lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1164120609.456312215fefc@cp55.agava.net>
Date: Tue, 21 Nov 2006 17:50:09 +0300
From: research@...g.net
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities

Hi,

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>  _______________________________________________________________________
>
>  Mandriva Linux Security Advisory                         MDKSA-2006:217
>  http://www.mandriva.com/security/
>  _______________________________________________________________________
>
>  Package : proftpd
>  Date    : November 20, 2006
>  Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
>  _______________________________________________________________________
>
>  Problem Description:
>
>  As disclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix,
>  a Denial of Service (DoS) vulnerability exists in the FTP server
>  ProFTPD, up to and including version 1.3.0.  The flaw is due to both a
>  potential bus error and a definitive buffer overflow in the code which
>  determines the FTP command buffer size limit. The vulnerability can be
>  exploited only if the "CommandBufferSize" directive is explicitly used
>  in the server configuration, which is not the case in the default
>  configuration of ProFTPD.

Just a little note - I am not sure where it came from bug vd_proftpd.pm exploit
is not related to "CommandBufferSize" bug.

Regards,
-evgeny

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ