oss-sec mailing list archives

Re: remote DoS via CPU exhaustion in anon FTP server glob expansion


From: Russ Cox <rsc () swtch com>
Date: Mon, 8 May 2017 09:10:12 -0400

On Mon, Apr 24, 2017 at 10:06 AM, Russ Cox <rsc () swtch com> wrote:
> Due to the widespread but limited ("only" CPU exhaustion) nature of
> the problem, I have not attempted any embargoed prenotification.
> I will forward this note directly to product-security () apple com and
> bugs () pureftpd org. I filled out the "DWF Open Source Request Form v2"
> for a CVE number for the generic problem, and I will reply here when
> I receive the number.

FYI, over the weekend I received notification (two weeks after applying)
that DWF has declined to issue a CVE number for this general problem.
Interested parties will have to obtain their own CVE numbers for specific
products.

Russ

