[ MDKSA-2007:130 ] - Updated proftpd packages fix authentication bypass vulnerability




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:130
http://www.mandriva.com/security/
_______________________________________________________________________

Package : proftpd
Date : June 20, 2007
Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

The Auth API in ProFTPD, when multiple simultaneous authentication
modules are configured, did not require that the module that checks
authentication is the same module that retrieves authentication data,
which could possibly be used to allow remote attackers to bypass
authentication.

The updated packages have been patched to prevent this issue. As well,
this update provides proper PAM configuration files for ProFTPD
on Corporate Server 4 that had prevented any mod_auth_pam-based
connections from succeeding authentication.

As well, ProFTPD 1.3.0 is being provided for Corporate 3 and Corporate
Server 4.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2165
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
4df0bb279c6d8f7bca7dc07ab3eb2d31 2007.0/i586/proftpd-1.3.0-4.5mdv2007.0.i586.rpm
c2946c78cb194b5f51d92a953992aa89 2007.0/i586/proftpd-anonymous-1.3.0-4.5mdv2007.0.i586.rpm
925224538848b48252478e217fbec141 2007.0/i586/proftpd-mod_autohost-1.3.0-4.5mdv2007.0.i586.rpm
f305778522e898984c78c7e765a2cc76 2007.0/i586/proftpd-mod_case-1.3.0-4.5mdv2007.0.i586.rpm
2abec2599e8419fc157def93994e82e5 2007.0/i586/proftpd-mod_clamav-1.3.0-4.5mdv2007.0.i586.rpm
5faedb96d6a677514c129edeb7093372 2007.0/i586/proftpd-mod_ctrls_admin-1.3.0-4.5mdv2007.0.i586.rpm
6f75196f4631f118f7acf1729759e07f 2007.0/i586/proftpd-mod_facl-1.3.0-4.5mdv2007.0.i586.rpm
923a23a42f6bd9d2e5bc8594066537f2 2007.0/i586/proftpd-mod_gss-1.3.0-4.5mdv2007.0.i586.rpm
5a2b197795a0efc4fba59a0bc2b8f131 2007.0/i586/proftpd-mod_ifsession-1.3.0-4.5mdv2007.0.i586.rpm
7b2b918c9635afd6bb08f98257a6b4db 2007.0/i586/proftpd-mod_ldap-1.3.0-4.5mdv2007.0.i586.rpm
a0d2e6370399a7244fe51a47048b4ef2 2007.0/i586/proftpd-mod_load-1.3.0-4.5mdv2007.0.i586.rpm
6a0ece8bdaaa6c1f48902b2c2df26ea0 2007.0/i586/proftpd-mod_quotatab-1.3.0-4.5mdv2007.0.i586.rpm
d2522f67f32bfca2c3527384788f9a20 2007.0/i586/proftpd-mod_quotatab_file-1.3.0-4.5mdv2007.0.i586.rpm
3f3894791558762d69845e6e910dae1c 2007.0/i586/proftpd-mod_quotatab_ldap-1.3.0-4.5mdv2007.0.i586.rpm
30edda52bb9fda389d43ebde94492641 2007.0/i586/proftpd-mod_quotatab_sql-1.3.0-4.5mdv2007.0.i586.rpm
6c054b96b625d64a9d50857e179ffbd3 2007.0/i586/proftpd-mod_radius-1.3.0-4.5mdv2007.0.i586.rpm
ff8f33895f9a32f288e8ed494989c20a 2007.0/i586/proftpd-mod_ratio-1.3.0-4.5mdv2007.0.i586.rpm
827b6ec650689fb9a3feac1bd495787c 2007.0/i586/proftpd-mod_rewrite-1.3.0-4.5mdv2007.0.i586.rpm
b9396dca35e62ddef1b0fdb8b26a4ac9 2007.0/i586/proftpd-mod_shaper-1.3.0-4.5mdv2007.0.i586.rpm
75f200926728544d7a4873bad06d2cb3 2007.0/i586/proftpd-mod_site_misc-1.3.0-4.5mdv2007.0.i586.rpm
cff19e7b2c019134111dab837d5436f4 2007.0/i586/proftpd-mod_sql-1.3.0-4.5mdv2007.0.i586.rpm
8f1aff76b00cadebc2cb829293d474b0 2007.0/i586/proftpd-mod_sql_mysql-1.3.0-4.5mdv2007.0.i586.rpm
e597af607ab4ada1407a2f395d822afb 2007.0/i586/proftpd-mod_sql_postgres-1.3.0-4.5mdv2007.0.i586.rpm
bd6690392c2728daa500870f2610b758 2007.0/i586/proftpd-mod_time-1.3.0-4.5mdv2007.0.i586.rpm
f8173b4b26d0d63befd2b92f73ab9b3a 2007.0/i586/proftpd-mod_tls-1.3.0-4.5mdv2007.0.i586.rpm
cda11e65a754aa5767bb64c84ef90234 2007.0/i586/proftpd-mod_wrap-1.3.0-4.5mdv2007.0.i586.rpm
d7c3ef9d9d86a0169c89be2ec337697d 2007.0/i586/proftpd-mod_wrap_file-1.3.0-4.5mdv2007.0.i586.rpm
263c3654a26ad95cf5ae24dd988f0a0a 2007.0/i586/proftpd-mod_wrap_sql-1.3.0-4.5mdv2007.0.i586.rpm
3299419cb899a2e5dc59bce9c1acb110 2007.0/SRPMS/proftpd-1.3.0-4.5mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
940641dfb53f06220006a78bc3ef412a 2007.0/x86_64/proftpd-1.3.0-4.5mdv2007.0.x86_64.rpm
272f5c877ec0dbb2ec763234037b9f45 2007.0/x86_64/proftpd-anonymous-1.3.0-4.5mdv2007.0.x86_64.rpm
c3639b4ebda795d4f4ada5d822351bbd 2007.0/x86_64/proftpd-mod_autohost-1.3.0-4.5mdv2007.0.x86_64.rpm
cd8f4de8f8ba96999d5c4c72ee34b8aa 2007.0/x86_64/proftpd-mod_case-1.3.0-4.5mdv2007.0.x86_64.rpm
bec70f0a129f9621e37478b9ca35d82b 2007.0/x86_64/proftpd-mod_clamav-1.3.0-4.5mdv2007.0.x86_64.rpm
b8c522241e7debdfd2e838251fd06b75 2007.0/x86_64/proftpd-mod_ctrls_admin-1.3.0-4.5mdv2007.0.x86_64.rpm
399f89d3817e837797f4f15af6c10d80 2007.0/x86_64/proftpd-mod_facl-1.3.0-4.5mdv2007.0.x86_64.rpm
d75e5036eaf567ad702c4e7ababb2245 2007.0/x86_64/proftpd-mod_gss-1.3.0-4.5mdv2007.0.x86_64.rpm
b6bad90f9006f26d3a5edc2108926fcc 2007.0/x86_64/proftpd-mod_ifsession-1.3.0-4.5mdv2007.0.x86_64.rpm
100ce895b525057284deb236a0fda789 2007.0/x86_64/proftpd-mod_ldap-1.3.0-4.5mdv2007.0.x86_64.rpm
681ba7d40478c0f30c236ebe792718bf 2007.0/x86_64/proftpd-mod_load-1.3.0-4.5mdv2007.0.x86_64.rpm
609656a44f2c4a581c429d3fb5e772c6 2007.0/x86_64/proftpd-mod_quotatab-1.3.0-4.5mdv2007.0.x86_64.rpm
ab7367049078956fdf822104032b6f70 2007.0/x86_64/proftpd-mod_quotatab_file-1.3.0-4.5mdv2007.0.x86_64.rpm
cc642a2bdb6f833fe5132d47f3f5f26b 2007.0/x86_64/proftpd-mod_quotatab_ldap-1.3.0-4.5mdv2007.0.x86_64.rpm
3658ead93a56dbc601157a15df578416 2007.0/x86_64/proftpd-mod_quotatab_sql-1.3.0-4.5mdv2007.0.x86_64.rpm
e29d2e68f61916091b93f1c86b1e0257 2007.0/x86_64/proftpd-mod_radius-1.3.0-4.5mdv2007.0.x86_64.rpm
16f66ebf852171d9fe1e8343342bea55 2007.0/x86_64/proftpd-mod_ratio-1.3.0-4.5mdv2007.0.x86_64.rpm
5a2df1e2e63c2dbff65f7ee04c0eaead 2007.0/x86_64/proftpd-mod_rewrite-1.3.0-4.5mdv2007.0.x86_64.rpm
e4aec51decb390c7826f032e23eb42ca 2007.0/x86_64/proftpd-mod_shaper-1.3.0-4.5mdv2007.0.x86_64.rpm
fcd136ad6b900e3a61269cbed5c25209 2007.0/x86_64/proftpd-mod_site_misc-1.3.0-4.5mdv2007.0.x86_64.rpm
75d4aefcafe256d0bd9c8c66a1d38dc2 2007.0/x86_64/proftpd-mod_sql-1.3.0-4.5mdv2007.0.x86_64.rpm
5f4bd2e0781928a87ff4fea034e91d1e 2007.0/x86_64/proftpd-mod_sql_mysql-1.3.0-4.5mdv2007.0.x86_64.rpm
138ef662cf42977c82422f457a97e50b 2007.0/x86_64/proftpd-mod_sql_postgres-1.3.0-4.5mdv2007.0.x86_64.rpm
ae43000ebfe0421b521af2fd4106898e 2007.0/x86_64/proftpd-mod_time-1.3.0-4.5mdv2007.0.x86_64.rpm
e1f0ff6ed6a41afc7aa9e2b20556dbb8 2007.0/x86_64/proftpd-mod_tls-1.3.0-4.5mdv2007.0.x86_64.rpm
838756544cb2472ed5d132820b184f50 2007.0/x86_64/proftpd-mod_wrap-1.3.0-4.5mdv2007.0.x86_64.rpm
fdb226ad98715d1af3cfa052fe977793 2007.0/x86_64/proftpd-mod_wrap_file-1.3.0-4.5mdv2007.0.x86_64.rpm
f5ad64dba41e0a8a378ce68f68830055 2007.0/x86_64/proftpd-mod_wrap_sql-1.3.0-4.5mdv2007.0.x86_64.rpm
3299419cb899a2e5dc59bce9c1acb110 2007.0/SRPMS/proftpd-1.3.0-4.5mdv2007.0.src.rpm

Mandriva Linux 2007.1:
4b1d228962a1de1e09c8f3ea726849d6 2007.1/i586/proftpd-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
bfa675072317434abeea36b7cdec31c5 2007.1/i586/proftpd-devel-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
32a7206bdb1824336ebcf6ba03e6691b 2007.1/i586/proftpd-mod_autohost-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
38d95f4ebbdf8de0554bc3af1b3c9e17 2007.1/i586/proftpd-mod_ban-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
fb4036a8c065af77c8a2ea85c492a81a 2007.1/i586/proftpd-mod_case-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
181ce7dfd6917f223ca7f4327fd7ab30 2007.1/i586/proftpd-mod_clamav-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
dc83e69bfd9e4f164bfe367e39ede0d0 2007.1/i586/proftpd-mod_ctrls_admin-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
17d0816f66eca26fe37ac0db513dc923 2007.1/i586/proftpd-mod_gss-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
09fa82fe7ef48bd2bda42c34a83f6033 2007.1/i586/proftpd-mod_ifsession-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
54e690f8413eb62ab7733fdda4a0222f 2007.1/i586/proftpd-mod_ldap-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
e937a48e4014137c2e45b8b5e8113996 2007.1/i586/proftpd-mod_load-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
263a70ff3670dea161ef7649b5c290de 2007.1/i586/proftpd-mod_quotatab-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
a074a7838dfb82cf234a99aa0c049a83 2007.1/i586/proftpd-mod_quotatab_file-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
a62039e5ea274343dc4ae97750b1db1c 2007.1/i586/proftpd-mod_quotatab_ldap-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
79e2bdf3154a1699fb4908983d1665aa 2007.1/i586/proftpd-mod_quotatab_radius-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
b621d0e8f31323252cfea0233f22eff0 2007.1/i586/proftpd-mod_quotatab_sql-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
f1e808e6e6fe516a11b87ebd42cb3379 2007.1/i586/proftpd-mod_radius-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
097444ebc47f634d4d5403340a4a873a 2007.1/i586/proftpd-mod_ratio-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
d9e489312513f7e7f9cf6036de0af1a5 2007.1/i586/proftpd-mod_rewrite-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
8962cb028755089796af0f09f96de093 2007.1/i586/proftpd-mod_shaper-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
a69863fbcd526c90e37f826a6f9c3187 2007.1/i586/proftpd-mod_site_misc-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
d1570263aa067370be4640163e1753d0 2007.1/i586/proftpd-mod_sql-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
694e3ec959d13fde8dd2b6478de3918d 2007.1/i586/proftpd-mod_sql_mysql-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
2a807d8473b3c68bb5b738039f433908 2007.1/i586/proftpd-mod_sql_postgres-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
59ea33a497e208f280019da201316cae 2007.1/i586/proftpd-mod_time-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
cc04311aaad90ab8bf854e447d8a3f57 2007.1/i586/proftpd-mod_tls-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
da7a372fad04ce856fbab929805cb669 2007.1/i586/proftpd-mod_wrap-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
9406a1a670290f3cb0f9973a3e21d630 2007.1/i586/proftpd-mod_wrap_file-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
a14bf3d954440dd7f8d47a6b8afcc2fa 2007.1/i586/proftpd-mod_wrap_sql-1.3.1-0.rc2.3.2mdv2007.1.i586.rpm
8bc7c79e359964e602cff2449524950c 2007.1/SRPMS/proftpd-1.3.1-0.rc2.3.2mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
c2523b8709c9a540961647aad40d9989 2007.1/x86_64/proftpd-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
356fe665f2352eec48cb246e0708b4d4 2007.1/x86_64/proftpd-devel-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
c9cd8258b22d92430a7e0371e7c60e54 2007.1/x86_64/proftpd-mod_autohost-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
9dab10bdd62e5435358bc6109689bed4 2007.1/x86_64/proftpd-mod_ban-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
46058e43b04c91bdaddffcda96025987 2007.1/x86_64/proftpd-mod_case-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
88b192dbd9f93a6f8d993309c494281a 2007.1/x86_64/proftpd-mod_clamav-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
72fbec6f115c2dbb5699c6b4ac188b71 2007.1/x86_64/proftpd-mod_ctrls_admin-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
63573257ad2506fd4d201ba2df98c0f9 2007.1/x86_64/proftpd-mod_gss-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
a3f0d6445d3149ae0060d3b2aba69d6d 2007.1/x86_64/proftpd-mod_ifsession-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
1d7977c5df05438b710aaaea5ca01814 2007.1/x86_64/proftpd-mod_ldap-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
044d313faca53666d4f9fc14b8f47dee 2007.1/x86_64/proftpd-mod_load-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
a6843f00a2e55b8176ed44fbe13c764c 2007.1/x86_64/proftpd-mod_quotatab-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
b663d7a5944316ba11b445db0ccd9183 2007.1/x86_64/proftpd-mod_quotatab_file-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
63b556c8a929f04574fd4790acd4ed93 2007.1/x86_64/proftpd-mod_quotatab_ldap-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
d7a6e0353f2da156373b983e2ce6c01d 2007.1/x86_64/proftpd-mod_quotatab_radius-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
eb696413ff9ba4dbcd53ef182fb7555d 2007.1/x86_64/proftpd-mod_quotatab_sql-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
c277df37ce4df69a6a3610f7db201b80 2007.1/x86_64/proftpd-mod_radius-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
dc3a5f61099a17535f0e95e269506ac2 2007.1/x86_64/proftpd-mod_ratio-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
6226b9cdb17cb40a6a22a34826f24016 2007.1/x86_64/proftpd-mod_rewrite-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
542cb1afa04afd70dc5c0ea2b765831c 2007.1/x86_64/proftpd-mod_shaper-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
72fc6743ac5cd0e131b3bd58c90b44fa 2007.1/x86_64/proftpd-mod_site_misc-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
94eff54009a6d1762a8d5a57656cddff 2007.1/x86_64/proftpd-mod_sql-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
b16d68307139c675a52139f1116367ab 2007.1/x86_64/proftpd-mod_sql_mysql-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
c243ed37d94e015deeabb2e0c0d5b2c2 2007.1/x86_64/proftpd-mod_sql_postgres-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
7d621196c308529b70cbca69822f86c3 2007.1/x86_64/proftpd-mod_time-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
7bdf1859c1d17944c2a03c1a64c64fbd 2007.1/x86_64/proftpd-mod_tls-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
3f9b7ec94bc8ccfee81f713984858f82 2007.1/x86_64/proftpd-mod_wrap-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
c518f3986960987ec9fb09c1d5c36a1c 2007.1/x86_64/proftpd-mod_wrap_file-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
f02aff0c7bf81f9c602d187230894330 2007.1/x86_64/proftpd-mod_wrap_sql-1.3.1-0.rc2.3.2mdv2007.1.x86_64.rpm
8bc7c79e359964e602cff2449524950c 2007.1/SRPMS/proftpd-1.3.1-0.rc2.3.2mdv2007.1.src.rpm

Corporate 3.0:
071cee298ebaccb0945bdf2ef14758a7 corporate/3.0/i586/proftpd-1.3.0-0.1.C30mdk.i586.rpm
b26fd6dd8e43d471a18e9ca68080c2de corporate/3.0/i586/proftpd-anonymous-1.3.0-0.1.C30mdk.i586.rpm
f5dff5500c22b895b9ee4a1103a0c98b corporate/3.0/SRPMS/proftpd-1.3.0-0.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
898ed42bcdd19766472f0da3a07f9e3a corporate/3.0/x86_64/proftpd-1.3.0-0.1.C30mdk.x86_64.rpm
c6f4e2af00da2c6b9d4e7e5f9b4d93f6 corporate/3.0/x86_64/proftpd-anonymous-1.3.0-0.1.C30mdk.x86_64.rpm
f5dff5500c22b895b9ee4a1103a0c98b corporate/3.0/SRPMS/proftpd-1.3.0-0.1.C30mdk.src.rpm

Corporate 4.0:
96d2be6fae3efb7239f310d76bc04f80 corporate/4.0/i586/proftpd-1.3.0-0.1.20060mlcs4.i586.rpm
2a96dc582ed55f1f4fa0f0055d42cc29 corporate/4.0/i586/proftpd-anonymous-1.3.0-0.1.20060mlcs4.i586.rpm
c8104221586d7db34c8319832c63e27a corporate/4.0/SRPMS/proftpd-1.3.0-0.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
cf2c25efe10585b29dd400cbfdc93498 corporate/4.0/x86_64/proftpd-1.3.0-0.1.20060mlcs4.x86_64.rpm
399ea27ed2b7daaa589c4a8abadfb325 corporate/4.0/x86_64/proftpd-anonymous-1.3.0-0.1.20060mlcs4.x86_64.rpm
c8104221586d7db34c8319832c63e27a corporate/4.0/SRPMS/proftpd-1.3.0-0.1.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGeay5mqjQ0CJFipgRArHGAJ0VKmUKL0vmxsIbJBGKLohARh3hxQCgg7Yx
9Wm0YuocqihQgrZXtUA7Yfs=
=c2xp
-----END PGP SIGNATURE-----



Relevant Pages