Debian Security Advisory
DSA-029-2 proftpd -- remote DOS & potential buffer overflow
- Date Reported: 11 Feb 2001
- Affected Packages: proftpd
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2001-0318, CVE-2001-0136.
- More information:
The following problems have been reported for the version of proftpd in Debian 2.2 (potato):
- There is a memory leak in the SIZE command which can result in a denial of service, as reported by Wojciech Purczynski. This is only a problem if proftpd cannot write to its scoreboard file; the default configuration of proftpd in Debian is not vulnerable.
- A similar memory leak affects the USER command, also reported by Wojciech Purczynski. The proftpd in Debian 2.2 is susceptible to this vulnerability in its default configuration. Because USER is sent before authentication, a remote attacker needs no valid account: repeating the command until the daemon has exhausted its available memory is enough to crash it.
- Several format string vulnerabilities were reported by Przemyslaw Frasunek (the "potential buffer overflow" of the title). No exploit for them is known, but bugs of this class can allow arbitrary code execution, so they have been corrected as a precaution.
All three of the above vulnerabilities have been corrected in proftpd-1.2.0pre10-2potato1. We recommend that you upgrade your proftpd package immediately.
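The two bug classes above, as an added illustration that is not proftpd's code: a minimal FTP-style command handler in C whose heap allocation is released only on the success path, so every request that hits the failing "scoreboard write" branch leaks a block and a client can grow the daemon until it dies, beside the corrected handler; and a reply builder that passes client text as the format string, beside the constant-format fix. All names (handle_size_leaky, scoreboard_ok, reply_safe, leaked_after, ...) are hypothetical, and the live-block counter stands in for a leak checker so the effect is observable without valgrind.

```c
/* Added illustration of the advisory's two bug classes; not proftpd's code.
 * All identifiers below are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of heap blocks currently allocated, so a leak shows up as a count. */
static long live_blocks = 0;

static char *track_alloc(size_t n) {
    char *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void track_free(char *p) {
    if (p) { live_blocks--; free(p); }
}

/* Stand-in for "can the daemon write its scoreboard file?" (1 = yes). */
static int scoreboard_ok = 1;

/* Vulnerable shape: the per-request buffer is freed only on the success path.
 * Returns 0 on success, -1 on the aborted path. */
int handle_size_leaky(const char *path, char *reply, size_t rsize) {
    char *copy = track_alloc(strlen(path) + 1);
    if (!copy) return -1;
    strcpy(copy, path);
    if (!scoreboard_ok) {
        snprintf(reply, rsize, "451 Requested action aborted");
        return -1;                      /* early return: 'copy' is never freed */
    }
    snprintf(reply, rsize, "213 %zu", strlen(copy));
    track_free(copy);
    return 0;
}

/* Hardened shape: one exit point, the buffer is released on every path. */
int handle_size_fixed(const char *path, char *reply, size_t rsize) {
    int rc = 0;
    char *copy = track_alloc(strlen(path) + 1);
    if (!copy) return -1;
    strcpy(copy, path);
    if (!scoreboard_ok) {
        snprintf(reply, rsize, "451 Requested action aborted");
        rc = -1;
    } else {
        snprintf(reply, rsize, "213 %zu", strlen(copy));
    }
    track_free(copy);
    return rc;
}

/* Format string bug: client-controlled text is used as the format, so "%x",
 * "%n" and friends are interpreted. Kept only to show the shape that was
 * patched; the pragmas stop gcc/clang from rejecting it under
 * -Werror=format-security. Never call it with untrusted input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void reply_unsafe(char *out, size_t n, const char *client_text) {
    snprintf(out, n, client_text);
}
#pragma GCC diagnostic pop

/* Fix: constant format string, client text passed as an argument. */
void reply_safe(char *out, size_t n, const char *client_text) {
    snprintf(out, n, "530 Login incorrect for %s", client_text);
}

/* Simulate a client repeating SIZE against a daemon that cannot write its
 * scoreboard; returns how many blocks are still live afterwards. */
long leaked_after(int (*handler)(const char *, char *, size_t), int requests) {
    char reply[64];
    scoreboard_ok = 0;
    live_blocks = 0;
    for (int i = 0; i < requests; i++)
        handler("/pub/some/file", reply, sizeof reply);
    scoreboard_ok = 1;
    return live_blocks;
}

int main(void) {
    char out[64];
    printf("leaky handler: %ld blocks live after 1000 requests\n",
           leaked_after(handle_size_leaky, 1000));
    printf("fixed handler: %ld blocks live after 1000 requests\n",
           leaked_after(handle_size_fixed, 1000));
    reply_safe(out, sizeof out, "%x%x%n");
    printf("%s\n", out);            /* conversion specs come out literally */
    return 0;
}
```

On a potato system, `dpkg -l proftpd` shows the installed version; anything older than 1.2.0pre10-2potato1 carries the unfixed code. Compiling with gcc's `-Wformat -Wformat-security` reports the reply_unsafe pattern at build time, which is the cheapest check for this class.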
- Fixed in:
-
DSA-032-1