Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200407-04 ] Pure-FTPd: Potential DoS when maximum connections is reached
Date: Sun, 04 Jul 2004 19:46:39
Message-Id: 40E85E56.4020205@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200407-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Pure-FTPd: Potential DoS when maximum connections is
            reached
      Date: July 04, 2004
      Bugs: #54590
        ID: 200407-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Pure-FTPd contains a bug potentially allowing a Denial of Service
attack when the maximum number of connections is reached.

Background
==========

Pure-FTPd is a fast, production-quality and standards-compliant FTP
server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                Unaffected
    -------------------------------------------------------------------
  1  net-ftp/pure-ftpd        <= 1.0.18                   >= 1.0.18-r1

Description
===========

Pure-FTPd contains a bug in the accept_client function handling the
setup of new connections.

Impact
======

When the maximum number of connections is reached an attacker could
exploit this vulnerability to perform a Denial of Service attack.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All Pure-FTPd users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=net-ftp/pure-ftpd-1.0.18-r1"
    # emerge ">=net-ftp/pure-ftpd-1.0.18-r1"

References
==========

  [ 1 ] Pure-FTPd website
        http://www.pureftpd.org

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200407-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA6F5WvcL1obalX08RAvu6AJ9YGZ55W44TfnJ04d6SW/zynBLAUwCfRXkx
fq1wAuhM5oqWwrCtSc25hNk=
=Pzab
-----END PGP SIGNATURE-----