openSUSE Security Update: proftpd: security and bugfix update to 1.3.4d
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1563-1
Rating:             moderate
References:         #787884 #811793 #843444
Cross-References:   CVE-2013-4359
Affected Products:
                    openSUSE 12.3
                    openSUSE 12.2
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes is now
   available.

Description:

   proftpd was updated to 1.3.4d.

   * Fixed broken build when using the --disable-ipv6 configure option
   * Fixed mod_sql "SQLAuthType Backend" MySQL issues
   - fix for bnc#843444 (CVE-2013-4359)
     * http://bugs.proftpd.org/show_bug.cgi?id=3973
     * add proftpd-sftp-kbdint-max-responses-bug3973.patch
   - Improve systemd service file
   - use upstream tmpfiles.d file; related to [bnc#811793]
   - Use /run instead of /var/run
   - update to 1.3.4c
     * Added Spanish translation.
     * Fixed several mod_sftp issues, including SFTPPassPhraseProvider,
       handling of symlinks for REALPATH requests, and response code
       logging.
     * Fixed symlink race for creating directories when UserOwner is in
       effect.
     * Increased performance of FTP directory listings.
   - rebase and rename patches (remove version string)
     * proftpd-1.3.4a-dist.patch -> proftpd-dist.patch
     * proftpd-1.3.4a-ftpasswd.patch -> proftpd-ftpasswd.patch
     * proftpd-1.3.4a-strip.patch -> proftpd-strip.patch
   - fix proftpd.conf (rebase basic.conf patch)
     * IdentLookups is now a separate module, so
         <IfModule mod_ident.c>
           IdentLookups on/off
         </IfModule>
       is needed, and the module is not built because crrodriguez
       disabled it.
   - fix for bnc#787884 (https://bugzilla.novell.com/show_bug.cgi?id=787884)
     * added extra Source proftpd.conf.tmpfile
   - Disable ident lookups; this protocol is totally obsolete and
     dangerous. (add --disable-ident)
   - Fix debug info generation (add --disable-strip)
   - Add systemd unit
   - update to 1.3.4b
     + Fixed mod_ldap segfault on login when LDAPUsers with no filters used.
     + Fixed sporadic SFTP upload issues for large files.
     + Fixed SSH2 handling for some clients (e.g. OpenVMS).
     + New FactsOptions directive; see doc/modules/mod_facts.html#FactsOptions
     + Fixed build errors on Tru64, AIX, Cygwin.
   - add Source Signature (.asc) file
   - add noBuildDate patch
   - add lang pkg
     * --enable-nls
   - add configure options
     * --enable-openssl, --with-lastlog

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2013-778

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2013-778

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 12.3 (i586 x86_64):

      proftpd-1.3.4d-4.4.5
      proftpd-debuginfo-1.3.4d-4.4.5
      proftpd-debugsource-1.3.4d-4.4.5
      proftpd-devel-1.3.4d-4.4.5
      proftpd-doc-1.3.4d-4.4.5
      proftpd-ldap-1.3.4d-4.4.5
      proftpd-ldap-debuginfo-1.3.4d-4.4.5
      proftpd-mysql-1.3.4d-4.4.5
      proftpd-mysql-debuginfo-1.3.4d-4.4.5
      proftpd-pgsql-1.3.4d-4.4.5
      proftpd-pgsql-debuginfo-1.3.4d-4.4.5
      proftpd-radius-1.3.4d-4.4.5
      proftpd-radius-debuginfo-1.3.4d-4.4.5
      proftpd-sqlite-1.3.4d-4.4.5
      proftpd-sqlite-debuginfo-1.3.4d-4.4.5

   - openSUSE 12.3 (noarch):

      proftpd-lang-1.3.4d-4.4.5

   - openSUSE 12.2 (i586 x86_64):

      proftpd-1.3.4d-2.5.1
      proftpd-debuginfo-1.3.4d-2.5.1
      proftpd-debugsource-1.3.4d-2.5.1
      proftpd-devel-1.3.4d-2.5.1
      proftpd-doc-1.3.4d-2.5.1
      proftpd-ldap-1.3.4d-2.5.1
      proftpd-ldap-debuginfo-1.3.4d-2.5.1
      proftpd-mysql-1.3.4d-2.5.1
      proftpd-mysql-debuginfo-1.3.4d-2.5.1
      proftpd-pgsql-1.3.4d-2.5.1
      proftpd-pgsql-debuginfo-1.3.4d-2.5.1
      proftpd-radius-1.3.4d-2.5.1
      proftpd-radius-debuginfo-1.3.4d-2.5.1
      proftpd-sqlite-1.3.4d-2.5.1
      proftpd-sqlite-debuginfo-1.3.4d-2.5.1

   - openSUSE 12.2 (noarch):

      proftpd-lang-1.3.4d-2.5.1

References:

   http://support.novell.com/security/cve/CVE-2013-4359.html
   https://bugzilla.novell.com/787884
   https://bugzilla.novell.com/811793
   https://bugzilla.novell.com/843444