53116 – net-ftp/vsftpd: new version fixes a risk of DoS

Bug 53116 - net-ftp/vsftpd: new version fixes a risk of DoS

Summary: net-ftp/vsftpd: new version fixes a risk of DoS

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	ftp://vsftpd.beasts.org/users/cevans/...
Whiteboard:	C3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2004-06-06 00:45 UTC by Brice Arnould (un_brice)
Modified:	2011-10-30 22:38 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Flags:	condordes: Assigned_To? (condordes)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brice Arnould (un_brice) 2004-06-06 00:45:14 UTC

The author of vsftpd just released a new minor version which "fixes a listener
hang/crash which a few sites [those who don't use inetd] see under heavy
connect/disconnect load".

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2004-06-07 05:03:50 UTC

rajiv: this needs an ebuild bump to 1.2.2...

Comment 2 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-06-08 12:39:39 UTC

I'll work on a GLSA draft for this.

Comment 3 Priit Laes (IRC: plaes) 2004-06-11 12:42:47 UTC

Could we bump it without glsa? :P

Comment 4 Chris White (RETIRED) gentoo-dev

2004-06-15 01:07:56 UTC

It's been found by the CondorDes, jaervosz, and myself that a quick version bump is all that's required.  Waiting for solar to commit the new ebuild and all will be good.

Comment 5 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-06-15 01:13:17 UTC

Thanks to solar for bumping the ebuild.

Arches: Please test net-ftp/vsftpd-1.2.2 and mark stable.  Thanks.

Comment 6 Bryan Østergaard (RETIRED) gentoo-dev

2004-06-15 12:55:41 UTC

Stable on alpha.

Comment 7 Jason Wever (RETIRED) gentoo-dev

2004-06-15 16:35:35 UTC

Stable on sparc

Comment 8 Brandon Hale (RETIRED) gentoo-dev

2004-06-15 19:15:32 UTC

Stable on x86.

Comment 9 Thierry Carrez (RETIRED) gentoo-dev

2004-06-16 01:03:14 UTC

Security : time for a GLSA decision. I would vote for no GLSA on this one.

Comment 10 Thierry Carrez (RETIRED) gentoo-dev

2004-06-16 01:24:27 UTC

jaervosz also votes for no GLSA, this is hardly exploitable.
CondorDes, this one is yours... If you agree for no GLSA, please close.

Comment 11 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-06-16 01:29:34 UTC

Hmmm, it does seem fairly trivial.  Closing without GLSA.

Comment 12 Tom Gall (RETIRED) gentoo-dev

2004-07-13 20:00:10 UTC

stable on ppc64