Message-ID: <1301422417.2689.102.camel@mdlinux>
Date: Tue, 29 Mar 2011 14:13:37 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-1098-1] vsftpd vulnerability
===========================================================
Ubuntu Security Notice USN-1098-1 March 29, 2011
vsftpd vulnerability
CVE-2011-0762
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  vsftpd                          2.0.4-0ubuntu4.1

Ubuntu 8.04 LTS:
  vsftpd                          2.0.6-1ubuntu1.2

Ubuntu 9.10:
  vsftpd                          2.2.0-1ubuntu2.1

Ubuntu 10.04 LTS:
  vsftpd                          2.2.2-3ubuntu6.1

Ubuntu 10.10:
  vsftpd                          2.3.0~pre2-4ubuntu2.2

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that vsftpd incorrectly handled certain glob expressions.
A remote authenticated user could use a crafted glob expression to cause
vsftpd to consume all resources, leading to a denial of service.