===========================================================
Ubuntu Security Notice USN-1098-1            March 29, 2011
vsftpd vulnerability
CVE-2011-0762
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  vsftpd                          2.0.4-0ubuntu4.1

Ubuntu 8.04 LTS:
  vsftpd                          2.0.6-1ubuntu1.2

Ubuntu 9.10:
  vsftpd                          2.2.0-1ubuntu2.1

Ubuntu 10.04 LTS:
  vsftpd                          2.2.2-3ubuntu6.1

Ubuntu 10.10:
  vsftpd                          2.3.0~pre2-4ubuntu2.2

In general, a standard system update will make all the necessary
changes.

Details follow:

It was discovered that vsftpd incorrectly handled certain glob
expressions. A remote authenticated user could use a crafted glob
expression to cause vsftpd to consume all resources, leading to a
denial of service.