Bug 1212386 (CVE-2015-3306)
| Summary: | CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | carnil, fedora, matthias, paul, yjog |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://bugs.proftpd.org/show_bug.cgi?id=4169 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-03-27 14:09:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1212388, 1212389 | | |
| Bug Blocks: | | | |
Description
Vasyl Kaigorodov
2015-04-16 10:08:22 UTC
Created proftpd tracking bugs for this issue:

Affects: fedora-all [bug 1212388]
Affects: epel-all [bug 1212389]

proftpd-1.3.5-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.4e-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.5-5.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.5-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Issue now addressed where necessary in all current Fedora and EPEL releases.

Is RHEL 6 not considered a current release? I see updates for fedora 20-22 and epel 7 but nothing on epel 6

(In reply to Carl Thompson from comment #7)
> Is RHEL 6 not considered a current release?

It is, but as mentioned in Bug #1212389, EPEL-5 and EPEL-6 have an older version of proftpd that did not ship with mod_copy, and are hence not affected by this issue.
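A triage helper for the builds named in the comments above, added here as an example and not part of the bug report or of proftpd. It takes a `proftpd-<version>-<release>` string without the architecture suffix and classifies it against the fixed builds announced in this bug; the function names, the result labels and the simplified version comparison (no `~` or `^` handling) are assumptions of this example.

```python
import re

# Fixed builds as announced in this bug, keyed by dist tag.
FIXED = {
    "fc20": ("1.3.4e", "3"),
    "fc21": ("1.3.5", "5"),
    "fc22": ("1.3.5", "6"),
    "el7": ("1.3.5", "5"),
}
# Per the last comment: EPEL-5 and EPEL-6 builds do not ship mod_copy.
NO_MOD_COPY = {"el5", "el6"}


def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm version comparison. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)  # numeric compare, ignores leading zeros
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    # Common prefix is equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def triage(nvr):
    """Classify a 'proftpd-<version>-<release>' string (no arch suffix)."""
    m = re.fullmatch(r"proftpd-([^-]+)-(\d[^-]*?)\.((?:fc|el)\d+)", nvr)
    if not m:
        return "unknown"
    version, build, dist = m.groups()
    if dist in NO_MOD_COPY:
        return "not affected"  # no mod_copy in these builds
    if dist not in FIXED:
        return "unknown"  # release not mentioned in this bug
    fixed_version, fixed_build = FIXED[dist]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(build, fixed_build)
    return "fixed" if order >= 0 else "needs update"
```

"needs update" means only that the package is older than the build announced here for that release; whether mod_copy is actually loaded on the host still has to be checked in the server configuration.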