5 proftpd-radius-1.3.5b-2.5 proftpd-sqlite-1.3.5b-2.5 proftpd-1.3.5b-2.5 as a component of openSUSE Tumbleweed proftpd-devel-1.3.5b-2.5 as a component of openSUSE Tumbleweed proftpd-doc-1.3.5b-2.5 as a component of openSUSE Tumbleweed proftpd-lang-1.3.5b-2.5 as a component of openSUSE Tumbleweed proftpd-ldap-1.3.5b-2.5 as a component of openSUSE Tumbleweed proftpd-mysql-1.3.5b-2.5 as a component of openSUSE Tumbleweed proftpd-pgsql-1.3.5b-2.5 as a component of openSUSE Tumbleweed proftpd-radius-1.3.5b-2.5 as a component of openSUSE Tumbleweed proftpd-sqlite-1.3.5b-2.5 as a component of openSUSE Tumbleweed SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql. CVE-2009-0542 openSUSE Tumbleweed:proftpd-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-devel-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-doc-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-lang-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-ldap-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-mysql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-pgsql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-radius-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-sqlite-1.3.5b-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-0542.html CVE-2009-0542 https://bugzilla.suse.com/475316 SUSE Bug 475316 ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres. CVE-2009-0543 openSUSE Tumbleweed:proftpd-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-devel-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-doc-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-lang-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-ldap-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-mysql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-pgsql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-radius-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-sqlite-1.3.5b-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-0543.html CVE-2009-0543 https://bugzilla.suse.com/475316 SUSE Bug 475316 The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVE-2009-3639 openSUSE Tumbleweed:proftpd-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-devel-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-doc-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-lang-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-ldap-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-mysql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-pgsql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-radius-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-sqlite-1.3.5b-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-3639.html CVE-2009-3639 https://bugzilla.suse.com/549740 SUSE Bug 549740 https://bugzilla.suse.com/549741 SUSE Bug 549741 Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message. CVE-2011-1137 openSUSE Tumbleweed:proftpd-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-devel-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-doc-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-lang-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-ldap-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-mysql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-pgsql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-radius-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-sqlite-1.3.5b-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-1137.html CVE-2011-1137 Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer. CVE-2011-4130 openSUSE Tumbleweed:proftpd-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-devel-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-doc-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-lang-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-ldap-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-mysql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-pgsql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-radius-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-sqlite-1.3.5b-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4130.html CVE-2011-4130 https://bugzilla.suse.com/729830 SUSE Bug 729830 Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation. CVE-2013-4359 openSUSE Tumbleweed:proftpd-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-devel-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-doc-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-lang-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-ldap-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-mysql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-pgsql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-radius-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-sqlite-1.3.5b-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4359.html CVE-2013-4359 https://bugzilla.suse.com/843444 SUSE Bug 843444 The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands. CVE-2015-3306 openSUSE Tumbleweed:proftpd-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-devel-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-doc-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-lang-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-ldap-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-mysql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-pgsql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-radius-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-sqlite-1.3.5b-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3306.html CVE-2015-3306 https://bugzilla.suse.com/1142281 SUSE Bug 1142281 https://bugzilla.suse.com/927290 SUSE Bug 927290 The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors. CVE-2016-3125 openSUSE Tumbleweed:proftpd-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-devel-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-doc-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-lang-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-ldap-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-mysql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-pgsql-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-radius-1.3.5b-2.5 openSUSE Tumbleweed:proftpd-sqlite-1.3.5b-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3125.html CVE-2016-3125 https://bugzilla.suse.com/970890 SUSE Bug 970890