OpenPKG Security Advisory OpenPKG-SA-2006.035 - As undisclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix, a Denial of Service (DoS) vulnerability exists in the FTP server ProFTPD, up to and including version 1.3.0. The flaw is due to both a potential bus error and a definitive buffer overflow in the code which determines the FTP command buffer size limit. The vulnerability can be exploited only if the "CommandBufferSize" directive is explicitly used in the server configuration -- which is not the case in OpenPKG's default configuration of ProFTPD.
9ed99273cbfc967a730fd8f826eceea026990c33c2599e4d71b7ba9c01a9b0fd-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory OpenPKG GmbH
http://openpkg.org/security/ http://openpkg.com
OpenPKG-SA-2006.035 2006-11-16
________________________________________________________________________
Package: proftpd
Vulnerability: denial of service
OpenPKG Specific: no
Affected Series: Affected Packages: Corrected Packages:
E1.0-SOLID <= proftpd-1.3.0-E1.0.0 >= proftpd-1.3.0-E1.0.1
2-STABLE-20061018 <= proftpd-1.3.0-2.20061024 >= proftpd-1.3.0-2.20061116
2-STABLE <= proftpd-1.3.0-2.20061024 >= proftpd-1.3.0-2.20061116
CURRENT <= proftpd-1.3.0-20061024 >= proftpd-1.3.0-20061116
Description:
As undisclosed by an exploit (vd_proftpd.pm) and a related vendor
bugfix [0], a Denial of Sevice (DoS) vulnerability exists in the FTP
server ProFTPD [1], up to and including version 1.3.0. The flaw is
due to both a potential bus error and a definitive buffer overflow
in the code which determines the FTP command buffer size limit.
The vulnerability can be exploited only if the "CommandBufferSize"
directive is explicitly used in the server configuration -- which
is not the case in OpenPKG's default configuration of ProFTPD. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CVE-2006-5815 [2] to the problem.
________________________________________________________________________
References:
[0] http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293
[1] http://www.proftpd.org/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>
iD8DBQFFXNuggHWT4GPEy58RAgfXAJ48hhiYbNouQfa0ohPsG/x/VN8/7wCffS2/
1LWaeW/51KsGO7CkNdvKLmI=
=IlcC
-----END PGP SIGNATURE-----
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed