Bug 577046 (CVE-2016-3125) - <net-ftp/proftpd-1.3.5b: Ignores configured Diffie Hellman parameters and uses risky 1024 bit ones (CVE-2016-3125)
Status: RESOLVED FIXED
Alias: CVE-2016-3125
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [cve noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-11 10:13 UTC by Hanno Böck
Modified: 2016-06-30 23:19 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2016-03-11 10:13:24 UTC
I discovered a bug in proftpd: it ignores Diffie-Hellman parameters configured by the user with TLSDHParamFile and uses predefined 1024-bit parameters. 1024-bit Diffie-Hellman is considered risky these days and may be breakable by a powerful attacker.

Upstream has fixed this in 1.3.5b.

See
http://bugs.proftpd.org/show_bug.cgi?id=4230
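An added check, not part of the bug report or of ProFTPD's own tooling: because a vulnerable server reads TLSDHParamFile but does not honour it, looking at the configuration proves nothing. The only reliable test is to inspect the finite-field DH group size negotiated in a real handshake. The script below does that with openssl s_client (1.0.2 or later, which prints the "Server Temp Key:" line), and separates the parsing and classification into functions so they can be exercised on captured output. The host names, the parameter file path and the proftpd.conf fragment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from ProFTPD: verify the
# finite-field DH group size a server really negotiates, rather than trusting
# the TLSDHParamFile directive. Assumes openssl(1) >= 1.0.2 (it prints the
# "Server Temp Key:" line) and an FTP server offering explicit AUTH TLS.

# Path below is an assumption for illustration.
DH_PARAM_FILE=/etc/proftpd/dh2048.pem

# Step 1: generate 2048-bit DH parameters for TLSDHParamFile (slow; run once).
generate_dh_params() {
    openssl dhparam -out "$DH_PARAM_FILE" 2048
}

# Step 2: assumed minimal mod_tls fragment for proftpd.conf:
#   <IfModule mod_tls.c>
#     TLSEngine      on
#     TLSDHParamFile /etc/proftpd/dh2048.pem
#   </IfModule>
# On ProFTPD < 1.3.5b the directive is accepted but the built-in 1024-bit
# group is used anyway, so the handshake itself is the only trustworthy check.

# Step 3: probe the live server. TLS 1.2 is forced so that the DHE-only cipher
# restriction applies (TLS 1.3 selects groups via -groups instead).
probe_ftps_dhe() {
    host=$1
    port=${2:-21}
    openssl s_client -starttls ftp -connect "$host:$port" \
        -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null
}

# Parse s_client output on stdin; print the DH group size in bits, or nothing
# if the handshake did not use finite-field DH (ECDHE, or a failed handshake).
dh_bits_from_s_client() {
    sed -n 's/^[[:space:]]*Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1
}

# Classify a bit count against a minimum (default 2048):
#   0 = acceptable, 1 = weaker than the minimum, 2 = no DH key exchange seen.
check_dh_strength() {
    bits=$1
    min=${2:-2048}
    [ -n "$bits" ] || return 2
    [ "$bits" -ge "$min" ] && return 0
    return 1
}

# Wrapper for a live host: prints a verdict and returns the check code.
audit_ftps_dh() {
    bits=$(probe_ftps_dhe "$1" "${2:-21}" | dh_bits_from_s_client)
    check_dh_strength "$bits" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: DHE group ${bits} bits (ok)" ;;
        1) echo "$1: DHE group ${bits} bits (WEAK, below 2048: TLSDHParamFile ignored or unset?)" ;;
        *) echo "$1: no finite-field DH negotiated (handshake failed or ECDHE only)" ;;
    esac
    return $rc
}
```

Run `audit_ftps_dh ftp.example.org` (host name assumed) against a server whose proftpd.conf points at a 2048-bit parameter file; a verdict of 1024 bits there is exactly the symptom of this bug, and the same verdict after upgrading to 1.3.5b means the directive is missing or mis-scoped rather than ignored.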
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2016-03-11 21:15:50 UTC
Pushed 1.3.5b addressing the issue as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6870b2269b486c6456bc3402fc4e23d4d31ee6c7

Thank you!
Comment 2 Hanno Böck gentoo-dev 2016-03-23 11:20:52 UTC
Can we start stabilizing?
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-24 06:29:46 UTC
@arches, please stabilize:

=net-ftp/proftpd-1.3.5b
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-24 08:57:04 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-03-24 08:58:08 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-26 09:06:26 UTC
Stable for HPPA PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-27 10:17:08 UTC
ppc stable
Comment 8 Markus Meier gentoo-dev 2016-03-30 18:32:07 UTC
arm stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-20 13:29:39 UTC
Stable on alpha.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 12:48:01 UTC
@maintainer, please cleanup the vulnerable version.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 23:18:33 UTC
CVE-2016-3125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3125):
  The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does
  not properly handle the TLSDHParamFile directive, which might cause a weaker
  than intended Diffie-Hellman (DH) key to be used and consequently allow
  attackers to have unspecified impact via unknown vectors.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 23:19:41 UTC
(In reply to Sergei Trofimovich from comment #11)
> Dropped as:
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=a2c956361dce86ec2c3fed71e0502d12a53b1cfd

Thanks!

GLSA Vote: No