Overview Details

File _patchinfo of Package patchinfo

<patchinfo incident="6633">
  <issue id="1032443" tracker="bnc">VUL-0: CVE-2017-7418: proftpd: AllowChrootSymlinks not enforced by replacing a path component with a symbolic link</issue>
  <issue id="2017-7418" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>computersalat</packager>
  <description>
This update for proftpd to version 1.3.5d fixes the following issues:

This security issue was fixed:

- CVE-2017-7418: ProFTPD checked only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link (bsc#1032443).

These non-security issues were fixed:

- Reduce TLS protocols to TLSv1.1 and TLSv1.2
- Disable TLSCACertificateFile
- Add TLSCertificateChainFile
- All FTP logins are treated as anonymous logins again
- SSH rekey during authentication could have caused issues with clients.
- Recursive SCP uploads of multiple directories were not handled properly.
- LIST returned different results for file, depending on path syntax.
- "AuthAliasOnly on" in server config broke anonymous logins.
- Fixed memory leak when mod_facl is used.
- Fix systemd vs SysVinit inconsistency
</description>
  <summary>Security update for proftpd</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places