Synopsis:
proftpd security updateSummary:
An update for proftpd is now available for openEuler-24.03-LTS-SP1Description:
ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included.
Security Fix(es):
mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).(CVE-2026-42167)
In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.(CVE-2026-44331)Topic:
An update for proftpd is now available for openEuler-24.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Severity:
HighAffected Component:
proftpd
1.3.9a-2.oe2403sp11.3.9a-2.oe2403sp11.3.9a-2.oe2403sp11.3.9a-2.oe2403sp11.3.9a-2.oe2403sp11.3.9a-2.oe2403sp11.3.9a-2.oe2403sp11.3.9a-2.oe2403sp11.3.9a-2.oe2403sp11.3.9a-2.oe2403sp1Exploitability
AV:NAC:HPR:NUI:NScope
S:UImpact
C:HI:HA:H8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H