ALT-PU-2019-2667-1
Closed vulnerabilities
BDU:2015-10225
Уязвимость FTP-сервера ProFTPD, позволяющая удалённому нарушителю получить доступ к защищаемой информации
BDU:2016-00938
Уязвимость FTP-сервера ProFTPd, позволяющая нарушителю повлиять на целостность, доступность и конфиденциальность информации
BDU:2019-02747
Уязвимость модуля mod_copy FTP-сервера ProFTPD, позволяющая нарушителю выполнить произвольный код в целевой системе посредством передачи команд CPFR и CPTO на сервер ProFTPD
Modified: 2024-11-21
CVE-2015-3306
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
- FEDORA-2015-7164
- FEDORA-2015-7164
- FEDORA-2015-6401
- FEDORA-2015-6401
- FEDORA-2015-7086
- FEDORA-2015-7086
- openSUSE-SU-2015:1031
- openSUSE-SU-2015:1031
- http://packetstormsecurity.com/files/131505/ProFTPd-1.3.5-File-Copy.html
- http://packetstormsecurity.com/files/131505/ProFTPd-1.3.5-File-Copy.html
- http://packetstormsecurity.com/files/131555/ProFTPd-1.3.5-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/131555/ProFTPd-1.3.5-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/131567/ProFTPd-CPFR-CPTO-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/131567/ProFTPd-CPFR-CPTO-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/132218/ProFTPD-1.3.5-Mod_Copy-Command-Execution.html
- http://packetstormsecurity.com/files/132218/ProFTPD-1.3.5-Mod_Copy-Command-Execution.html
- http://packetstormsecurity.com/files/162777/ProFTPd-1.3.5-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/162777/ProFTPd-1.3.5-Remote-Command-Execution.html
- DSA-3263
- DSA-3263
- http://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_modcopy_exec
- http://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_modcopy_exec
- 74238
- 74238
- 36742
- 36742
- 36803
- 36803
Modified: 2024-11-21
CVE-2016-3125
The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.
- http://bugs.proftpd.org/show_bug.cgi?id=4230
- http://bugs.proftpd.org/show_bug.cgi?id=4230
- FEDORA-2016-f95d8ea3ad
- FEDORA-2016-f95d8ea3ad
- FEDORA-2016-977d57cf2d
- FEDORA-2016-977d57cf2d
- FEDORA-2016-ac3587be9a
- FEDORA-2016-ac3587be9a
- openSUSE-SU-2016:1334
- openSUSE-SU-2016:1334
- openSUSE-SU-2016:1558
- openSUSE-SU-2016:1558
- http://proftpd.org/docs/NEWS-1.3.5b
- http://proftpd.org/docs/NEWS-1.3.5b
- http://proftpd.org/docs/NEWS-1.3.6rc2
- http://proftpd.org/docs/NEWS-1.3.6rc2
- [oss-security] 20160311 Re: ProFTPD before 1.3.5b/1.3.6rc2 uses 1024 bit Diffie Hellman parameters for TLS even if user sets manual parameters
- [oss-security] 20160311 Re: ProFTPD before 1.3.5b/1.3.6rc2 uses 1024 bit Diffie Hellman parameters for TLS even if user sets manual parameters
- [oss-security] 20160311 ProFTPD before 1.3.5b/1.3.6rc2 uses 1024 bit Diffie Hellman parameters for TLS even if user sets manual parameters
- [oss-security] 20160311 ProFTPD before 1.3.5b/1.3.6rc2 uses 1024 bit Diffie Hellman parameters for TLS even if user sets manual parameters
Modified: 2024-11-21
CVE-2017-7418
ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.
- http://bugs.proftpd.org/show_bug.cgi?id=4295
- http://bugs.proftpd.org/show_bug.cgi?id=4295
- openSUSE-SU-2019:1836
- openSUSE-SU-2019:1836
- openSUSE-SU-2019:1870
- openSUSE-SU-2019:1870
- openSUSE-SU-2020:0031
- openSUSE-SU-2020:0031
- 97409
- 97409
- https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed
- https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed
- https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f
- https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f
- https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8
- https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8
Modified: 2024-11-21
CVE-2019-12815
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
- http://bugs.proftpd.org/show_bug.cgi?id=4372
- http://bugs.proftpd.org/show_bug.cgi?id=4372
- openSUSE-SU-2019:1836
- openSUSE-SU-2019:1836
- openSUSE-SU-2019:1870
- openSUSE-SU-2019:1870
- openSUSE-SU-2020:0031
- openSUSE-SU-2020:0031
- 109339
- 109339
- https://cert-portal.siemens.com/productcert/pdf/ssa-940889.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-940889.pdf
- https://github.com/proftpd/proftpd/pull/816
- https://github.com/proftpd/proftpd/pull/816
- [debian-lts-announce] 20190807 [SECURITY] [DLA 1873-1] proftpd-dfsg security update
- [debian-lts-announce] 20190807 [SECURITY] [DLA 1873-1] proftpd-dfsg security update
- FEDORA-2019-e9187610c3
- FEDORA-2019-e9187610c3
- FEDORA-2019-82b0f48691
- FEDORA-2019-82b0f48691
- 20190805 [SECURITY] [DSA 4491-1] proftpd-dfsg security update
- 20190805 [SECURITY] [DSA 4491-1] proftpd-dfsg security update
- GLSA-201908-16
- GLSA-201908-16
- https://tbspace.de/cve201912815proftpd.html
- https://tbspace.de/cve201912815proftpd.html
- DSA-4491
- DSA-4491
Modified: 2024-11-21
CVE-2019-19271
An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server.
Modified: 2024-11-21
CVE-2019-19272
An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
Closed bugs
CVE-2019-12815