========================================================================== Ubuntu Security Notice USN-7297-1 February 25, 2025 ProFTPD vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in proftpd-dfsg. Software Description: - proftpd-dfsg: Versatile, virtual-hosting FTP daemon Details: Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that the transport protocol implementation in ProFTPD had weak integrity checks. An attacker could use this vulnerability to bypass security features like encryption and integrity checks. (CVE-2023-48795) Martin Mirchev discovered that ProFTPD did not properly validate user input over the network. An attacker could use this vulnerability to crash ProFTPD or execute arbitrary code. (CVE-2023-51713) Brian Ristuccia discovered that ProFTPD incorrectly inherited groups from the parent process. An attacker could use this vulnerability to elevate privileges. (CVE-2024-48651) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 proftpd-core 1.3.8.b+dfsg-2ubuntu1.24.10.1 Ubuntu 24.04 LTS proftpd-core 1.3.8.b+dfsg-1ubuntu0.1 Ubuntu 22.04 LTS proftpd-basic 1.3.7c+dfsg-1ubuntu0.1 proftpd-core 1.3.7c+dfsg-1ubuntu0.1 Ubuntu 20.04 LTS proftpd-basic 1.3.6c-2ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7297-1 CVE-2023-48795, CVE-2023-51713, CVE-2024-48651 Package Information: https://launchpad.net/ubuntu/+source/proftpd-dfsg/1.3.8.b+dfsg-2ubuntu1.24.10.1 https://launchpad.net/ubuntu/+source/proftpd-dfsg/1.3.8.b+dfsg-1ubuntu0.1 https://launchpad.net/ubuntu/+source/proftpd-dfsg/1.3.7c+dfsg-1ubuntu0.1 https://launchpad.net/ubuntu/+source/proftpd-dfsg/1.3.6c-2ubuntu0.1