|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-disclosure] [ GLSA 200702-02 ] ProFTPD: Local privilege escalation
From: Raphael Marichez (falco
gentoo.org)
Date: Tue Feb 13 2007 - 16:49:24 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200702-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: ProFTPD: Local privilege escalation
Date: February 13, 2007
Bugs: #158122
ID: 200702-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A flaw in ProFTPD may allow a local attacker to obtain root privileges.
Background
==========
ProFTPD is a powerful, configurable, and free FTP daemon.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-ftp/proftpd < 1.3.1_rc1 >= 1.3.1_rc1
Description
===========
A flaw exists in the mod_ctrls module of ProFTPD, normally used to
allow FTP server administrators to configure the daemon at runtime.
Impact
======
An FTP server administrator permitted to interact with mod_ctrls could
potentially compromise the ProFTPD process and execute arbitrary code
with the privileges of the FTP Daemon, which is normally the root user.
Workaround
==========
Disable mod_ctrls, or ensure only trusted users can access this
feature.
Resolution
==========
All ProFTPD users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.1_rc1"
References
==========
[ 1 ] CVE-2006-6563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6563
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200702-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBRdJAczvRww8BFPxFAQJHLQf9GXMV+YmkTtqie6CvRQinMH9hFwnZtfCr
O3QU4PgoqCfs2Tq4QRneEJx2JxUXK2VlNRbIp+HcE3MbOrdj3fkTMsUy/2r1KNsC
AIw6EIbsLSCOcssJ11R2YHW863XoUmEUbI1tCwryJKhFbDTO7hgZvs6kwcorowN4
B9TG60AdZnamUAptOjTZ9sBbaiKqtiPgExbvIGFmU3iK2SZaLD9MCmMSnsTSdcOG
lOrC4+Q1la3DLmL45iOubHC68siMiWPLwOvOBOgmYTNtDtuRUwecKD6nh8LP9YMW
mh/ZiY3peHeXRQCQp9l9FlLLo+bgZuxXImfdnkxSKADUZBd8OXLVQw==
=swTA
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]