Date: Thu, 16 Nov 2006 22:44:34 +0100
From: OpenPKG <openpkg@openpkg.org.>
To: [email protected]Subject: [OpenPKG-SA-2006.035] OpenPKG Security Advisory (proftpd)
Message-ID: <OpenPKG-SA-2006.035@openpkg.org.>
Reply-To: [email protected]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Organization: The OpenPKG Project, http://www.openpkg.org/
User-Agent: Mutt/1.5.11 OpenPKG/2-STABLE
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory OpenPKG GmbH
http://openpkg.org/security/ http://openpkg.com
OpenPKG-SA-2006.035 2006-11-16
________________________________________________________________________
Package: proftpd
Vulnerability: denial of service
OpenPKG Specific: no
Affected Series: Affected Packages: Corrected Packages:
E1.0-SOLID <= proftpd-1.3.0-E1.0.0 >= proftpd-1.3.0-E1.0.1
2-STABLE-20061018 <= proftpd-1.3.0-2.20061024 >= proftpd-1.3.0-2.20061116
2-STABLE <= proftpd-1.3.0-2.20061024 >= proftpd-1.3.0-2.20061116
CURRENT <= proftpd-1.3.0-20061024 >= proftpd-1.3.0-20061116
Description:
As undisclosed by an exploit (vd_proftpd.pm) and a related vendor
bugfix [0], a Denial of Sevice (DoS) vulnerability exists in the FTP
server ProFTPD [1], up to and including version 1.3.0. The flaw is
due to both a potential bus error and a definitive buffer overflow
in the code which determines the FTP command buffer size limit.
The vulnerability can be exploited only if the "CommandBufferSize"
directive is explicitly used in the server configuration -- which
is not the case in OpenPKG's default configuration of ProFTPD. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CVE-2006-5815 [2] to the problem.
________________________________________________________________________
References:
[0] http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293
[1] http://www.proftpd.org/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org.>" (ID 63C4CB9F) which
you can retrieve from http://openpkg.org/openpkg.org.pgp. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org.>
iD8DBQFFXNuggHWT4GPEy58RAgfXAJ48hhiYbNouQfa0ohPsG/x/VN8/7wCffS2/
1LWaeW/51KsGO7CkNdvKLmI=
=IlcC
-----END PGP SIGNATURE-----
