Bug 927290 (CVE-2015-3306:) - VUL-0: CVE-2015-3306: proftpd: Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy
Summary: VUL-0: CVE-2015-3306: proftpd: Unauthenticated copying of files via SITE CPFR...
Status: RESOLVED FIXED
Alias: CVE-2015-3306:
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Sebastian Krahmer
QA Contact: Security Team bot

Reported: 2015-04-15 12:47 UTC by Andreas Stieger
Modified: 2015-06-11 12:05 UTC
CC List: 3 users

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2015-04-15 12:47:36 UTC
via oss-sec http://seclists.org/oss-sec/2015/q2/148

When the module mod_copy is enabled one can copy around files on the
server without any authentication.

The openSUSE proftpd packages ship /usr/lib/proftpd/mod_copy.so in 13.1 and 13.2.

References:
http://bugs.proftpd.org/show_bug.cgi?id=4169
https://github.com/proftpd/proftpd/pull/109
https://github.com/proftpd/proftpd/commit/35b65aaf7219be474f621a874ec77c85d9ec794d
https://cxsecurity.com/issue/WLB-2015040075
http://seclists.org/oss-sec/2015/q2/148
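Two defender-side checks that follow from the report above, written as an added example (not part of the bug report, the openSUSE package or the proftpd project): an audit that tells whether a proftpd.conf actually loads mod_copy (ProFTPD's real `LoadModule mod_copy.c` DSO syntax, which is how the shipped `/usr/lib/proftpd/mod_copy.so` gets enabled), a helper that comments that line out as an interim mitigation until the fixed package is installed, and detection logic that flags `SITE CPFR`/`SITE CPTO` issued in a session before the server has answered `230` (login successful). The config fragment and the per-session log are constructed for this example; the log format is an assumption chosen for readability, not ProFTPD's xferlog or ExtendedLog syntax, so map it to whatever your server actually records.

```python
"""Audit and detection helpers for the mod_copy issue (CVE-2015-3306).

Added example; assumptions are marked in comments. Runs offline on the
constructed inputs at the bottom.
"""
import re
from typing import Dict, List, Tuple

# --- Part 1: configuration audit -------------------------------------------
# ProFTPD loads DSO modules with "LoadModule <module>.c"; a line whose first
# non-blank character is "#" is a comment and has no effect.
LOADMODULE_RE = re.compile(r'^LoadModule\s+mod_copy\.c\s*$', re.IGNORECASE)


def mod_copy_loaded(conf_text: str) -> bool:
    """True if any active (non-comment) line of the config loads mod_copy."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if LOADMODULE_RE.match(line):
            return True
    return False


def disable_mod_copy(conf_text: str) -> str:
    """Return the config with every active mod_copy LoadModule line commented
    out. Not loading the module removes the SITE CPFR/CPTO handlers entirely,
    which is the interim mitigation until a patched package is installed."""
    out = []
    for raw in conf_text.splitlines():
        if LOADMODULE_RE.match(raw.strip()):
            # The whole line becomes a comment, so the trailing note is safe.
            out.append('# ' + raw.strip() + '  # disabled: CVE-2015-3306 (bug 927290)')
        else:
            out.append(raw)
    return '\n'.join(out) + '\n'


# --- Part 2: detection over a session log -----------------------------------
# Constructed log format (an assumption for this example, NOT ProFTPD's own):
# "<session> <dir> <text>", where <dir> is ">" for a client command and "<"
# for a server reply line whose text starts with the 3-digit reply code.
COPY_CMD_RE = re.compile(r'^SITE\s+(CPFR|CPTO)\b', re.IGNORECASE)


def unauthenticated_copy_commands(log_text: str) -> List[Tuple[str, str]]:
    """Return (session, command) for every SITE CPFR/CPTO that a client sent
    before the server answered 230 in that session.

    A patched server rejects such commands; an unpatched one with mod_copy
    loaded executes them. Either way a pre-login copy command is the signal
    worth alerting on, so the reply code is deliberately not consulted."""
    logged_in: Dict[str, bool] = {}
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        session, direction, text = raw.split(' ', 2)
        if direction == '<':
            if text.startswith('230'):
                logged_in[session] = True
        elif direction == '>':
            if COPY_CMD_RE.match(text) and not logged_in.get(session, False):
                findings.append((session, text))
    return findings


# --- Constructed sample inputs ----------------------------------------------
SAMPLE_CONF = """\
# constructed proftpd.conf fragment (not a real deployment)
ServerName "example"
LoadModule mod_copy.c
#LoadModule mod_sftp.c
"""

SAMPLE_LOG = """\
s1 < 220 ProFTPD Server ready.
s1 > USER alice
s1 < 331 Password required for alice
s1 > PASS ********
s1 < 230 User alice logged in
s1 > SITE CPFR /srv/data/report.pdf
s1 < 350 Ready for destination name
s2 < 220 ProFTPD Server ready.
s2 > SITE CPFR /srv/data/report.pdf
s2 < 350 Ready for destination name
s2 > SITE CPTO /srv/ftp/pub/report.pdf
s2 < 250 Copy successful
"""

if __name__ == '__main__':
    print('mod_copy loaded:', mod_copy_loaded(SAMPLE_CONF))
    print('after mitigation:', mod_copy_loaded(disable_mod_copy(SAMPLE_CONF)))
    for session, cmd in unauthenticated_copy_commands(SAMPLE_LOG):
        print(f'pre-login copy command in session {session}: {cmd}')
```

Session `s1` copies only after its `230`, so it is not reported; session `s2` never authenticates, and both of its copy commands are returned. On a real server, point the audit at the actual configuration file (including any `Include`d files) and feed the detector from whatever log captures raw commands and reply codes.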
Comment 1 Swamp Workflow Management 2015-04-15 22:00:34 UTC
bugbot adjusting priority
Comment 2 Forgotten User Hs6M4GwLmH 2015-04-30 13:42:36 UTC
(In reply to Andreas Stieger from comment #0)
> via oss-sec http://seclists.org/oss-sec/2015/q2/148
> 
> When the module mod_copy is enabled one can copy around files on the
> server without any authentication.
> 
> The openSUSE proftpd packages ship /usr/lib/proftpd/mod_copy.so in 13.1 and
> 13.2.
> 
> References:
> http://bugs.proftpd.org/show_bug.cgi?id=4169
> https://github.com/proftpd/proftpd/pull/109
> https://github.com/proftpd/proftpd/commit/35b65aaf7219be474f621a874ec77c85d9ec794d
> https://cxsecurity.com/issue/WLB-2015040075
> http://seclists.org/oss-sec/2015/q2/148

Hi:
   Any updates?
Comment 3 Andreas Stieger 2015-04-30 13:54:40 UTC
(In reply to liu xiaoyong from comment #2)
> Hi:
>    Any updates?

This package is not in SLE. The bug affects openSUSE only, and is assigned to the community package maintainer. 

A source patch is available. No upstream release is available.
There is no further update available at this time.
Comment 4 Forgotten User Hs6M4GwLmH 2015-04-30 14:30:29 UTC
(In reply to Andreas Stieger from comment #3)
> (In reply to liu xiaoyong from comment #2)
> > Hi:
> >    Any updates?
> 
> This package is not in SLE. The bug affects openSUSE only, and is assigned
> to the community package maintainer. 
> 
> A source patch is available. No upstream release is available.
> There is no further update available at this time.

So, both SLES 11 SP1 and SLES 11 SP3 are not affected by this. Thank you.
Comment 6 Christian Wittmer 2015-05-31 19:08:11 UTC
ongoing work ...
Comment 7 Bernhard Wiedemann 2015-05-31 20:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (927290) was mentioned in
https://build.opensuse.org/request/show/309478 Factory / proftpd
Comment 8 Bernhard Wiedemann 2015-06-01 00:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (927290) was mentioned in
https://build.opensuse.org/request/show/309515 Factory / proftpd
Comment 9 Bernhard Wiedemann 2015-06-02 00:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (927290) was mentioned in
https://build.opensuse.org/request/show/309709 13.2+13.1 / proftpd
Comment 10 Christian Wittmer 2015-06-02 11:26:15 UTC
package updated and submitted ... for Factory, 13.1 and 13.2
Comment 11 Swamp Workflow Management 2015-06-11 12:05:50 UTC
openSUSE-SU-2015:1031-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 927290
CVE References: CVE-2013-4359,CVE-2015-3306
Sources used:
openSUSE 13.2 (src):    proftpd-1.3.5a-3.1
openSUSE 13.1 (src):    proftpd-1.3.5a-7.1