Red Hat 9062 Published by

A gftp security update is available for Red Hat Enterprise Linux

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Moderate: gftp security update
Advisory ID: RHSA-2005:410-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-410.html
Issue date: 2005-06-13
Updated on: 2005-06-13
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0372
----------------------------------------------------------------------

1. Summary:

An updated gFTP package that fixes a directory traversal issue is now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64



3. Problem description:

gFTP is a multi-threaded FTP client for the X Window System.

A directory traversal bug was found in gFTP. If a user can be tricked into downloading a file from a malicious ftp server, it is possible to overwrite arbitrary files owned by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0372 to this issue.

Users of gftp should upgrade to this updated package, which contains a backported fix for this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

149109 - CAN-2005-0372 directory traversal issue in gftp


6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/gftp-2.0.8-5.src.rpm
9ad04edd854e04b291b8ad13cdbb1329 gftp-2.0.8-5.src.rpm

i386:
43668a3d9304b5bd3e1c10089e0d1aad gftp-2.0.8-5.i386.rpm

ia64:
f6d35d6320d0c829994dfbfd2059acd8 gftp-2.0.8-5.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/gftp-2.0.8-5.src.rpm
9ad04edd854e04b291b8ad13cdbb1329 gftp-2.0.8-5.src.rpm

ia64:
f6d35d6320d0c829994dfbfd2059acd8 gftp-2.0.8-5.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/gftp-2.0.8-5.src.rpm
9ad04edd854e04b291b8ad13cdbb1329 gftp-2.0.8-5.src.rpm

i386:
43668a3d9304b5bd3e1c10089e0d1aad gftp-2.0.8-5.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/gftp-2.0.8-5.src.rpm
9ad04edd854e04b291b8ad13cdbb1329 gftp-2.0.8-5.src.rpm

i386:
43668a3d9304b5bd3e1c10089e0d1aad gftp-2.0.8-5.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/gftp-2.0.14-4.src.rpm
b1f1c96f874c88ca7876bd4b89ea84d8 gftp-2.0.14-4.src.rpm

i386:
d70901a39c11289a7062f74bbddbbf47 gftp-2.0.14-4.i386.rpm

ia64:
25b3c26a26f2ff5f7da7398c76cf1a62 gftp-2.0.14-4.ia64.rpm

ppc:
e8bd14e811c5f61980523908488f517f gftp-2.0.14-4.ppc.rpm

s390:
0c41a94c255a367ca689550da2fc3f61 gftp-2.0.14-4.s390.rpm

s390x:
8d5cd4377701caf95823a616cdaccb01 gftp-2.0.14-4.s390x.rpm

x86_64:
4f4d275023718ad3999cd454f55ab3ca gftp-2.0.14-4.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/gftp-2.0.14-4.src.rpm
b1f1c96f874c88ca7876bd4b89ea84d8 gftp-2.0.14-4.src.rpm

i386:
d70901a39c11289a7062f74bbddbbf47 gftp-2.0.14-4.i386.rpm

x86_64:
4f4d275023718ad3999cd454f55ab3ca gftp-2.0.14-4.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/gftp-2.0.14-4.src.rpm
b1f1c96f874c88ca7876bd4b89ea84d8 gftp-2.0.14-4.src.rpm

i386:
d70901a39c11289a7062f74bbddbbf47 gftp-2.0.14-4.i386.rpm

ia64:
25b3c26a26f2ff5f7da7398c76cf1a62 gftp-2.0.14-4.ia64.rpm

x86_64:
4f4d275023718ad3999cd454f55ab3ca gftp-2.0.14-4.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/gftp-2.0.14-4.src.rpm
b1f1c96f874c88ca7876bd4b89ea84d8 gftp-2.0.14-4.src.rpm

i386:
d70901a39c11289a7062f74bbddbbf47 gftp-2.0.14-4.i386.rpm

ia64:
25b3c26a26f2ff5f7da7398c76cf1a62 gftp-2.0.14-4.ia64.rpm

x86_64:
4f4d275023718ad3999cd454f55ab3ca gftp-2.0.14-4.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/gftp-2.0.17-5.src.rpm
33d5e9f32fd24288b45d621e02daa0f5 gftp-2.0.17-5.src.rpm

i386:
9e9c8b22418ac80d805a43e0d6530fc6 gftp-2.0.17-5.i386.rpm

ia64:
60fbcc6fd5db5d4b468c680d89b52cf3 gftp-2.0.17-5.ia64.rpm

ppc:
f406c09280eac463ce88e5126bb06715 gftp-2.0.17-5.ppc.rpm

s390:
2c7593bcd854a18c2ee08c15c59c8459 gftp-2.0.17-5.s390.rpm

s390x:
d8956d0266bad37b28a7cba9a1ef636f gftp-2.0.17-5.s390x.rpm

x86_64:
4718135258fd4a5334f6de3516972ae6 gftp-2.0.17-5.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/gftp-2.0.17-5.src.rpm
33d5e9f32fd24288b45d621e02daa0f5 gftp-2.0.17-5.src.rpm

i386:
9e9c8b22418ac80d805a43e0d6530fc6 gftp-2.0.17-5.i386.rpm

x86_64:
4718135258fd4a5334f6de3516972ae6 gftp-2.0.17-5.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/gftp-2.0.17-5.src.rpm
33d5e9f32fd24288b45d621e02daa0f5 gftp-2.0.17-5.src.rpm

i386:
9e9c8b22418ac80d805a43e0d6530fc6 gftp-2.0.17-5.i386.rpm

ia64:
60fbcc6fd5db5d4b468c680d89b52cf3 gftp-2.0.17-5.ia64.rpm

x86_64:
4718135258fd4a5334f6de3516972ae6 gftp-2.0.17-5.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/gftp-2.0.17-5.src.rpm
33d5e9f32fd24288b45d621e02daa0f5 gftp-2.0.17-5.src.rpm

i386:
9e9c8b22418ac80d805a43e0d6530fc6 gftp-2.0.17-5.i386.rpm

ia64:
60fbcc6fd5db5d4b468c680d89b52cf3 gftp-2.0.17-5.ia64.rpm

x86_64:
4718135258fd4a5334f6de3516972ae6 gftp-2.0.17-5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0372

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.