Contents of /20640.adv

Revision 5567
Mon Apr 24 07:14:32 2017 UTC (7 years ago) by neoclust
File size: 863 byte(s)
MGASA-2017-0115: proftpd-1.3.5e-1.mga5
type: security
subject: Updated proftpd packages fix security vulnerability
CVE:
 - CVE-2017-7418
src:
  5:
   core:
     - proftpd-1.3.5e-1.mga5
description: |
  ProFTPD before 1.3.5e controls whether the home directory of a user could
  contain a symbolic link through the AllowChrootSymlinks configuration
  option, but checks only the last path component when enforcing
  AllowChrootSymlinks. Attackers with local access could bypass the
  AllowChrootSymlinks control by replacing a path component (other than the
  last one) with a symbolic link. The threat model includes an attacker who
  is not granted full filesystem access by a hosting provider, but can
  reconfigure the home directory of an FTP user (CVE-2017-7418).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=20640
 - http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5e
ID: MGASA-2017-0115
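
Added example, not part of the advisory and not ProFTPD's code: an audit helper that contrasts the last-component-only symlink check described above with a check of every path component. The function names and the temporary sample tree are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile


def last_component_is_symlink(path):
    """The insufficient check from the advisory: lstat() only sees the final component."""
    return stat.S_ISLNK(os.lstat(path).st_mode)


def symlinked_components(path):
    """Return every prefix of an absolute path that is itself a symbolic link."""
    parts = path.split(os.sep)
    if not os.path.isabs(path) or ".." in parts:
        raise ValueError("expected an absolute path without '..' components")
    found, current = [], os.sep
    for part in parts:
        if part in ("", "."):
            continue
        current = os.path.join(current, part)
        # lstat() resolves the components before `part`, but not `part` itself.
        if stat.S_ISLNK(os.lstat(current).st_mode):
            found.append(current)
    return found


def build_sample_tree():
    """Constructed sample input: <base>/real/user plus <base>/link -> <base>/real."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="chroot-audit-"))
    os.makedirs(os.path.join(base, "real", "user"))
    os.symlink(os.path.join(base, "real"), os.path.join(base, "link"))
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for home in (os.path.join(base, "real", "user"), os.path.join(base, "link", "user")):
        print(home)
        print("  last component is a symlink:", last_component_is_symlink(home))
        print("  symlinked components:", symlinked_components(home))
```

The result reflects the filesystem at the time of the call, so it is suited to auditing configured home directories rather than to enforcing the restriction at login.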
