[Bug 1462311] Re: proftpd mod_copy issue (CVE-2015-3306)

Tyler Hicks tyhicks at canonical.com
Thu Dec 8 01:08:00 UTC 2016


Hi Brian - Thanks for the debdiffs and your work to improve the security
of Ubuntu. :)

During my review of the debdiffs, I noticed a few minor issues:

1) I had to run the debdiffs through dos2unix to make the patch utility happy
2) I had to add a single newline to the end of the debdiffs to make the patch utility happy
3) I adjusted the precise version from 1.3.4a-2 to 1.3.4a-1ubuntu0.1, as documented in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

As mentioned, these were minor issues and everything else looked good to
me.

As for the backport, I think it was probably a good idea that you left
out the configuration changes. It would have been better if the testing
changes could have been included (assuming that the tests are run at
build time, I haven't checked) but the patch is simple enough that I
have confidence that it is correct.

Thanks again. I'll be uploading these changes soon.

-- 
You received this bug notification because you are a member of ProFTPD
Maintainance Team, which is subscribed to proftpd-dfsg in Ubuntu.
https://bugs.launchpad.net/bugs/1462311

Title:
  proftpd mod_copy issue (CVE-2015-3306)

Status in Proftpd Dfsg:
  Fix Released
Status in proftpd-dfsg package in Ubuntu:
  Confirmed
Status in proftpd-dfsg source package in Precise:
  Confirmed
Status in proftpd-dfsg source package in Trusty:
  Confirmed

Bug description:
  The CVE-2015-3306 problem has been around for some time now and is not fixed in the 12.04 and 14.04 LTS versions.
  http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3306.html

  I also tested it with telnet.
  I can copy files without any authentication if mod_copy is enabled (mod_copy is enabled by default!).
  The module is very useful. I would be happy if I could re-enable it on my servers.

  Debian and other distributions have already fixed this in their systems.
  http://bugs.proftpd.org/show_bug.cgi?id=4169
  https://security-tracker.debian.org/tracker/CVE-2015-3306
  https://www.debian.org/security/2015/dsa-3263

  Is there a special reason why this is still not fixed on the LTS versions
  of Ubuntu?

To manage notifications about this bug go to:
https://bugs.launchpad.net/proftpd-dfsg/+bug/1462311/+subscriptions



More information about the Pkg-proftpd-maintainers mailing list