First Last Prev Next    This bug is not in your last search results.
Bug 1142281 - (CVE-2019-12815) VUL-0: CVE-2019-12815: proftpd: arbitrary file copy in mod_copy allows for remote code execution and information disclosure without authentication
(CVE-2019-12815)
VUL-0: CVE-2019-12815: proftpd: arbitrary file copy in mod_copy allows for r...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.0
Other Other
: P3 - Medium : Major (vote)
: ---
Assigned To: Christian Wittmer
Security Team bot
https://smash.suse.de/issue/237778/
obs:running:11781:important
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-07-22 05:22 UTC by Alexandros Toptsoglou
Modified: 2020-01-13 23:40 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2019-07-22 05:22:24 UTC 
CVE-2019-12815

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows
for remote code execution and information disclosure without authentication, a
related issue to CVE-2015-3306.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12815
http://www.cvedetails.com/cve/CVE-2019-12815/
http://bugs.proftpd.org/show_bug.cgi?id=4372
https://github.com/proftpd/proftpd/pull/816
https://tbspace.de/cve201912815proftpd.html
Comment 1 Alexandros Toptsoglou 2019-07-22 05:23:21 UTC 
OpenSUSE ships 1.3.5d which is also seems affected. The pull request for the fix is located at [1] 



[1] https://github.com/proftpd/proftpd/pull/816/commits/71cd49ea82313f78d52a52d0c628a3770dc96608
Comment 2 Christian Wittmer 2019-07-22 11:19:52 UTC 
ongoing work
trying to find out if the patch (master branch) is also applicable for 1.3.5/1.3.6 branch ... or if we should wait for release updates.
Comment 3 Christian Wittmer 2019-08-02 14:01:51 UTC 
backported patch from 1.3.6 branch for 1.3.5e

taken from here:
http://bugs.proftpd.org/show_bug.cgi?id=4372

refers to commit:
https://github.com/proftpd/proftpd/commit/a73dbfe3b61459e7c2806d5162b12f0957990cb3

waiting for 1.3.6 Release update with patch included
Comment 4 Swamp Workflow Management 2019-08-02 15:50:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1142281) was mentioned in
https://build.opensuse.org/request/show/720689 15.0+15.1+Backports:SLE-15 / proftpd
Comment 5 Swamp Workflow Management 2019-08-08 13:10:31 UTC 
openSUSE-SU-2019:1836-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1142281
CVE References: CVE-2017-7418,CVE-2019-12815
Sources used:
openSUSE Leap 15.1 (src):    proftpd-1.3.5e-lp151.3.3.1
openSUSE Leap 15.0 (src):    proftpd-1.3.5e-lp150.2.3.1
openSUSE Backports SLE-15 (src):    proftpd-1.3.5e-bp150.3.3.1
Comment 6 Swamp Workflow Management 2019-08-14 10:11:32 UTC 
openSUSE-SU-2019:1870-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1142281
CVE References: CVE-2017-7418,CVE-2019-12815
Sources used:
openSUSE Backports SLE-15-SP1 (src):    proftpd-1.3.5e-bp151.4.3.1
Comment 7 Swamp Workflow Management 2019-11-03 21:20:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1142281) was mentioned in
https://build.opensuse.org/request/show/745042 Factory / proftpd
Comment 8 Christian Wittmer 2019-12-28 20:07:53 UTC 
Hi Alexandros,

can we close this ???
Comment 9 Alexandros Toptsoglou 2020-01-07 08:12:55 UTC 
(In reply to Christian Wittmer from comment #8)
> Hi Alexandros,
> 
> can we close this ???

Sure. Thanks for pointing out.
First Last Prev Next    This bug is not in your last search results.