CVE-2019-19269: Null Pointer Dereference
First published: Tue Nov 26 2019(Updated: )
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Proftpd Proftpd | <=1.3.5e | |
| Proftpd Proftpd | =1.3.6 | |
| Proftpd Proftpd | =1.3.6-alpha | |
| Proftpd Proftpd | =1.3.6-beta | |
| Proftpd Proftpd | =1.3.6-rc1 | |
| Proftpd Proftpd | =1.3.6-rc2 | |
| Proftpd Proftpd | =1.3.6-rc3 | |
| Proftpd Proftpd | =1.3.6-rc4 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Debian Debian Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
- https://github.com/proftpd/proftpd/issues/861
- https://lists.debian.org/debian-lts-announce/2019/11/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGBBCPLJSDPFG5EI5P5G7P4KEX7YSD5G/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/
- https://security.gentoo.org/glsa/202003-35
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGBBCPLJSDPFG5EI5P5G7P4KEX7YSD5G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/
Frequently Asked Questions
What is CVE-2019-19269?
CVE-2019-19269 is a vulnerability discovered in tls_verify_crl in ProFTPD through 1.3.6b.
How severe is CVE-2019-19269?
CVE-2019-19269 has a severity rating of 4.9, which is considered medium.
Which software versions are affected by CVE-2019-19269?
CVE-2019-19269 affects ProFTPD versions 1.3.5e, 1.3.6, 1.3.6-alpha, 1.3.6-beta, 1.3.6-rc1, 1.3.6-rc2, 1.3.6-rc3.
How can I fix CVE-2019-19269?
To fix CVE-2019-19269, you should update ProFTPD to a version that is not affected by the vulnerability.
Where can I find more information about CVE-2019-19269?
You can find more information about CVE-2019-19269 in the references provided: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html, https://github.com/proftpd/proftpd/issues/861, https://lists.debian.org/debian-lts-announce/2019/11/msg00039.html
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/references
- agent/event
- agent/tags
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- vendor/proftpd
- canonical/proftpd proftpd
- version/proftpd proftpd/1.3.5e
- version/proftpd proftpd/1.3.6
- version/proftpd proftpd/1.3.6-alpha
- version/proftpd proftpd/1.3.6-beta
- version/proftpd proftpd/1.3.6-rc1
- version/proftpd proftpd/1.3.6-rc2
- version/proftpd proftpd/1.3.6-rc3
- version/proftpd proftpd/1.3.6-rc4
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0