Detections
Analytics

Mandriva Linux Security Advisory : proftpd (MDVSA-2009:337)

medium Nessus Plugin ID 43393

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

A vulnerability has been identified and corrected in proftpd :

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue (CVE-2009-3555).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

This update fixes this vulnerability.

Solution

Update the affected packages.

See Also

http://bugs.proftpd.org/show_bug.cgi?id=3324

Plugin Details

Severity: Medium

ID: 43393

File Name: mandriva_MDVSA-2009-337.nasl

Version: 1.19

Type: local

Published: 12/23/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

Vulnerability Information

CPE: cpe:/o:mandriva:linux:2009.1, p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_file, p-cpe:/a:mandriva:linux:proftpd-mod_site_misc, p-cpe:/a:mandriva:linux:proftpd-mod_wrap_file, p-cpe:/a:mandriva:linux:proftpd-mod_shaper, p-cpe:/a:mandriva:linux:proftpd-mod_ratio, p-cpe:/a:mandriva:linux:proftpd-mod_sftp, p-cpe:/a:mandriva:linux:proftpd-mod_ldap, p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_ldap, p-cpe:/a:mandriva:linux:proftpd-mod_radius, p-cpe:/a:mandriva:linux:proftpd-mod_ifsession, p-cpe:/a:mandriva:linux:proftpd-mod_sql_postgres, p-cpe:/a:mandriva:linux:proftpd-mod_time, p-cpe:/a:mandriva:linux:proftpd-mod_sql_mysql, p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_sql, p-cpe:/a:mandriva:linux:proftpd-devel, cpe:/o:mandriva:linux:2010.0, cpe:/o:mandriva:linux:2008.0, p-cpe:/a:mandriva:linux:proftpd-mod_ban, p-cpe:/a:mandriva:linux:proftpd-mod_tls, p-cpe:/a:mandriva:linux:proftpd-mod_quotatab_radius, p-cpe:/a:mandriva:linux:proftpd-mod_quotatab, p-cpe:/a:mandriva:linux:proftpd-mod_rewrite, p-cpe:/a:mandriva:linux:proftpd, p-cpe:/a:mandriva:linux:proftpd-mod_gss, p-cpe:/a:mandriva:linux:proftpd-mod_load, p-cpe:/a:mandriva:linux:proftpd-mod_ctrls_admin, p-cpe:/a:mandriva:linux:proftpd-mod_vroot, p-cpe:/a:mandriva:linux:proftpd-mod_autohost, p-cpe:/a:mandriva:linux:proftpd-mod_case, p-cpe:/a:mandriva:linux:proftpd-mod_wrap, p-cpe:/a:mandriva:linux:proftpd-mod_wrap_sql, p-cpe:/a:mandriva:linux:proftpd-mod_sql, cpe:/o:mandriva:linux:2009.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/22/2009

Reference Information

CVE: CVE-2009-3555

BID: 36935

CWE: 310

MDVSA: 2009:337