Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities



;-(

> -----Original Message-----
> From: research@xxxxxxxx [mailto:research@xxxxxxxx]
> Sent: Tuesday, November 21, 2006 5:50 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities
> 
> Hi,
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >  _______________________________________________________________________
> >
> >  Mandriva Linux Security Advisory                         MDKSA-2006:217
> >  http://www.mandriva.com/security/
> >  _______________________________________________________________________
> >
> >  Package : proftpd
> >  Date    : November 20, 2006
> >  Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
> >  _______________________________________________________________________
> >
> >  Problem Description:
> >
> >  As disclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix,
> >  a Denial of Service (DoS) vulnerability exists in the FTP server
> >  ProFTPD, up to and including version 1.3.0.  The flaw is due to both a
> >  potential bus error and a definitive buffer overflow in the code which
> >  determines the FTP command buffer size limit. The vulnerability can be
> >  exploited only if the "CommandBufferSize" directive is explicitly used
> >  in the server configuration, which is not the case in the default
> >  configuration of ProFTPD.
> 
> Just a little note - I am not sure where it came from, but the vd_proftpd.pm
> exploit is not related to the "CommandBufferSize" bug.
> 
> Regards,
> -evgeny
> 
> 
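
A defender-side audit for the two conditions the advisory states, as an added example that is not part of the original message, of the Mandriva advisory, or of ProFTPD itself: the installed ProFTPD version is 1.3.0 or older, and the "CommandBufferSize" directive is explicitly present in the server configuration (the default configuration does not set it). The proftpd.conf below is a constructed sample; the function names, the stack-based tracking of <VirtualHost> style blocks, the assumption that ProFTPD directive names are matched case-insensitively, and the assumption that a trailing version suffix such as "rc3" can be ignored for the comparison are mine. A directive that appears only behind a "#" comment is deliberately not counted, because it would not be active on the server.

```python
import re
from typing import List, Tuple

# From MDKSA-2006:217: ProFTPD up to and including 1.3.0 is affected, and only
# when "CommandBufferSize" is explicitly used in the server configuration.
AFFECTED_MAX_VERSION = (1, 3, 0)
DIRECTIVE = "commandbuffersize"   # assumption: directive names compared case-insensitively

# Constructed sample proftpd.conf (not from any real host). It mixes a
# commented-out directive, which must be ignored, with a live one inside a
# <VirtualHost> block, which must be reported with its enclosing block.
SAMPLE_CONF = """\
ServerName "ftp.example.test"
#CommandBufferSize 512
<VirtualHost 10.0.0.5>
    ServerName "vhost"
    commandbuffersize 1024
</VirtualHost>
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the leading dotted-numeric part of a version string as a tuple
    so that versions compare element-wise ("1.2.10" < "1.3.0").
    Assumption: any suffix after the numbers (e.g. "rc3") is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def find_command_buffer_size(conf_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, enclosing_block, value) for every live
    CommandBufferSize directive. Full-line and trailing "#" comments are
    dropped first; <Block ...> / </Block> pairs are tracked with a stack so
    the report says where the directive is scoped."""
    hits: List[Tuple[int, str, str]] = []
    block_stack: List[str] = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # assumption: "#" never appears inside a value
        if not line:
            continue                           # blank or comment-only line
        if line.startswith("</"):
            if block_stack:
                block_stack.pop()              # leaving a block
            continue
        if line.startswith("<"):
            block_stack.append(line.strip("<>").strip())   # entering a block
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == DIRECTIVE:
            value = parts[1].strip() if len(parts) > 1 else ""
            context = block_stack[-1] if block_stack else "server config"
            hits.append((lineno, context, value))
    return hits


def is_affected(version: str, conf_text: str) -> bool:
    """True only when both advisory conditions hold: version <= 1.3.0 and the
    directive is explicitly present somewhere in the configuration."""
    vulnerable_version = parse_version(version) <= AFFECTED_MAX_VERSION
    directive_present = bool(find_command_buffer_size(conf_text))
    return vulnerable_version and directive_present


if __name__ == "__main__":
    for lineno, ctx, val in find_command_buffer_size(SAMPLE_CONF):
        print(f"line {lineno} ({ctx}): CommandBufferSize {val}")
    print("affected with 1.3.0:", is_affected("1.3.0", SAMPLE_CONF))
    print("affected with 1.3.1:", is_affected("1.3.1", SAMPLE_CONF))
```

Run it against a real configuration with `find_command_buffer_size(open("/etc/proftpd.conf").read())` and the version string reported by the installed package; a non-empty result on an unpatched 1.3.0 or older build is the condition the advisory describes, and removing the directive (returning to the default) or applying the vendor update clears it.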



 




Copyright © Lexa Software, 1996-2009.