December 15, 2009

[installer 2175] Re: ProFTPD 1.3.2c, 1.3.3rc3

This is Kamimura.

I don't know how SSL/TLS affects ftpd, but since this is a security
fix, I am forwarding it just in case.


On Mon, 14 Dec 2009 19:21:48 +0900 (JST)
Koga Youichirou <y-koga@xxxxx> wrote:

> ProFTPD 1.3.2c and 1.3.3rc3 have been released.
>
> They include a mitigation for the SSL/TLS renegotiation MITM issue.
>
> ☆ ProFTPD 1.3.2c
> http://www.proftpd.org/
> ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.2c.tar.gz
>
> 1.3.2c - Released 10-Dec-2009
> --------------------------------
> - Bug 3324 - Vulnerability in SSL/TLS protocol during renegotiation
> (CVE-2009-3555).
> - Bug 3328 - Failed database transaction can cause mod_quotatab to loop
> endlessly.
> - Bug 3332 - Segfault in mod_wrap when TCPAccessFiles do not exist and client
> sends USER for account which does not exist.
> - Bug 3337 - <Directory> sections with a trailing directory name of one
> character have <Limit> problems. This is a regression caused by Bug#3146.
> - Bug 3341 - mod_wrap2 segfaults when a valid user retries the USER command.
> - Bug 3350 - Segfault caused by scrubbing zero-length portion of memory.
> - Bug 3347 - mod_auth_file handles 'getgroups' request incorrectly.
> - Bug 3351 - Nonchrooted logins on HPUX do not get proper UID/GID.
>
>
> ☆ ProFTPD 1.3.3rc3
> http://www.proftpd.org/
> ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3rc3.tar.gz
>
> 1.3.3rc3 - Released 10-Dec-2009
> --------------------------------
> - Bug 3303 - FileZilla reports "Server did not properly shut down TLS
> connection" after TimeoutIdle triggered.
> - Bug 3305 - Emulate Solaris 10 syslog "header" on Solaris 10 servers.
> - Bug 3307 - All FTP logins treated as anonymous logins.
> - Bug 3312 - Uploading via SFTP/SCP to FIFO whose reader is closed causes
> session to hang.
> - Bug 3313 - Uploading via SFTP to FIFOs fails due to illegal lseek(2),
> truncate(2) calls.
> - Bug 3314 - Downloading from FIFOs via SFTP/SCP fails.
> - Bug 3315 - Support the %u variable in SFTPAuthorizedUserKeys paths.
> - Bug 3316 - Messages from PAM modules are ignored when authenticating SSH
> clients via 'keyboard-interactive'.
> - Bug 3317 - mod_wrap/libwrap should honor SyslogFacility setting.
> - Bug 3311 - configure script should automatically detect when -ldl is needed
> by OpenSSL.
> - Bug 3324 - Vulnerability in SSL/TLS protocol during renegotiation
> (CVE-2009-3555).
> - Bug 3327 - Clear external SSL session caches on server restart/shutdown.
> - Bug 3326 - Shared memory segment used for session cache should be protected
> via mlock(2).
> - Bug 3322 - Support the "version-select" SFTP extension.
> - Bug 3321 - Support the "check-file-name" and "check-file-handle" SFTP
> extensions.
> - Bug 3320 - Support the "copy-file" SFTP extension.
> - Bug 3328 - Failed database transaction can cause mod_quotatab to loop
> endlessly.
> - Bug 3307 - Transparently handle the X-variant commands when checking <Limit>
> permissions. The fix for this issue has been reimplemented to be more
> transparent; some existing configurations were broken by the previous
> implementation.
> - Bug 3329 - Support the "vendor-id" SFTP extension.
> - Bug 3332 - Segfault in mod_wrap when TCPAccessFiles do not exist and client
> sends USER for account which does not exist.
> - Bug 3333 - mod_sql_mysql should support calling stored procedures better.
> - Bug 3337 - <Directory> sections with a trailing directory name of one
> character have <Limit> problems. This is regression caused by Bug#3146.
> - Bug 3331 - Update bundled libtool to 2.2.4.
> - Bug 3341 - mod_wrap2 segfaults when a valid user retries the USER command.
> - Bug 3342 - FEAT response contains LF without preceding CR.
> - Bug 3306 - ECONNREFUSED while handling SIGHUP.
> - Bug 3345 - mod_sftp returns EACCES rather than ENOENT for an OPEN request
> for a nonexistent file.
> - Bug 3344 - Support SHA256, SHA512 passwords in databases.
> - Bug 3348 - Rewriting of home directories via RewriteHome does not work for
> chrooted sessions.
> - Bug 3349 - SSL_SESSION_cmp not available in OpenSSL 1.0.0 betas.
> - Bug 3350 - Segfault caused by scrubbing zero-length portion of memory.
> - Bug 3347 - mod_auth_file handles 'getgroups' request incorrectly.
> - Bug 3351 - Nonchrooted logins on HPUX do not get proper UID/GID.
> - Bug 3352 - mod_sftp does not reject/close connections that have been rejected
> by mod_wrap.
>
> ----
> Koga Youichirou
>
>

--
Fujitsu Software Technologies Limited
Internet Service Products Division
KAMIMURA Shin skami@xxxxx

Posted by xml-rpc: December 15, 2009 09:56