
Security Advisory (MDKSA-2003:095-1): proftpd


aru


MandrakeSoft Security Advisory MDKSA-2003:095-1 : proftpd

 

December 31st, 2003

Updated proftpd packages fix remote root vulnerability

 

A vulnerability was discovered by X-Force Research at ISS in ProFTPD's handling of ASCII translation. An attacker, by downloading a carefully crafted file, can remotely exploit this bug to create a root shell.

 

The ProFTPD team encourages all users to upgrade to version 1.2.7 or higher. The problematic code first appeared in ProFTPD 1.2.7rc1, and the provided packages are all patched by the ProFTPD team to protect against this vulnerability.

 

Update:

 

The previous update had a bug where the new packages would terminate with a SIGNAL 11 when the command "NLST -alL" was performed in certain cases, such as if the size of the output of the command was greater than 1024 bytes.

 

These updated packages have a fix applied to prevent this crash.

 

 

The released versions of Mandrake GNU/Linux affected are:

  • 9.1
  • 9.2
  • 9.2/AMD64

Full information about this advisory, including the updated packages, is available at:

www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:095-1

 

Other references:

http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0831

http://xforce.iss.net/xforce/alerts/id/154

http://bugs.proftpd.org/show_bug.cgi?id=2194

 

Posted automatically by aru (mdksec2mub v0.0.7)
