Bug 861573 (CVE-2014-1693) - VUL-0: CVE-2014-1693: erlang: FTP Command Injection vulnerability
Summary: VUL-0: CVE-2014-1693: erlang: FTP Command Injection vulnerability
Status: VERIFIED FIXED
Alias: CVE-2014-1693
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Deadline: 2014-03-05
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:57123:low maint:release...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-31 15:21 UTC by Alexander Bergmann
Modified: 2014-06-23 10:51 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2014-01-31 15:21:28 UTC
OSS:11944

This has been reported to erlang-bugs mailing list:
http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html

There is an FTP Command Injection vulnerability in the "ftp" module.

CVE-2014-1693 was assigned to this issue. 

References:
http://comments.gmane.org/gmane.comp.security.oss.general/11944
Comment 1 Swamp Workflow Management 2014-02-03 23:00:14 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2014-02-19 10:37:18 UTC
The SWAMPID for this issue is 56298.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-05.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 SMASH SMASH 2014-02-19 10:40:12 UTC
Affected packages:

SLE-11-SP3-PRODUCTS: erlang
SLE-11-SP3: erlang
SLE-11-SP2-PRODUCTS: erlang
SLE-11-SP2: erlang
Comment 4 Vincent Untz 2014-02-19 21:27:30 UTC
(In reply to comment #3)
> Affected packages:
> 
> SLE-11-SP3-PRODUCTS: erlang
> SLE-11-SP3: erlang
> SLE-11-SP2-PRODUCTS: erlang
> SLE-11-SP2: erlang

For the record, the SP2 package is out-of-maintenance (was only used for Cloud 1.0).

Nanuk: can you handle this security issue?
Comment 5 Marcus Meissner 2014-03-19 12:06:38 UTC
ping? _release_ deadline is today :/ (submission deadline was 2 weeks ago)
Comment 6 Marcus Meissner 2014-03-19 12:20:26 UTC
No fix available yet upstream. on CLOUD (and openSUSE currently).

Currently not pushing for an update.
Comment 7 Nanuk Krinner 2014-04-15 13:23:20 UTC
Fix submitted and accepted with https://build.suse.de/request/show/36347
Comment 8 Nanuk Krinner 2014-04-15 13:52:19 UTC
Created sr#36358 for the update.
Comment 13 Swamp Workflow Management 2014-05-15 13:46:58 UTC
Update released for: erlang
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 14 Swamp Workflow Management 2014-05-15 17:11:06 UTC
SUSE-SU-2014:0659-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 861573
CVE References: CVE-2014-1693
Sources used:
SUSE Cloud 3 (src):    erlang-R14B-0.14.3
Comment 15 Johannes Segitz 2014-06-23 10:51:33 UTC
all packages fixed