lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1301422417.2689.102.camel@mdlinux>
Date: Tue, 29 Mar 2011 14:13:37 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-1098-1] vsftpd vulnerability

===========================================================
Ubuntu Security Notice USN-1098-1            March 29, 2011
vsftpd vulnerability
CVE-2011-0762
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  vsftpd                          2.0.4-0ubuntu4.1

Ubuntu 8.04 LTS:
  vsftpd                          2.0.6-1ubuntu1.2

Ubuntu 9.10:
  vsftpd                          2.2.0-1ubuntu2.1

Ubuntu 10.04 LTS:
  vsftpd                          2.2.2-3ubuntu6.1

Ubuntu 10.10:
  vsftpd                          2.3.0~pre2-4ubuntu2.2

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that vsftpd incorrectly handled certain glob expressions.
A remote authenticated user could use a crafted glob expression to cause
vftpd to consume all resources, leading to a denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.4-0ubuntu4.1.diff.gz
      Size/MD5:     9002 71b3cbf76635b427b4882c4c80aa3339
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.4-0ubuntu4.1.dsc
      Size/MD5:     1277 eb89a19684ca4c38ff9ff16278d79ade
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.4.orig.tar.gz
      Size/MD5:   154857 c0bf8c7b8e15ab15827172786fc56115

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.4-0ubuntu4.1_amd64.deb
      Size/MD5:   119970 068a70313805b914a4b1c0bfeba61fb6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.4-0ubuntu4.1_i386.deb
      Size/MD5:   110500 dfb2a6973a94b9891d468d653d8d7a99

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.4-0ubuntu4.1_powerpc.deb
      Size/MD5:   117490 02e03e478f3e03c3d86248039132ef9f

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.4-0ubuntu4.1_sparc.deb
      Size/MD5:   111108 f2630543cd6ba8b6bc3643be72d06e8c

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.6-1ubuntu1.2.diff.gz
      Size/MD5:    11180 d1ed48f225877212cb77e0b0faf61f5d
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.6-1ubuntu1.2.dsc
      Size/MD5:     1418 01ec1fb79564c14b946f43af13806e4d
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.6.orig.tar.gz
      Size/MD5:   158516 f7a742690d7f86e356fb66d3840079c7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.6-1ubuntu1.2_amd64.deb
      Size/MD5:   104834 40195c8e19f1d547407d402218e68c13

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.0.6-1ubuntu1.2_i386.deb
      Size/MD5:    97206 f3a925236ba7ac4fb80732281f7e06bb

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.0.6-1ubuntu1.2_lpia.deb
      Size/MD5:    97298 431ace81717f43a19c747ffbb8925e30

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.0.6-1ubuntu1.2_powerpc.deb
      Size/MD5:   105878 2903a8a4b2e395a4be84f24b88ee78a7

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.0.6-1ubuntu1.2_sparc.deb
      Size/MD5:    97652 ab5a49a21b1451ea6a2fbeef253d4e88

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.0-1ubuntu2.1.diff.gz
      Size/MD5:    21979 313708203c8a095a998ddaf8f835050b
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.0-1ubuntu2.1.dsc
      Size/MD5:     1953 d2e3c06692c03cfbc97c6d154ebd804c
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.0.orig.tar.gz
      Size/MD5:   184700 e4eb190af270ae65d57a84274a38ec31

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.0-1ubuntu2.1_amd64.deb
      Size/MD5:   144212 a6f6bacfa55446f4c7552da42816bda7

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.0-1ubuntu2.1_i386.deb
      Size/MD5:   137924 40d99dfde4d2ecbb52e4398a4fcf5f3e

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.2.0-1ubuntu2.1_armel.deb
      Size/MD5:   135058 9e22d8f4fb674b757c4c0cc1f67f5391

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.2.0-1ubuntu2.1_lpia.deb
      Size/MD5:   138408 ce579c05abec4d76e65d977fa6967eeb

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.2.0-1ubuntu2.1_powerpc.deb
      Size/MD5:   139100 fae9351b1ecd642bf5ae9c1663f171c6

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.2.0-1ubuntu2.1_sparc.deb
      Size/MD5:   135316 92915b3f9daac21d8fcfed46b0ec7bb7

Updated packages for Ubuntu 10.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.2-3ubuntu6.1.diff.gz
      Size/MD5:    24759 ab91412b742d3129a4bd2d87acac1a88
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.2-3ubuntu6.1.dsc
      Size/MD5:     1994 0c12dbb079cbb09ce7b80cee3c80f5ce
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.2.orig.tar.gz
      Size/MD5:   185562 6d6bc136af14c23f8fef6f1a51f55418

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.2-3ubuntu6.1_amd64.deb
      Size/MD5:   147882 268df4d7bba12afd02c98089d1e3d3ed

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.2.2-3ubuntu6.1_i386.deb
      Size/MD5:   140214 f7fee3386f51cfc74d9f1972026a6252

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.2.2-3ubuntu6.1_armel.deb
      Size/MD5:   136656 98c9ae3905bd8290657939e09153c055

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.2.2-3ubuntu6.1_powerpc.deb
      Size/MD5:   142378 705cf88f8dccda1261987aaee5953d92

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.2.2-3ubuntu6.1_sparc.deb
      Size/MD5:   139754 aec69b77168d0d4d5676eaff074f3672

Updated packages for Ubuntu 10.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.3.0~pre2-4ubuntu2.2.diff.gz
      Size/MD5:    27388 8d1e15962d04e68ba85b093f77516677
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.3.0~pre2-4ubuntu2.2.dsc
      Size/MD5:     2093 4b8d29d52fed0b5d79f7f0e2ffa30a9a
    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.3.0~pre2.orig.tar.gz
      Size/MD5:   186992 eb62ab1b8a5d2ff7ac13ef1611d76812

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.3.0~pre2-4ubuntu2.2_amd64.deb
      Size/MD5:   123208 19ac767ac528eef1a729d8552e130a1d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_2.3.0~pre2-4ubuntu2.2_i386.deb
      Size/MD5:   116584 b4eaa00eefc414d79fa57fe6e239d229

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.3.0~pre2-4ubuntu2.2_armel.deb
      Size/MD5:   114500 1d4f3be5a98fc14330ab3b9602153931

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/v/vsftpd/vsftpd_2.3.0~pre2-4ubuntu2.2_powerpc.deb
      Size/MD5:   117482 d1288d20949967d95c0ae6cf7c787683




Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ