Operating System:

[Debian]

Published:

27 February 2020

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0703
                       proftpd-dfsg security update
                             27 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           proftpd-dfsg
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9273  

Reference:         ESB-2020.0635

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4635

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4635-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 26, 2020                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : proftpd-dfsg
CVE ID         : CVE-2020-9273
Debian Bug     : 951800

Antonio Morales discovered a use-after-free flaw in the memory pool
allocator in ProFTPD, a powerful modular FTP/SFTP/FTPS server.
Interrupting current data transfers can corrupt the ProFTPD memory pool,
leading to denial of service, or potentially the execution of arbitrary
code.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.3.5b-4+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 1.3.6-4+deb10u4.

We recommend that you upgrade your proftpd-dfsg packages.

For the detailed security status of proftpd-dfsg please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/proftpd-dfsg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================