SecurityvulnsSECURITYVULNS:DOC:15124[OpenPKG-SA-2006.035] OpenPKG Security Advisory (proftpd)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenPKG Security Advisory OpenPKG GmbH
http://openpkg.org/security/ http://openpkg.com
OpenPKG-SA-2006.035 2006-11-16
Package: proftpd
Vulnerability: denial of service
OpenPKG Specific: no
Affected Series: Affected Packages: Corrected Packages:
E1.0-SOLID <= proftpd-1.3.0-E1.0.0 >= proftpd-1.3.0-E1.0.1
2-STABLE-20061018 <= proftpd-1.3.0-2.20061024 >= proftpd-1.3.0-2.20061116
2-STABLE <= proftpd-1.3.0-2.20061024 >= proftpd-1.3.0-2.20061116
CURRENT <= proftpd-1.3.0-20061024 >= proftpd-1.3.0-20061116
Description:
As undisclosed by an exploit (vd_proftpd.pm) and a related vendor
bugfix [0], a Denial of Sevice (DoS) vulnerability exists in the FTP
server ProFTPD [1], up to and including version 1.3.0. The flaw is
due to both a potential bus error and a definitive buffer overflow
in the code which determines the FTP command buffer size limit.
The vulnerability can be exploited only if the "CommandBufferSize"
directive is explicitly used in the server configuration – which
is not the case in OpenPKG's default configuration of ProFTPD. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CVE-2006-5815 [2] to the problem.
References:
[0] http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293
[1] http://www.proftpd.org/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[email protected]>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[email protected]>
iD8DBQFFXNuggHWT4GPEy58RAgfXAJ48hhiYbNouQfa0ohPsG/x/VN8/7wCffS2/
1LWaeW/51KsGO7CkNdvKLmI=
=IlcC
-----END PGP SIGNATURE-----
Related
