- ---------------------------------------------------------------------                   Red Hat Security Advisory

Synopsis:          Moderate: gftp security update
Advisory ID:       RHSA-2005:410-01
Advisory URL:      https://access.redhat.com/errata/RHSA-2005:410.html
Issue date:        2005-06-13
Updated on:        2005-06-13
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-0372
- ---------------------------------------------------------------------1. Summary:

An updated gFTP package that fixes a directory traversal issue is now
available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

gFTP is a multi-threaded FTP client for the X Window System.

A directory traversal bug was found in gFTP. If a user can be tricked into
downloading a file from a malicious ftp server, it is possible to overwrite
arbitrary files owned by the victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0372 to
this issue.

Users of gftp should upgrade to this updated package, which contains a
backported fix for this issue.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

149109 - CAN-2005-0372 directory traversal issue in gftp


6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
9ad04edd854e04b291b8ad13cdbb1329  gftp-2.0.8-5.src.rpm

i386:
43668a3d9304b5bd3e1c10089e0d1aad  gftp-2.0.8-5.i386.rpm

ia64:
f6d35d6320d0c829994dfbfd2059acd8  gftp-2.0.8-5.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
9ad04edd854e04b291b8ad13cdbb1329  gftp-2.0.8-5.src.rpm

ia64:
f6d35d6320d0c829994dfbfd2059acd8  gftp-2.0.8-5.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
9ad04edd854e04b291b8ad13cdbb1329  gftp-2.0.8-5.src.rpm

i386:
43668a3d9304b5bd3e1c10089e0d1aad  gftp-2.0.8-5.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
9ad04edd854e04b291b8ad13cdbb1329  gftp-2.0.8-5.src.rpm

i386:
43668a3d9304b5bd3e1c10089e0d1aad  gftp-2.0.8-5.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
b1f1c96f874c88ca7876bd4b89ea84d8  gftp-2.0.14-4.src.rpm

i386:
d70901a39c11289a7062f74bbddbbf47  gftp-2.0.14-4.i386.rpm

ia64:
25b3c26a26f2ff5f7da7398c76cf1a62  gftp-2.0.14-4.ia64.rpm

ppc:
e8bd14e811c5f61980523908488f517f  gftp-2.0.14-4.ppc.rpm

s390:
0c41a94c255a367ca689550da2fc3f61  gftp-2.0.14-4.s390.rpm

s390x:
8d5cd4377701caf95823a616cdaccb01  gftp-2.0.14-4.s390x.rpm

x86_64:
4f4d275023718ad3999cd454f55ab3ca  gftp-2.0.14-4.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
b1f1c96f874c88ca7876bd4b89ea84d8  gftp-2.0.14-4.src.rpm

i386:
d70901a39c11289a7062f74bbddbbf47  gftp-2.0.14-4.i386.rpm

x86_64:
4f4d275023718ad3999cd454f55ab3ca  gftp-2.0.14-4.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
b1f1c96f874c88ca7876bd4b89ea84d8  gftp-2.0.14-4.src.rpm

i386:
d70901a39c11289a7062f74bbddbbf47  gftp-2.0.14-4.i386.rpm

ia64:
25b3c26a26f2ff5f7da7398c76cf1a62  gftp-2.0.14-4.ia64.rpm

x86_64:
4f4d275023718ad3999cd454f55ab3ca  gftp-2.0.14-4.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
b1f1c96f874c88ca7876bd4b89ea84d8  gftp-2.0.14-4.src.rpm

i386:
d70901a39c11289a7062f74bbddbbf47  gftp-2.0.14-4.i386.rpm

ia64:
25b3c26a26f2ff5f7da7398c76cf1a62  gftp-2.0.14-4.ia64.rpm

x86_64:
4f4d275023718ad3999cd454f55ab3ca  gftp-2.0.14-4.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
33d5e9f32fd24288b45d621e02daa0f5  gftp-2.0.17-5.src.rpm

i386:
9e9c8b22418ac80d805a43e0d6530fc6  gftp-2.0.17-5.i386.rpm

ia64:
60fbcc6fd5db5d4b468c680d89b52cf3  gftp-2.0.17-5.ia64.rpm

ppc:
f406c09280eac463ce88e5126bb06715  gftp-2.0.17-5.ppc.rpm

s390:
2c7593bcd854a18c2ee08c15c59c8459  gftp-2.0.17-5.s390.rpm

s390x:
d8956d0266bad37b28a7cba9a1ef636f  gftp-2.0.17-5.s390x.rpm

x86_64:
4718135258fd4a5334f6de3516972ae6  gftp-2.0.17-5.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
33d5e9f32fd24288b45d621e02daa0f5  gftp-2.0.17-5.src.rpm

i386:
9e9c8b22418ac80d805a43e0d6530fc6  gftp-2.0.17-5.i386.rpm

x86_64:
4718135258fd4a5334f6de3516972ae6  gftp-2.0.17-5.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
33d5e9f32fd24288b45d621e02daa0f5  gftp-2.0.17-5.src.rpm

i386:
9e9c8b22418ac80d805a43e0d6530fc6  gftp-2.0.17-5.i386.rpm

ia64:
60fbcc6fd5db5d4b468c680d89b52cf3  gftp-2.0.17-5.ia64.rpm

x86_64:
4718135258fd4a5334f6de3516972ae6  gftp-2.0.17-5.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
33d5e9f32fd24288b45d621e02daa0f5  gftp-2.0.17-5.src.rpm

i386:
9e9c8b22418ac80d805a43e0d6530fc6  gftp-2.0.17-5.i386.rpm

ia64:
60fbcc6fd5db5d4b468c680d89b52cf3  gftp-2.0.17-5.ia64.rpm

x86_64:
4718135258fd4a5334f6de3516972ae6  gftp-2.0.17-5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0372

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

RedHat: Moderate: gftp security update

An updated gFTP package that fixes a directory traversal issue is now available. This update has been rated as having moderate security impact by the Red Hat Security Response T...

Summary

gFTP is a multi-threaded FTP client for the X Window System. A directory traversal bug was found in gFTP. If a user can be tricked into downloading a file from a malicious ftp server, it is possible to overwrite arbitrary files owned by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0372 to this issue. Users of gftp should upgrade to this updated package, which contains a backported fix for this issue.

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/):
149109 - CAN-2005-0372 directory traversal issue in gftp

6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS: 9ad04edd854e04b291b8ad13cdbb1329 gftp-2.0.8-5.src.rpm
i386: 43668a3d9304b5bd3e1c10089e0d1aad gftp-2.0.8-5.i386.rpm
ia64: f6d35d6320d0c829994dfbfd2059acd8 gftp-2.0.8-5.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS: 9ad04edd854e04b291b8ad13cdbb1329 gftp-2.0.8-5.src.rpm
ia64: f6d35d6320d0c829994dfbfd2059acd8 gftp-2.0.8-5.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS: 9ad04edd854e04b291b8ad13cdbb1329 gftp-2.0.8-5.src.rpm
i386: 43668a3d9304b5bd3e1c10089e0d1aad gftp-2.0.8-5.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS: 9ad04edd854e04b291b8ad13cdbb1329 gftp-2.0.8-5.src.rpm
i386: 43668a3d9304b5bd3e1c10089e0d1aad gftp-2.0.8-5.i386.rpm
Red Hat Enterprise Linux AS version 3:
SRPMS: b1f1c96f874c88ca7876bd4b89ea84d8 gftp-2.0.14-4.src.rpm
i386: d70901a39c11289a7062f74bbddbbf47 gftp-2.0.14-4.i386.rpm
ia64: 25b3c26a26f2ff5f7da7398c76cf1a62 gftp-2.0.14-4.ia64.rpm
ppc: e8bd14e811c5f61980523908488f517f gftp-2.0.14-4.ppc.rpm
s390: 0c41a94c255a367ca689550da2fc3f61 gftp-2.0.14-4.s390.rpm
s390x: 8d5cd4377701caf95823a616cdaccb01 gftp-2.0.14-4.s390x.rpm
x86_64: 4f4d275023718ad3999cd454f55ab3ca gftp-2.0.14-4.x86_64.rpm
Red Hat Desktop version 3:
SRPMS: b1f1c96f874c88ca7876bd4b89ea84d8 gftp-2.0.14-4.src.rpm
i386: d70901a39c11289a7062f74bbddbbf47 gftp-2.0.14-4.i386.rpm
x86_64: 4f4d275023718ad3999cd454f55ab3ca gftp-2.0.14-4.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS: b1f1c96f874c88ca7876bd4b89ea84d8 gftp-2.0.14-4.src.rpm
i386: d70901a39c11289a7062f74bbddbbf47 gftp-2.0.14-4.i386.rpm
ia64: 25b3c26a26f2ff5f7da7398c76cf1a62 gftp-2.0.14-4.ia64.rpm
x86_64: 4f4d275023718ad3999cd454f55ab3ca gftp-2.0.14-4.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS: b1f1c96f874c88ca7876bd4b89ea84d8 gftp-2.0.14-4.src.rpm
i386: d70901a39c11289a7062f74bbddbbf47 gftp-2.0.14-4.i386.rpm
ia64: 25b3c26a26f2ff5f7da7398c76cf1a62 gftp-2.0.14-4.ia64.rpm
x86_64: 4f4d275023718ad3999cd454f55ab3ca gftp-2.0.14-4.x86_64.rpm
Red Hat Enterprise Linux AS version 4:
SRPMS: 33d5e9f32fd24288b45d621e02daa0f5 gftp-2.0.17-5.src.rpm
i386: 9e9c8b22418ac80d805a43e0d6530fc6 gftp-2.0.17-5.i386.rpm
ia64: 60fbcc6fd5db5d4b468c680d89b52cf3 gftp-2.0.17-5.ia64.rpm
ppc: f406c09280eac463ce88e5126bb06715 gftp-2.0.17-5.ppc.rpm
s390: 2c7593bcd854a18c2ee08c15c59c8459 gftp-2.0.17-5.s390.rpm
s390x: d8956d0266bad37b28a7cba9a1ef636f gftp-2.0.17-5.s390x.rpm
x86_64: 4718135258fd4a5334f6de3516972ae6 gftp-2.0.17-5.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS: 33d5e9f32fd24288b45d621e02daa0f5 gftp-2.0.17-5.src.rpm
i386: 9e9c8b22418ac80d805a43e0d6530fc6 gftp-2.0.17-5.i386.rpm
x86_64: 4718135258fd4a5334f6de3516972ae6 gftp-2.0.17-5.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS: 33d5e9f32fd24288b45d621e02daa0f5 gftp-2.0.17-5.src.rpm
i386: 9e9c8b22418ac80d805a43e0d6530fc6 gftp-2.0.17-5.i386.rpm
ia64: 60fbcc6fd5db5d4b468c680d89b52cf3 gftp-2.0.17-5.ia64.rpm
x86_64: 4718135258fd4a5334f6de3516972ae6 gftp-2.0.17-5.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS: 33d5e9f32fd24288b45d621e02daa0f5 gftp-2.0.17-5.src.rpm
i386: 9e9c8b22418ac80d805a43e0d6530fc6 gftp-2.0.17-5.i386.rpm
ia64: 60fbcc6fd5db5d4b468c680d89b52cf3 gftp-2.0.17-5.ia64.rpm
x86_64: 4718135258fd4a5334f6de3516972ae6 gftp-2.0.17-5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0372

Package List

Severity

Advisory ID: RHSA-2005:410-01

Advisory URL: https://access.redhat.com/errata/RHSA-2005:410.html

Issued Date: : 2005-06-13

Updated on: 2005-06-13

Product: Red Hat Enterprise Linux

CVE Names: CAN-2005-0372 An updated gFTP package that fixes a directory traversal issue is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.