Full Disclosure mailing list archives
Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities
From: research () gleg net
Date: Tue, 21 Nov 2006 17:50:09 +0300
Hi,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2006:217
http://www.mandriva.com/security/
_______________________________________________________________________

Package : proftpd
Date    : November 20, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

As disclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix, a Denial of Service (DoS) vulnerability exists in the FTP server ProFTPD, up to and including version 1.3.0. The flaw is due to both a potential bus error and a definitive buffer overflow in the code which determines the FTP command buffer size limit.

The vulnerability can be exploited only if the "CommandBufferSize" directive is explicitly used in the server configuration, which is not the case in the default configuration of ProFTPD.
Just a little note - I am not sure where it came from, but the vd_proftpd.pm exploit is not related to the "CommandBufferSize" bug.

Regards,
-evgeny

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
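The quoted advisory states two conditions for exposure: a ProFTPD version up to and including 1.3.0, and a "CommandBufferSize" directive explicitly present in the server configuration (it is absent from the default configuration). The script below is an added example, not part of the advisory, the mailing-list post or the ProFTPD project, that audits a proftpd.conf text for exactly that second condition and combines it with the version check. It assumes the standard proftpd.conf syntax (one directive per line, directive names matched case-insensitively, `#` introducing a comment, directives permitted inside `<Global>` and `<VirtualHost>` blocks). It does not follow `Include` files, and it compares only the numeric major.minor.patch, so a distribution package that carries a backported fix under the same upstream version string (as the updated Mandriva packages do) must be judged by the vendor advisory, not by this check. The sample configurations are constructed.

```python
"""Audit a ProFTPD configuration for the exposure condition named in MDKSA-2006:217.

Added example, not from the advisory or the ProFTPD project. Assumes standard
proftpd.conf syntax; sample configurations below are constructed, not real.
"""
import re

# "up to and including version 1.3.0", per the advisory
AFFECTED_MAX = (1, 3, 0)

# Directive names are case-insensitive in proftpd.conf; require whitespace
# after the name so e.g. a hypothetical "CommandBufferSizeFoo" is not matched.
DIRECTIVE_RE = re.compile(r'^\s*CommandBufferSize\s+(\S+)', re.IGNORECASE)


def command_buffer_size_directives(conf_text):
    """Return [(line_no, value)] for every active CommandBufferSize directive.

    Anything after '#' is treated as a comment, so a commented-out directive
    does not count as "explicitly used".
    """
    found = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split('#', 1)[0]
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((n, m.group(1)))
    return found


def parse_version(s):
    """'1.3.0rc5' -> (1, 3, 0).

    Only the numeric major.minor.patch is compared (assumption: pre-release and
    patch-letter suffixes are not distinguished; vendor backports are not visible
    in the version string at all).
    """
    m = re.match(r'(\d+)\.(\d+)\.(\d+)', s)
    if not m:
        raise ValueError("unrecognised version: %r" % s)
    return tuple(int(x) for x in m.groups())


def assess(version, conf_text):
    """Combine both advisory conditions: affected version AND directive explicitly set."""
    vulnerable_version = parse_version(version) <= AFFECTED_MAX
    directives = command_buffer_size_directives(conf_text)
    return {
        "vulnerable_version": vulnerable_version,
        "directive_set": bool(directives),
        "directives": directives,
        "exposed": vulnerable_version and bool(directives),
    }


# Constructed sample configurations (not taken from any real deployment).
DEFAULT_CONF = """\
ServerName "ProFTPD Default Installation"
ServerType standalone
# CommandBufferSize 512
<VirtualHost 10.0.0.1>
  ServerName "vhost"
</VirtualHost>
"""

TUNED_CONF = """\
ServerName "tuned"
<Global>
  commandbuffersize 4096   # lower-case name, trailing comment
</Global>
"""

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("tuned", TUNED_CONF)):
        for ver in ("1.3.0", "1.3.1"):
            r = assess(ver, conf)
            print(label, ver, "exposed" if r["exposed"] else "not exposed", r["directives"])
```

Run it against a real configuration with `assess(open('/etc/proftpd.conf').read() ...)` after substituting the version reported by `proftpd -v`; a non-empty `directives` list on an affected version is the case the advisory describes, while a commented-out directive (as in the default sample) correctly yields no hit.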