This sounds rather serious:
I don't know how widespread the use of the mod_copy module is. There is no upstream release with the fix yet (and it's been a week since this was publicly fixed...), probably should be backported.
This took hours. For starters
diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index 526ee3a..879dee2 100644
is not necessary in a patch for Gentoo. The files mod_copy.c and doc/contrib/mod_copy.html, it seems, have been patched by other commits since the release of proftpd-1.3.5 (added to portage on 16 May 2014). When backporting, they had to be completely rebased. The file tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm was taken as it came with the patch.
Since they were made in different styles, the final security patch comes as 2 patches.
~/cvsPortage/gentoo-x86/net-ftp/proftpd $ USE="ssl openssl" ebuild proftpd-1.3.5-
>>> Source compiled.
*proftpd-1.3.5-r2 (27 May 2015)
27 May 2015; Ian Delaney <firstname.lastname@example.org> +files/CVE-2015-3306-test.patch,
revbump; security patch (split into 2) wrt bug #546644, address qa issues by
repoman for deps requiring slot operator
This would now require fast track stabilising.
Arches: ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
> ~/cvsPortage/gentoo-x86/net-ftp/proftpd $ USE="ssl openssl" ebuild
> r2.ebuild compile
> >>> Source compiled.
You need USE=copy as well: bug #550644
Upstream released a new version with a fix.
> - Bug 4169 - Unauthenticated copying of files via SITE CPFR/CPTO allowed by
>*proftpd-1.3.5a (30 May 2015)
> 30 May 2015; Sergei Trofimovich <email@example.com> +proftpd-1.3.5a.ebuild:
> Version bump: fixes security bug #546644 aka CVE-2015-3306: Unauthenticated
> copying of files via SITE CPFR/CPTO in mod_copy (USE=copy).
Please stabilize for:
alpha amd64 arm hppa ia64 ppc64 ppc sparc x86
Arches, please test and mark stable:
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and
write to arbitrary files via the SITE CPFR and SITE CPTO commands without authenticating first.
(In reply to Yury German from comment #5)
You forgot something.
Stable for HPPA.
Stable for PPC64.
GLSA vote: no.
Cleaned all old versions as:
> 25 Jul 2015; Sergei Trofimovich <firstname.lastname@example.org>
> -files/proftpd-1.3.5-netaddr-segv.patch, -proftpd-1.3.4d.ebuild,
> -proftpd-1.3.4e.ebuild, -proftpd-1.3.5-r1.ebuild, -proftpd-1.3.5.ebuild:
> Clean old vulnerable versions (bug #546644).
GLSA Vote: No
Thank you all. Closing as noglsa.