type: security
subject: Updated proftpd packages fix security vulnerability
CVE:
 - CVE-2017-7418
src:
  5:
   core:
     - proftpd-1.3.5e-1.mga5
description: |
  ProFTPD before 1.3.5e controls whether the home directory of a user could
  contain a symbolic link through the AllowChrootSymlinks configuration
  option, but checks only the last path component when enforcing
  AllowChrootSymlinks. Attackers with local access could bypass the
  AllowChrootSymlinks control by replacing a path component (other than the
  last one) with a symbolic link. The threat model includes an attacker who
  is not granted full filesystem access by a hosting provider, but can
  reconfigure the home directory of an FTP user (CVE-2017-7418).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=20640
 - http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5e
ID: MGASA-2017-0115