Site Navigation:
security proftpd-1.3.2d-1.el5 security update
Release: Fedora EPEL 5
Update ID: FEDORA-EPEL-2010-2274
Builds: proftpd-1.3.2d-1.el5 (logs)
Pushed: True
Date Submitted: 2010-02-19 22:24:36
Date Released: 2010-02-22 21:59:53
Submitter: pghmcfc
Karma: 0

This update addresses CVE-2009-3555 (SSL/TLS renegotiation vulnerability), mitigating the problem by refusing all client-initiated SSL/TLS session renegotiations.

This update to the latest maintenance release also fixes a number of bugs recorded in the proftpd bug tracker:

  • SSL/TLS renegotiation vulnerability (CVE-2009-3555, bug 3324)
  • Failed database transaction can cause mod_quotatab to loop (bug 3228)
  • Segfault in mod_wrap (bug 3332)
  • <Directory> sections can have <Limit> problems (bug 3337)
  • mod_wrap2 segfaults when a valid user retries the USER command (bug 3341)
  • modauthfile handles 'getgroups' request incorrectly (bug 3347)
  • Segfault caused by scrubbing zero-length portion of memory (bug 3350)
  • Lack of PID protection in ScoreboardFile (bug 3370)
  • Crash when retrying a failed login with mod_radius being used (bug 3372)
  • RADIUS authentication broken on 64-bit platforms (bug 3381)
  • SIGHUP eventually causes certain DSO modules to segfault (bug 3387)

Finally, the behaviour of the MLSD FTP command (used in many modern FTP clients to list directories) is fixed for the case when the FTP server's configuration disallows its usage (using a <Limit> clause) in some but not all places (#544002).

Bugs Fixed
533125 - CVE-2009-3555: TLS: MITM attacks via session renegotiation
bodhi - 2010-02-22 22:36:05
This update has been pushed to testing
pghmcfc - 2010-03-09 11:20:59
This update has been submitted for stable.
bodhi - 2010-03-12 00:04:44
This update has been pushed to stable

Add a comment

Tip: Login to impact how quickly this update gets pushed or unpushed.
obfuscated letters