Search This Blog

Sunday, November 01, 2009

[SECURITY] [DSA 1925-1] New proftpd-dfsg packages fix SSL certificate verification weakness

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1925-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
October 31, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : proftpd-dfsg
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-3639

It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon,
does not properly handle a '\0' character in a domain name in the
Subject Alternative Name field of an X.509 client certificate, when the
dNSNameRequired TLS option is enabled.


For the stable distribution (lenny), this problem has been fixed in
version 1.3.1-17lenny4.

For the oldstable distribution (etch), this problem has been fixed in
version 1.3.0-19etch3.

Binaries for the amd64 architecture will be released once they are
available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.3.2a-2.


We recommend that you upgrade your proftpd-dfsg packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-19etch3.tar.gz
Size/MD5 checksum: 1905969 38528feb0ffb9bd88db6f175d6020b8d
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-19etch3.dsc
Size/MD5 checksum: 872 0bd9359e5bf664360be0c144225649b2

Architecture independent packages:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mysql_1.3.0-19etch3_all.deb
Size/MD5 checksum: 162748 5608f61ea367720d306635309b85d6bc
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-ldap_1.3.0-19etch3_all.deb
Size/MD5 checksum: 162748 e16562c92cdc0f0c344ded50f5916d36
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-pgsql_1.3.0-19etch3_all.deb
Size/MD5 checksum: 162752 98b538acf18e6c6a7fedfcaab1a35dee
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.0-19etch3_all.deb
Size/MD5 checksum: 492828 eb6950dbd7f5a48fea262fa373224d01

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_alpha.deb
Size/MD5 checksum: 997748 b6db8df62a1a19529b8a75cd3965c61c

arm architecture (ARM)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_arm.deb
Size/MD5 checksum: 803396 01f586c57a9df10f764b1250182aaf4a

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_hppa.deb
Size/MD5 checksum: 936038 662b6032362df105994979458344e4c5

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_i386.deb
Size/MD5 checksum: 798022 44f0f80e230c4f86e12daf20129ec636

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_ia64.deb
Size/MD5 checksum: 1188390 9e68db2aa07f4f477e050f961e766bd5

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_mips.deb
Size/MD5 checksum: 856696 0a9f117d838b1b612d05c88ac76caed4

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_mipsel.deb
Size/MD5 checksum: 856038 3b04229098a901c9b4de298443af7aff

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_sparc.deb
Size/MD5 checksum: 830844 08971c1104010e23c01d52b343b11f56

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny4.dsc
Size/MD5 checksum: 1349 825576201541f76cbc1dcab44bae9e61
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny4.diff.gz
Size/MD5 checksum: 103691 8b4252ad95f772b66b7dd06d60a1bfa6
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz
Size/MD5 checksum: 2662056 da40b14c5b8ec5467505c98b4ee4b7b9

Architecture independent packages:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny4_all.deb
Size/MD5 checksum: 1256500 001a1754365940758a4ec97ead34fb34
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny4_all.deb
Size/MD5 checksum: 195088 1951485bf96a4a688495c5ebfa050749

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_alpha.deb
Size/MD5 checksum: 215366 e95e97a49984acf80828d18da59c72e9
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_alpha.deb
Size/MD5 checksum: 783554 921f2efef6cc2fc8688bcbb6ca9d8b59
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_alpha.deb
Size/MD5 checksum: 204746 ab8e55b37a646a496bb122e32d90b067
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_alpha.deb
Size/MD5 checksum: 204640 5e3dc3781500c2c5a577e39ec4446d75

arm architecture (ARM)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_arm.deb
Size/MD5 checksum: 214036 187789bcd2eb7d18e6ff207b296011db
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_arm.deb
Size/MD5 checksum: 203356 c6ac828e324d4cd79675d893b2b9af4c
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_arm.deb
Size/MD5 checksum: 203202 465de4f3bc6b6532208a22ba96a2a7f9
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_arm.deb
Size/MD5 checksum: 699814 f463140d95df55d8cd301c567878e397

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_armel.deb
Size/MD5 checksum: 213884 8b1501c1cfa5a61c6af8ca3c121dddda
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_armel.deb
Size/MD5 checksum: 705542 f03e97c4a517b1b44af58eeba70d9db3
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_armel.deb
Size/MD5 checksum: 203634 68c067db2619d26b9544688d1e9e7e8b
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_armel.deb
Size/MD5 checksum: 203526 43efcc97292d5d0545748c6210a32689

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_hppa.deb
Size/MD5 checksum: 216732 a718ff67e4b488ef3052e6a1045c89f5
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_hppa.deb
Size/MD5 checksum: 764824 fe6033f5797b6a163ed8ce552eb7182a
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_hppa.deb
Size/MD5 checksum: 205296 a675af7ef1807e1e7f8cdacabf28a9c9
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_hppa.deb
Size/MD5 checksum: 205144 3644789a8d2e181cfdac74a2a80ac85e

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_i386.deb
Size/MD5 checksum: 203274 aaebf117359a3d9da24ad44d54b92370
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_i386.deb
Size/MD5 checksum: 203216 0b22db02bddba0d783049e83311526a5
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_i386.deb
Size/MD5 checksum: 688914 f7088094d696ab673f9e91631adc3bb6
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_i386.deb
Size/MD5 checksum: 212408 262af8522ecd16b57c11af409db528cb

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_ia64.deb
Size/MD5 checksum: 980974 8ab9bfd7088b9740a27a54760059b3e9
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_ia64.deb
Size/MD5 checksum: 222164 3ac1225c263d2678563fe0fa63a37cde
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_ia64.deb
Size/MD5 checksum: 207428 c2a8edc2d5f2943034ccadf0c6d67c21
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_ia64.deb
Size/MD5 checksum: 207274 0c4d9685cfe8479fcb24ef7eb86f301d

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_mips.deb
Size/MD5 checksum: 212246 f90b614ab734af4e75cb15d45d7571bd
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_mips.deb
Size/MD5 checksum: 691796 c2caa9adce6dd3d44c53a91e6c7b7e88
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_mips.deb
Size/MD5 checksum: 203262 f4947609b2a1e3b1016ff6a9b7c21d4c
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_mips.deb
Size/MD5 checksum: 203344 27701f545ffd35ec7fccf456a91a34ce

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_mipsel.deb
Size/MD5 checksum: 203266 566d885e4619eae83a3986cac1a28ad7
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_mipsel.deb
Size/MD5 checksum: 203412 62a1ae565c42e326ae2a129add355155
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_mipsel.deb
Size/MD5 checksum: 689126 f87ca4149400a5ac5bc3e17f149170b8
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_mipsel.deb
Size/MD5 checksum: 211804 6a32fca4e5b5cb68821670a0f59aa5ad

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_sparc.deb
Size/MD5 checksum: 203744 e11aedfb13f8c65a7866b3aa35a35780
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_sparc.deb
Size/MD5 checksum: 701992 1bb07d6070f54a0f84d237bb353c1149
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_sparc.deb
Size/MD5 checksum: 203486 583c76972206a115b83c6af5f700727a
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_sparc.deb
Size/MD5 checksum: 213718 59f82a39914654ba2a32ce50613dc83a


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrta9wACgkQ62zWxYk/rQeDUgCfdLL9M9AYk3FihGSfLQxT5sGK
gcAAoLdYCFgKXMySMt5m7+4Gu0zH9sVE
=4qQL
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: