ELA-1343-1 proftpd-dfsg security update

multiple vulnerabilities

2025-03-09
Package: proftpd-dfsg
Version: 1.3.5e+r1.3.5b-4+deb9u4 (stretch), 1.3.6-4+deb10u7 (buster)
Related CVEs: CVE-2023-48795 CVE-2023-51713 CVE-2024-48651 CVE-2024-57392


Multiple vulnerabilities were fixed in ProFTPD, a popular FTP server.

CVE-2023-48795:

The SSH transport protocol with certain OpenSSH extensions, such as the SFTP implementation found in ProFTPD, allows remote attackers
to bypass integrity checks such that some packets are omitted (from the extension negotiation message),
and a client and server may consequently end up with a connection for which some security features have been downgraded
or disabled.

This attack is also known as the Terrapin attack.

CVE-2023-51713:

The make_ftp_cmd function in ProFTPD has a one-byte out-of-bounds read.

CVE-2024-48651:

A user with no supplemental groups will incorrectly inherit supplemental groups
from the parent process. The parent process retains supplemental GID 0, which is inherited by child
processes and not overwritten if the authenticated user has no supplemental groups.

CVE-2024-57392:

A buffer overflow vulnerability allows a remote attacker to execute arbitrary code (RCE) or cause a
denial of service (DoS) on the FTP service by sending a maliciously crafted message to the ProFTPD service port.

Moreover, two important bugs were fixed in this release:

BlastRADIUS fix:

Fix the computation of the RADIUS Message-Authenticator signature to conform
more properly to RFC 2869, and allow RADIUS authentication to work against
mitigations of CVE-2024-3596.
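As an added illustration of the RFC 2869 computation this fix concerns (example code written for this advisory, not ProFTPD's own code): the Message-Authenticator is HMAC-MD5, keyed with the shared secret, over the whole packet with the attribute's own value zeroed, and for responses it is computed over the Request Authenticator of the matching Access-Request. The shared secret, identifier and attribute values below are constructed.

```python
import hashlib
import hmac
import struct

MSG_AUTH_TYPE = 80  # Message-Authenticator attribute (RFC 2869 section 5.14)

def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_packet(code, ident, authenticator, attributes):
    """Assemble Code, Identifier, Length, Authenticator and the attribute list."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def message_authenticator(secret, code, ident, request_authenticator, attributes):
    """HMAC-MD5(shared secret) over the whole packet, with the Message-Authenticator
    value zeroed. For responses, the Authenticator field used here is the Request
    Authenticator of the matching Access-Request, not the response's own field."""
    zeroed = [avp(MSG_AUTH_TYPE, b"\x00" * 16) if a[0] == MSG_AUTH_TYPE else a for a in attributes]
    packet = build_packet(code, ident, request_authenticator, zeroed)
    return hmac.new(secret, packet, hashlib.md5).digest()

def sign_request(secret, ident, request_authenticator, attributes):
    """Return an Access-Request (Code 1) carrying a correct Message-Authenticator."""
    attrs = list(attributes) + [avp(MSG_AUTH_TYPE, b"\x00" * 16)]
    attrs[-1] = avp(MSG_AUTH_TYPE, message_authenticator(secret, 1, ident, request_authenticator, attrs))
    return build_packet(1, ident, request_authenticator, attrs)

def verify_packet(secret, packet, request_authenticator=None):
    """Recompute the Message-Authenticator and compare in constant time. A packet
    without one is rejected, as the CVE-2024-3596 mitigations require its presence."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs, received, pos = [], None, 20
    while pos < length:  # walk the TLV attribute list, refusing malformed lengths
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return False
        attrs.append(packet[pos:pos + packet[pos + 1]])
        if packet[pos] == MSG_AUTH_TYPE:
            received = attrs[-1][2:]
        pos += packet[pos + 1]
    if received is None or len(received) != 16:
        return False
    # Requests carry their own Request Authenticator in the header; responses need the request's.
    ra = packet[4:20] if request_authenticator is None else request_authenticator
    return hmac.compare_digest(message_authenticator(secret, code, ident, ra, attrs), received)
```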

Debian bug #1090813:

The PassivePorts directive can cause proftpd to swap data streams across
clients when the server is in passive mode.


For Debian 10 buster, these problems have been fixed in version 1.3.6-4+deb10u7.

For Debian 9 stretch, these problems have been fixed in version 1.3.5e+r1.3.5b-4+deb9u4.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.