From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Wed, 03 May 2023 09:13:11 -0000
Subject: [gentoo-announce] [ GLSA 202305-03 ] ProFTPd: Memory Disclosure
Message-ID: <168310519207.8.13179521139795149909@2ac734cbf5a7>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202305-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: ProFTPd: Memory Disclosure
      Date: May 03, 2023
      Bugs: #811495
        ID: 202305-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in ProFTPd which could result in
memory disclosure.

Background
==========

ProFTPD is an advanced and very configurable FTP server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-ftp/proftpd             < 1.3.7c                   >= 1.3.7c

Description
===========

ProFTPd unconditionally sends passwords to RADIUS servers for
authentication in multiples of 16 bytes. If a password's length is not a
multiple of 16 bytes, ProFTPd reads beyond the end of the password string
and sends the bytes that lie past the end of the string buffer.

Impact
======

RADIUS servers used for authentication can receive the contents of the
ProFTPd process' memory.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ProFTPd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.7c"

References
==========

[ 1 ] CVE-2021-46854
      https://nvd.nist.gov/vuln/detail/CVE-2021-46854

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
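The Description section above explains the defect in one sentence: the
password is sent in whole 16-byte blocks, and the bytes that fill out the
last block are taken from memory past the end of the string instead of
being zero. The following C program is an added illustration of that
padding step and of the corresponding fix; it is not ProFTPD's mod_radius
code and is not the upstream patch. The function names, the constants and
the constructed "process memory" array (a made-up password followed by a
made-up session token) are all assumptions chosen for the demonstration.

```c
/*
 * Added example (not ProFTPD's code): models the padding step that the
 * advisory describes. A RADIUS User-Password attribute is handled in
 * 16-octet blocks, so the plaintext password is padded to a multiple of
 * 16 before it is obfuscated and sent. The only difference between the two
 * pad_password_* functions is where the padding bytes come from.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_BLOCK 16      /* User-Password is processed in 16-octet blocks */
#define MAX_PASSWD_LEN 128   /* RFC 2865 allows at most 128 octets of password */

/* Round a password length up to a whole number of blocks (at least one). */
size_t radius_padded_len(size_t len) {
    size_t blocks = (len + RADIUS_BLOCK - 1) / RADIUS_BLOCK;
    if (blocks == 0)
        blocks = 1;
    return blocks * RADIUS_BLOCK;
}

/* Vulnerable pattern, constructed to mirror the advisory: the whole padded
 * length is copied straight from the password string, so every byte after
 * the terminating NUL up to the block boundary is whatever happens to
 * follow the string in memory. Returns bytes written, 0 on error. */
size_t pad_password_vulnerable(const char *passwd, unsigned char *out,
                               size_t out_len) {
    size_t len = strlen(passwd);
    size_t padded = radius_padded_len(len);
    if (len > MAX_PASSWD_LEN || padded > out_len)
        return 0;
    memcpy(out, passwd, padded);          /* over-read past the NUL */
    return padded;
}

/* Hardened version: copy only the password bytes, then fill the rest of the
 * last block with the NUL padding the RADIUS attribute format calls for. */
size_t pad_password_fixed(const char *passwd, unsigned char *out,
                          size_t out_len) {
    size_t len = strlen(passwd);
    size_t padded = radius_padded_len(len);
    if (len > MAX_PASSWD_LEN || padded > out_len)
        return 0;
    memcpy(out, passwd, len);
    memset(out + len, 0, padded - len);   /* explicit zero padding */
    return padded;
}

/* Count padding bytes that are not zero. Anything non-zero in the padding
 * was never part of the password, i.e. it is disclosed process memory. */
size_t nonzero_padding_bytes(const unsigned char *out, size_t passwd_len,
                             size_t padded) {
    size_t n = 0;
    for (size_t i = passwd_len; i < padded; i++)
        if (out[i] != 0)
            n++;
    return n;
}

/* Constructed stand-in for the server's memory: the password "hunter2",
 * its NUL terminator, then unrelated data (a made-up session token).
 * Keeping both in one array keeps the over-read inside a valid allocation,
 * so the demonstration itself has no undefined behaviour. */
static const char process_memory[64] = "hunter2\0SESSION-TOKEN-0xC0FFEE\0";

int main(void) {
    unsigned char attr[MAX_PASSWD_LEN];
    const char *passwd = process_memory;  /* strlen() stops at the first NUL */
    size_t len = strlen(passwd);          /* 7 */

    size_t n = pad_password_vulnerable(passwd, attr, sizeof attr);
    printf("vulnerable: %zu bytes sent, %zu padding bytes carry other data\n",
           n, nonzero_padding_bytes(attr, len, n));

    n = pad_password_fixed(passwd, attr, sizeof attr);
    printf("fixed:      %zu bytes sent, %zu padding bytes carry other data\n",
           n, nonzero_padding_bytes(attr, len, n));
    return 0;
}
```

With the 7-byte sample password both variants send one 16-byte block, but
the vulnerable copy carries eight bytes of the neighbouring token in its
padding while the fixed copy carries none. The nonzero_padding_bytes()
check is the kind of assertion a unit test for the attribute encoder can
keep permanently: padding that is not all zero is a regression.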