ALT-PU-2019-2667-1
Closed vulnerabilities
BDU:2015-10225
A vulnerability in the ProFTPD FTP server that allows a remote attacker to gain access to protected information
BDU:2016-00938
A vulnerability in the ProFTPD FTP server that allows an attacker to affect the integrity, availability and confidentiality of information
BDU:2019-02747
A vulnerability in the mod_copy module of the ProFTPD FTP server that allows an attacker to execute arbitrary code on the target system by sending CPFR and CPTO commands to the ProFTPD server
Modified: 2025-04-12
CVE-2015-3306
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157581.html
- http://lists.opensuse.org/opensuse-updates/2015-06/msg00020.html
- http://packetstormsecurity.com/files/131505/ProFTPd-1.3.5-File-Copy.html
- http://packetstormsecurity.com/files/131555/ProFTPd-1.3.5-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/131567/ProFTPd-CPFR-CPTO-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/132218/ProFTPD-1.3.5-Mod_Copy-Command-Execution.html
- http://packetstormsecurity.com/files/162777/ProFTPd-1.3.5-Remote-Command-Execution.html
- http://www.debian.org/security/2015/dsa-3263
- http://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_modcopy_exec
- http://www.securityfocus.com/bid/74238
- https://www.exploit-db.com/exploits/36742/
- https://www.exploit-db.com/exploits/36803/
Modified: 2025-04-12
CVE-2016-3125
The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.
- http://bugs.proftpd.org/show_bug.cgi?id=4230
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179109.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179143.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179905.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00080.html
- http://lists.opensuse.org/opensuse-updates/2016-06/msg00045.html
- http://proftpd.org/docs/NEWS-1.3.5b
- http://proftpd.org/docs/NEWS-1.3.6rc2
- http://www.openwall.com/lists/oss-security/2016/03/11/14
- http://www.openwall.com/lists/oss-security/2016/03/11/3
Modified: 2025-04-20
CVE-2017-7418
ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.
- http://bugs.proftpd.org/show_bug.cgi?id=4295
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
- http://www.securityfocus.com/bid/97409
- https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed
- https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f
- https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8
Modified: 2024-11-21
CVE-2019-12815
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
- http://bugs.proftpd.org/show_bug.cgi?id=4372
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
- http://www.securityfocus.com/bid/109339
- https://cert-portal.siemens.com/productcert/pdf/ssa-940889.pdf
- https://github.com/proftpd/proftpd/pull/816
- https://lists.debian.org/debian-lts-announce/2019/08/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OJDQ3XUYWO42TJBO53NUWDZRA35QMVEI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XM5FPBAGSIKV6YJZEPM6GPGJO5JFT7XU/
- https://seclists.org/bugtraq/2019/Aug/3
- https://security.gentoo.org/glsa/201908-16
- https://tbspace.de/cve201912815proftpd.html
- https://www.debian.org/security/2019/dsa-4491
Modified: 2024-11-21
CVE-2019-19271
An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server.
Modified: 2024-11-21
CVE-2019-19272
An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
Closed bugs
CVE-2019-12815