1212386 – (CVE-2015-3306) CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy

Bug 1212386 (CVE-2015-3306) - CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy

Summary: CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO al...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-3306
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://bugs.proftpd.org/show_bug.cgi?...
Whiteboard:
Depends On:	1212388 1212389
Blocks:
TreeView+	depends on / blocked

Reported:	2015-04-16 10:08 UTC by Vasyl Kaigorodov
Modified:	2021-02-04 00:56 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-03-27 14:09:09 UTC

Attachments	(Terms of Use)

Description Vasyl Kaigorodov 2015-04-16 10:08:22 UTC

Vadim Melihow reported a critical issue with proftpd installations that use the
mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
to be used by *unauthenticated clients*:

http://bugs.proftpd.org/show_bug.cgi?id=4169

Upstream fix: https://github.com/proftpd/proftpd/pull/109

Comment 1 Vasyl Kaigorodov 2015-04-16 10:10:09 UTC

Created proftpd tracking bugs for this issue:

Affects: fedora-all [bug 1212388]
Affects: epel-all [bug 1212389]

Comment 2 Fedora Update System 2015-05-03 17:25:05 UTC

proftpd-1.3.5-6.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-05-03 17:25:12 UTC

proftpd-1.3.4e-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-05-10 23:49:36 UTC

proftpd-1.3.5-5.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-05-14 06:29:52 UTC

proftpd-1.3.5-5.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Paul Howarth 2015-05-14 08:14:26 UTC

Issue now addressed where necessary in all current Fedora and EPEL releases.

Comment 7 Carl Thompson 2015-06-11 16:48:18 UTC

Is RHEL 6 not considered a current release?

I see updates for fedora 20-22 and epel 7 but nothing on epel 6

Comment 8 Paul Howarth 2015-06-11 17:25:51 UTC

(In reply to Carl Thompson from comment #7)
> Is RHEL 6 not considered a current release?

It is, but as mentioned in Bug #1212389, EPEL-5 and EPEL-6 have an older version of proftpd that did not ship with mod_copy, and are hence not affected by this issue.

Note You need to log in before you can comment on or make changes to this bug.