Bug 1317420 (CVE-2016-3125)

Summary: CVE-2016-3125 proftpd: usage of 1024 bit DH key even with manual parameters set
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: itamar, matthias, paul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20160311,reported=20160311,source=oss-security,cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N,cwe=CWE-327,fedora-all/proftpd=affected,epel-all/proftpd=affected
Fixed In Version: proftpd 1.3.5b
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:49:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1317421, 1317422
Bug Blocks:

Description Andrej Nemec 2016-03-14 08:44:46 UTC
The ProFTPD daemon supports TLS encrypted connections via the mod_tls module. This module has a configuration option TLSDHParamFile to specify user-defined Diffie-Hellman parameters.

A vulnerability was found in ProFTPD before 1.3.5b. The software would ignore the user-defined parameters and use Diffie-Hellman key exchanges with 1024 bit

Original report:

http://bugs.proftpd.org/show_bug.cgi?id=4230

External references:

http://proftpd.org/docs/RELEASE_NOTES-1.3.5b

CVE assignment:

http://seclists.org/oss-sec/2016/q1/612
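
As an added example (not part of the bug report or of ProFTPD's own code), the following Python check makes the failure described above observable from the administrator's side: it reads the bit length of the prime in a TLSDHParamFile-style PEM file and compares it with the ephemeral DH size that `openssl s_client` reports for the live server, so a daemon that silently falls back to 1024-bit DH despite configured parameters shows up as a failed check. The DH prime and the two s_client excerpts below are constructed stand-ins; against a real deployment the output would come from `openssl s_client -starttls ftp -connect HOST:21 -cipher DHE`.

```python
import base64
import re
def _der_len(n):
    """DER length: short form below 128, else 0x80|N followed by N big-endian bytes."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def make_dh_params_pem(p, g=2):
    """Encode PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER } as PEM."""
    def der_int(v):  # the spare byte keeps the INTEGER positive when the high bit is set
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return b"\x02" + _der_len(len(body)) + body
    seq = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def _read_len(der, pos):
    """Decode the DER length at der[pos]; return (length, position after it)."""
    if der[pos] < 0x80:
        return der[pos], pos + 1
    n = der[pos] & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def dh_param_bits(pem):
    """Bit length of the prime p in a 'DH PARAMETERS' PEM block (the configured size)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _read_len(der, 1)             # first element is INTEGER p (tag 0x02)
    plen, pos = _read_len(der, pos + 1)    # skip the INTEGER tag, read its length
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()

def negotiated_dh_bits(s_client_output):
    """Ephemeral DH size from the 'Server Temp Key' line of openssl s_client; 0 if no DHE."""
    m = re.search(r"Server Temp Key: DH, (\d+) bits", s_client_output)
    return int(m.group(1)) if m else 0

def dh_honoured(pem, s_client_output):
    return negotiated_dh_bits(s_client_output) >= dh_param_bits(pem)  # configured size honoured?

# Constructed inputs: a 2048-bit odd number standing in for a real safe prime, plus two
# excerpts of `openssl s_client -starttls ftp -connect HOST:21 -cipher DHE` output.
CONSTRUCTED_P = (1 << 2047) | 1
CONSTRUCTED_PEM = make_dh_params_pem(CONSTRUCTED_P)
VULNERABLE_OUTPUT = "Protocol  : TLSv1.2\nServer Temp Key: DH, 1024 bits\n"
FIXED_OUTPUT = "Protocol  : TLSv1.2\nServer Temp Key: DH, 2048 bits\n"
```

A real TLSDHParamFile generated with `openssl dhparam` decodes the same way; only the stand-in prime here is not a genuine safe prime.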

Comment 1 Andrej Nemec 2016-03-14 08:45:57 UTC
Created proftpd tracking bugs for this issue:

Affects: fedora-all [bug 1317421]
Affects: epel-all [bug 1317422]

Comment 2 Fedora Update System 2016-03-20 20:20:55 UTC
proftpd-1.3.5b-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2016-03-21 01:51:50 UTC
proftpd-1.3.5b-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-03-26 18:11:49 UTC
proftpd-1.3.5b-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-03-28 01:54:42 UTC
proftpd-1.3.5b-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-07-02 15:18:32 UTC
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-07-02 16:19:56 UTC
proftpd-1.3.3g-10.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Product Security DevOps Team 2019-06-08 02:49:42 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.