SB2019112926 - Fedora 30 update for proftpd

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019112926

SB2019112926 - Fedora 30 update for proftpd

Published: November 29, 2019 Updated: April 25, 2025

Security Bulletin ID SB2019112926
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2019-19269)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference in tls_verify_crl() function in ProFTPD while processing data, returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. A remote attacker can trigger the NULL pointer dereference error when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

Successful exploitation of the vulnerability will result in a denial of service condition.


2) Improper Certificate Validation (CVE-ID: CVE-2019-19270)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.


Remediation

Install update from vendor's website.

References