Red Hat Bugzilla – Bug 237533
CVE-2007-2165: proftpd auth bypass vulnerability
Last modified: 2008-07-30 16:09:51 EDT
"The Auth API in ProFTPD before 20070417, when multiple simultaneous
authentication modules are configured, does not require that the module that
checks authentication is the same as the module that retrieves authentication
data, which might allow remote attackers to bypass authentication, as
demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved
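The condition the CVE describes (more than one authentication module active at once, with mod_sql handing back Plaintext password data) is a configuration state, so the following added example shows a proftpd.conf fragment in that state beside one that restricts authentication to a single module. This is illustrative config written for this page, not ProFTPD's own documentation or a sample from the project; the database name, credentials, and table/column names are assumptions.

```apache
# --- Affected shape (pre-20070417 Auth API) ---------------------------------
# mod_sql retrieves user records and compares cleartext passwords, while
# mod_auth_unix is also consulted; the Auth API of the affected versions
# does not require the module that checks the password to be the module
# that supplied the user record.
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c

SQLBackend        mysql
# Hypothetical connection string and credentials (assumption).
SQLConnectInfo    ftpdb@localhost ftpuser ftppass
SQLAuthTypes      Plaintext
# Hypothetical table layout: table userid passwd uid gid homedir shell (assumption).
SQLUserInfo       users  userid passwd uid gid homedir shell
SQLGroupInfo      groups groupname gid members

# Two simultaneous authentication modules: the precondition named in the CVE.
AuthOrder         mod_sql.c mod_auth_unix.c

# --- Mitigated shape ----------------------------------------------------------
# The real fix is the updated package (1.3.1, as pushed in this bug); until it
# is installed, keeping exactly one module in AuthOrder means there is no
# second module for the check/retrieve mismatch to fall through to.
AuthOrder         mod_sql.c
```

After changing AuthOrder, reload the daemon and confirm with a known-bad password that the login is refused; if local system accounts were relied on alongside the SQL users, those logins will now fail until they are migrated into the SQL tables.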
Still no backport of the patch to the stable 1.3.0a release. It's pretty
annoying, since the patch against the latest RC doesn't apply cleanly because of
variable name changes. I tried to backport it, but the risk in _me_ doing so is
just too high.
I really don't understand how/why projects decide to not provide security
patches for what they consider to be the current stable release... I'm going to
push new proftpd packages anyway, to fix bug #244168 but not this bug,
Still no patches backported to 1.3.0a, so I've at least pushed 1.3.1rc3 to devel
(F8) since it fixes all known vulnerabilities, and should be more than stable
enough for inclusion. Maybe later backporting it to all current releases would
Any further news here?
Also, if the 1.3.1rc3 is working fine in devel, would you consider pushing to
epel? or is it too disruptive going from 1.3.0a to 1.3.1rc3?
I've updated devel to 1.3.1 final, now that it's out. I don't think updating
from 1.3.0 to 1.3.1 is too disruptive, but I'm not sure it won't break on some
I've had no reports of any problems with 1.3.1, so I'll push it in F-7 testing
updates. If everything looks good once it's there, then it should be possible to
push it to stable.
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update proftpd'
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Reopening for Werewolf.
I'm confused. The package in F-7 updates has been newer than that one in F-8 for
ages, and I haven't received any nag mails about it.
Still they're all 1.3.1, so the security fix is included. Nevertheless, I'll be
pushing 1.3.1-3 as an F-8 update.
How about also updating EPEL-5 too?
It has version 1.3.0a still...
(In reply to comment #10)
> How about also updating EPEL-5 too?
> It has version 1.3.0a still...
Ouch, you're absolutely right! I'll do that now. I still can't reproduce the
EL-4 build failure from bug #250223 on my machine, so I think I'll give up on
EL-4 proftpd, though.
Both EL-5 and EL-4 build fine, so those are updated too now.
proftpd-1.3.1-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.