CVE-2017-7418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7418): ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.
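The root cause described above is a check that inspects only the final path component. The added Python example below is not ProFTPD's code and does not reproduce its AllowChrootSymlinks logic; it contrasts a last-component-only symlink check with a check that walks every component, using a constructed temporary directory tree (the names `real`, `link`, `home/alice` are made up for the demonstration).

```python
import os
import shutil
import tempfile


def last_component_is_symlink(path: str) -> bool:
    """Flawed check: only asks whether the final path component is a symlink.

    os.path.islink() uses lstat() on the last component, but the kernel still
    follows symlinks in every intermediate component to get there, so a
    symlink in the middle of the path goes unnoticed.
    """
    return os.path.islink(path)


def any_component_is_symlink(path: str) -> bool:
    """Sound check: lstat() each prefix of the path and reject any symlink.

    Every prefix (/a, /a/b, /a/b/c, ...) is examined with os.path.islink(),
    so a symlink substituted for any component is detected, not just the last.
    """
    path = os.path.abspath(path)
    current = os.sep
    for part in path.split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def build_fixture() -> dict:
    """Constructed layout (example data, not from the bug report):

        <tmp>/real/home/alice      a plain directory tree
        <tmp>/link -> <tmp>/real   a symlink in a non-final position

    <tmp>/link/home/alice ends in a real directory, so only a check that
    looks at every component notices the symlink.
    """
    root = tempfile.mkdtemp(prefix="chroot-symlink-demo-")
    real = os.path.join(root, "real")
    os.makedirs(os.path.join(real, "home", "alice"))
    os.symlink(real, os.path.join(root, "link"))
    return {
        "root": root,
        "clean": os.path.join(real, "home", "alice"),
        "middle_link": os.path.join(root, "link", "home", "alice"),
    }


def cleanup(root: str) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    fx = build_fixture()
    try:
        for label in ("clean", "middle_link"):
            p = fx[label]
            print(f"{label}: last-only={last_component_is_symlink(p)} "
                  f"every-component={any_component_is_symlink(p)}")
    finally:
        cleanup(fx["root"])
```

Running the block prints that the last-component-only check accepts both paths, while the every-component check rejects the path that routes through the symlink. A defender auditing a chroot or home-directory configuration wants the second behaviour; comparing `os.path.realpath(path)` with the configured path is another way to get it, since realpath resolves every component.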
Pushed two releases that fix this CVE: 1.3.5e and 1.3.6 as https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e06b831037753f343442c645c66d2ab29a41d75
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
We are ready to stabilize =net-ftp/proftpd-1.3.5e on the following arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
arm ppc64 stable.
ppc stable.
Stable on alpha.
sparc stable
Arches, thank you for your work. All security supported arches done.
GLSA Vote: No.
Maintainer(s), please drop the vulnerable version(s).
Dropped old as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eecb6564211d3fcd2ad7063f53ac04c2da41bf3
Maintainer(s), Thank you for your work.