Bug 970890 (CVE-2016-3125) - VUL-0: CVE-2016-3125: proftpd: [TLSDHParamFile directive ignored]
Summary: VUL-0: CVE-2016-3125: proftpd: [TLSDHParamFile directive ignored]
Status: RESOLVED FIXED
Alias: CVE-2016-3125
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Victor Pereira
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/163170/
 
Reported: 2016-03-14 08:35 UTC by Victor Pereira
Modified: 2016-06-28 16:26 UTC

Found By: Security Response Team


Description Victor Pereira 2016-03-14 08:35:48 UTC
CVE-2016-3125

The ProFTPD daemon supports TLS encrypted connections via the mod_tls
module. This module has a configuration option TLSDHParamFile to specify
user-defined Diffie-Hellman parameters.

Versions older than 1.3.5b / 1.3.6rc2 had a bug that would cause the
software to ignore the parameters and use Diffie-Hellman key exchanges
with 1024 bits:
http://bugs.proftpd.org/show_bug.cgi?id=4230

The release notes[1] are confusing, as they mention only problems with
keys smaller than 2048 bits, but I was also able to reproduce this issue
with 4096-bit keys. But anyway, it is fixed in the latest versions for
all key sizes I have tested.

As 1024-bit DH is considered dangerously small these days and breakable
by a powerful attacker, I think this should be considered a security
vulnerability.

[1] http://proftpd.org/docs/RELEASE_NOTES-1.3.5b


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3125
http://seclists.org/oss-sec/2016/q1/612
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3125.html
http://bugs.proftpd.org/show_bug.cgi?id=4097
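Added here as a verification aid (not part of this bug report, of ProFTPD, or of the openSUSE update): the script below reads the prime size out of the file named in TLSDHParamFile and compares it with the ephemeral group that a DHE handshake against the server actually negotiates, so an affected build shows up as a configured size larger than the negotiated one. Host, port and file path are the caller's; make_dh_pem exists only to build constructed parameter files for the self-test and uses no real prime.

```python
import base64
import re
import subprocess

# Ephemeral key line printed by `openssl s_client` (OpenSSL 1.0.2 and later).
TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*DH,\s*(\d+)\s*bits", re.M)

def negotiated_dh_bits(s_client_output):
    """DH group size the server actually used, or None if no DHE suite was negotiated."""
    m = TEMP_KEY_RE.search(s_client_output)
    return int(m.group(1)) if m else None

def _der_len(der, i):
    """Decode the DER length at offset i; return (length, offset of the content)."""
    n = der[i] & 0x7F
    if der[i] < 0x80:
        return n, i + 1
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_param_bits(pem):
    """Bit length of p in a 'DH PARAMETERS' PEM (PKCS#3: SEQUENCE { INTEGER p, INTEGER g })."""
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    _, i = _der_len(der, 1)
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("not PKCS#3 DH parameters")
    plen, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()  # a leading 0x00 pad is harmless

def make_dh_pem(p, g=2):
    """Encode (p, g) as a DH PARAMETERS PEM. For constructed test input only: p is not
    checked for primality, so never install the output on a real server."""
    def length(n):
        if n < 0x80:
            return bytes([n])
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(b)]) + b
    def integer(v):
        body = v.to_bytes(v.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
        return b"\x02" + length(len(body)) + body
    seq = integer(p) + integer(g)
    b64 = base64.b64encode(b"\x30" + length(len(seq)) + seq).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def check_server(host, port, dhparam_path):
    """Compare the group in TLSDHParamFile with what the server negotiates via FTP STARTTLS."""
    configured = dh_param_bits(open(dhparam_path).read())
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-starttls", "ftp", "-tls1_2", "-cipher", "DHE"]
    negotiated = negotiated_dh_bits(subprocess.run(cmd, input="", capture_output=True, text=True, timeout=30).stdout)
    return configured, negotiated, negotiated is not None and negotiated >= configured
```

Run check_server("ftp.example.com", 21, "/etc/proftpd/dhparams.pem") (placeholders) against your own server; the last element of the returned tuple is False when the negotiated group is smaller than the configured one, which is the behaviour this bug describes.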
Comment 1 Swamp Workflow Management 2016-03-14 23:00:24 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2016-05-08 19:36:03 UTC
ongoing work
Comment 3 Bernhard Wiedemann 2016-05-08 20:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (970890) was mentioned in
https://build.opensuse.org/request/show/394270 Factory / proftpd
https://build.opensuse.org/request/show/394274 13.2+42.1 / proftpd
Comment 4 Christian Wittmer 2016-05-08 20:27:18 UTC
For Factory:
https://build.opensuse.org/request/show/394270

Maintenance for Leap and 13.2:
https://build.opensuse.org/request/show/394274

Maintenance for Evergreen 13.1:
https://build.opensuse.org/request/show/394276
Comment 5 Swamp Workflow Management 2016-05-18 12:15:31 UTC
openSUSE-SU-2016:1334-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 970890
CVE References: CVE-2016-3125
Sources used:
openSUSE Leap 42.1 (src):    proftpd-1.3.5b-4.1
openSUSE 13.2 (src):    proftpd-1.3.5b-6.1
Comment 6 Bernhard Wiedemann 2016-05-31 19:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (970890) was mentioned in
https://build.opensuse.org/request/show/399274 13.1 / proftpd
Comment 7 Swamp Workflow Management 2016-06-11 20:10:16 UTC
openSUSE-SU-2016:1558-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 970890
CVE References: CVE-2016-3125
Sources used:
openSUSE 13.1 (src):    proftpd-1.3.5b-10.1
Comment 8 Bernhard Wiedemann 2016-06-23 22:00:53 UTC
This is an autogenerated message for OBS integration:
This bug (970890) was mentioned in
https://build.opensuse.org/request/show/404332 42.2 / proftpd
Comment 9 Christian Wittmer 2016-06-28 16:26:43 UTC
can we close this?