Bug 237533 (CVE-2007-2165) - CVE-2007-2165: proftpd auth bypass vulnerability
Summary: CVE-2007-2165: proftpd auth bypass vulnerability
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2007-2165
Product: Fedora
Classification: Fedora
Component: proftpd
Version: 8
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-23 17:49 UTC by Ville Skyttä
Modified: 2008-07-30 20:09 UTC (History)

Fixed In Version: 1.3.1-2.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-03 18:12:58 UTC
Type: ---
Embargoed:



Description Ville Skyttä 2007-04-23 17:49:11 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2165
http://bugs.proftpd.org/show_bug.cgi?id=2922

"The Auth API in ProFTPD before 20070417, when multiple simultaneous
authentication modules are configured, does not require that the module that
checks authentication is the same as the module that retrieves authentication
data, which might allow remote attackers to bypass authentication, as
demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved
from /etc/passwd."
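As an added example, not code from this bug or from ProFTPD itself: a small Python checker that flags a proftpd.conf which lets more than one authentication module handle a login while SQLAuthTypes permits Plaintext, on a ProFTPD version older than the 1.3.1 fix named in this bug. AuthOrder, SQLAuthTypes and LoadModule are real ProFTPD directives; the sample config, the version gate and the "unset AuthOrder means all loaded auth modules participate" reading are constructed assumptions.

```python
import re

# Version at which this bug reports the Auth API fix shipping (assumption: 1.3.1 and later are fixed).
FIXED_VERSION = (1, 3, 1)

# Constructed sample config (not from the page): mod_sql next to the unix auth
# module, with SQLAuthTypes allowing a Plaintext comparison.
SAMPLE_CONF = """\
ServerName "ftp.example.test"
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c
AuthOrder mod_sql.c mod_auth_unix.c
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users
"""

def parse_version(s):
    """'1.3.0a' -> (1, 3, 0); suffixes such as 'a' or 'rc3' are ignored for comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", s)[:3])

def directives(conf):
    """Yield (name, [args]) for each directive; comments and <Section> lines are skipped."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]

def check_auth_config(conf, version):
    """Return a list of findings describing exposure to CVE-2007-2165 (empty = nothing flagged)."""
    findings = []
    auth_order, auth_types = [], []
    for name, args in directives(conf):
        if name == "authorder":
            auth_order = args
        elif name == "sqlauthtypes":
            auth_types = [a.lower() for a in args]
    if parse_version(version) >= FIXED_VERSION:
        return findings  # fixed Auth API: the module that fetched the record also checks it
    # Assumption: with AuthOrder unset, every loaded auth module may take part in a login.
    multi = len(auth_order) != 1
    if multi:
        findings.append("more than one auth module may handle a login: AuthOrder=%r" % (auth_order,))
    if "plaintext" in auth_types:
        findings.append("SQLAuthTypes permits Plaintext comparison")
    if multi and "plaintext" in auth_types:
        findings.append("exposed to CVE-2007-2165: mod_sql may compare Plaintext "
                        "against a record fetched by another module; pin AuthOrder "
                        "to one module or upgrade to 1.3.1")
    return findings
```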

Comment 1 Matthias Saou 2007-06-15 15:41:11 UTC
Still no backport of the patch to the stable 1.3.0a release. It's pretty
annoying, since the patch against the latest RC doesn't apply cleanly because of
variable name changes. I tried to backport it, but the risk in _me_ doing so is
just too high.

I really don't understand how/why projects decide to not provide security
patches for what they consider to be the current stable release... I'm going to
push new proftpd packages anyway, to fix bug #244168 but not this bug,
unfortunately :-(

Comment 2 Matthias Saou 2007-08-19 16:22:21 UTC
Still no patches backported to 1.3.0a, so I've at least pushed 1.3.1rc3 to devel
(F8) since it fixes all known vulnerabilities, and should be more than stable
enough for inclusion. Maybe later backporting it to all current releases would
make sense...

Comment 3 Kevin Fenzi 2007-09-14 00:11:55 UTC
Any further news here?

Also, if the 1.3.1rc3 is working fine in devel, would you consider pushing to
EPEL? Or is it too disruptive going from 1.3.0a to 1.3.1rc3?

Comment 4 Matthias Saou 2007-10-09 17:51:22 UTC
I've updated devel to 1.3.1 final, now that it's out. I don't think updating
from 1.3.0 to 1.3.1 is too disruptive, but I'm not sure it won't break on some
complex setups...

Comment 5 Matthias Saou 2007-10-22 14:37:17 UTC
I've had no reports of any problems with 1.3.1, so I'll push it in F-7 testing
updates. If everything looks good once it's there, then it should be possible to
push it to stable.

Comment 6 Fedora Update System 2007-10-24 07:05:04 UTC
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update proftpd'

Comment 7 Fedora Update System 2007-11-05 15:10:57 UTC
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Lubomir Kundrak 2007-11-05 15:57:16 UTC
Reopening for Werewolf.

Comment 9 Matthias Saou 2008-02-03 17:37:08 UTC
I'm confused. The package in F-7 updates has been newer than that one in F-8 for
ages, and I haven't received any nag mails about it.
Still they're all 1.3.1, so the security fix is included. Nevertheless, I'll be
pushing 1.3.1-3 as an F-8 update.

Comment 10 Kevin Fenzi 2008-02-03 17:41:38 UTC
How about also updating EPEL-5 too?
It has version 1.3.0a still... 

Comment 11 Matthias Saou 2008-02-03 17:47:25 UTC
(In reply to comment #10)
> How about also updating EPEL-5 too?
> It has version 1.3.0a still... 

Ouch, you're absolutely right! I'll do that now. I still can't reproduce the
EL-4 build failure from bug #250223 on my machine, so I think I'll give up on
EL-4 proftpd, though.

Comment 12 Matthias Saou 2008-02-03 18:12:58 UTC
Both EL-5 and EL-4 build fine, so those are updated too now.

Comment 13 Fedora Update System 2008-07-30 20:09:51 UTC
proftpd-1.3.1-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

