[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] [ GLSA 200801-17 ] Netkit FTP Server: Denial
From: Jamie Haggett <JHaggett () compugen ! com>
Date: 2008-01-30 15:49:43
Message-ID: C3C5EAA7.1646B%JHaggett () compugen ! com
[Download RAW message or body]
Unsubscribe full-disclosure
On 29/01/08 4:09 PM, "Raphael Marichez" <falco@gentoo.org> wrote:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200801-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Netkit FTP Server: Denial of Service
Date: January 29, 2008
Bugs: #199206
ID: 200801-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Netkit FTP Server contains a Denial of Service vulnerability.
Background
==========
net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL
support.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-ftp/netkit-ftpd < 0.17-r7 >= 0.17-r7
Description
===========
Venustech AD-LAB discovered that an FTP client connected to a
vulnerable server with passive mode and SSL support can trigger an
fclose() function call on an uninitialized stream in ftpd.c.
Impact
======
A remote attacker can send specially crafted FTP data to a server with
passive mode and SSL support, causing the ftpd daemon to crash.
Workaround
==========
Disable passive mode or SSL.
Resolution
==========
All Netkit FTP Server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"
References
==========
[ 1 ] CVE-2007-6263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6263
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200801-17.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
[Attachment #3 (text/html)]
<HTML>
<HEAD>
<TITLE>Re: [Full-disclosure] [ GLSA 200801-17 ] Netkit FTP Server: Denial of Service</TITLE>
</HEAD>
<BODY>
<FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN \
STYLE='font-size:11pt'>Unsubscribe full-disclosure<BR> <BR>
<BR>
On 29/01/08 4:09 PM, "Raphael Marichez" <falco@gentoo.org> wrote:<BR>
<BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, \
Arial"><SPAN STYLE='font-size:11pt'>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \
- - - - - -<BR> Gentoo Linux Security Advisory \
GLSA \
200801-17<BR>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<BR>
\
<a \
href="http://security.gentoo.org/">http://security.gentoo.org/</a><BR>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<BR>
<BR>
Severity: Normal<BR>
Title: Netkit FTP Server: Denial of Service<BR>
Date: January 29, 2008<BR>
Bugs: #199206<BR>
ID: 200801-17<BR>
<BR>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<BR>
<BR>
Synopsis<BR>
========<BR>
<BR>
Netkit FTP Server contains a Denial of Service vulnerability.<BR>
<BR>
Background<BR>
==========<BR>
<BR>
net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL<BR>
support.<BR>
<BR>
Affected packages<BR>
=================<BR>
<BR>
-------------------------------------------------------------------<BR>
Package \
/ \
Vulnerable / \
Unaffected<BR>
-------------------------------------------------------------------<BR>
1 net-ftp/netkit-ftpd < 0.17-r7 \
>= \
0.17-r7<BR> <BR>
Description<BR>
===========<BR>
<BR>
Venustech AD-LAB discovered that an FTP client connected to a<BR>
vulnerable server with passive mode and SSL support can trigger an<BR>
fclose() function call on an uninitialized stream in ftpd.c.<BR>
<BR>
Impact<BR>
======<BR>
<BR>
A remote attacker can send specially crafted FTP data to a server with<BR>
passive mode and SSL support, causing the ftpd daemon to crash.<BR>
<BR>
Workaround<BR>
==========<BR>
<BR>
Disable passive mode or SSL.<BR>
<BR>
Resolution<BR>
==========<BR>
<BR>
All Netkit FTP Server users should upgrade to the latest version:<BR>
<BR>
# emerge --sync<BR>
# emerge --ask --oneshot --verbose \
">=net-ftp/netkit-ftpd-0.17-r7"<BR> <BR>
References<BR>
==========<BR>
<BR>
[ 1 ] CVE-2007-6263<BR>
<a \
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6263">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6263</a><BR>
<BR>
Availability<BR>
============<BR>
<BR>
This GLSA and any updates to it are available for viewing at<BR>
the Gentoo Security Website:<BR>
<BR>
<a href="http://security.gentoo.org/glsa/glsa-200801-17.xml">http://security.gentoo.org/glsa/glsa-200801-17.xml</a><BR>
<BR>
Concerns?<BR>
=========<BR>
<BR>
Security is a primary focus of Gentoo Linux and ensuring the<BR>
confidentiality and security of our users machines is of utmost<BR>
importance to us. Any security concerns should be addressed to<BR>
security@gentoo.org or alternatively, you may file a bug at<BR>
<a href="http://bugs.gentoo.org.">http://bugs.gentoo.org.</a><BR>
<BR>
License<BR>
=======<BR>
<BR>
Copyright 2008 Gentoo Foundation, Inc; referenced text<BR>
belongs to its owner(s).<BR>
<BR>
The contents of this document are licensed under the<BR>
Creative Commons - Attribution / Share Alike license.<BR>
<BR>
<a href="http://creativecommons.org/licenses/by-sa/2.5">http://creativecommons.org/licenses/by-sa/2.5</a><BR>
<BR>
</SPAN></FONT></FONT></BLOCKQUOTE>
</BODY>
</HTML>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============0755871933==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic