Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities
Hi,
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> _______________________________________________________________________
>
> Mandriva Linux Security Advisory MDKSA-2006:217
> http://www.mandriva.com/security/
> _______________________________________________________________________
>
> Package : proftpd
> Date : November 20, 2006
> Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
> _______________________________________________________________________
>
> Problem Description:
>
> As disclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix,
> a Denial of Service (DoS) vulnerability exists in the FTP server
> ProFTPD, up to and including version 1.3.0. The flaw is due to both a
> potential bus error and a definitive buffer overflow in the code which
> determines the FTP command buffer size limit. The vulnerability can be
> exploited only if the "CommandBufferSize" directive is explicitly used
> in the server configuration, which is not the case in the default
> configuration of ProFTPD.
Just a little note - I am not sure where it came from, but the vd_proftpd.pm exploit
is not related to the "CommandBufferSize" bug.
Regards,
-evgeny