Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities

[research () gleg net]

Hi,

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>  _______________________________________________________________________
>
>  Mandriva Linux Security Advisory                         MDKSA-2006:217
>  http://www.mandriva.com/security/
>  _______________________________________________________________________
>
>  Package : proftpd
>  Date    : November 20, 2006
>  Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
>  _______________________________________________________________________
>
>  Problem Description:
>
>  As disclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix,
>  a Denial of Service (DoS) vulnerability exists in the FTP server
>  ProFTPD, up to and including version 1.3.0.  The flaw is due to both a
>  potential bus error and a definitive buffer overflow in the code which
>  determines the FTP command buffer size limit. The vulnerability can be
>  exploited only if the "CommandBufferSize" directive is explicitly used
>  in the server configuration, which is not the case in the default
>  configuration of ProFTPD.

Just a little note - I am not sure where it came from bug vd_proftpd.pm exploit
is not related to "CommandBufferSize" bug.

Regards,
-evgeny

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/