as shown in the following two emails to the pure-ftpd mailing list (list@pureftpd.org), there is a denial of service attack possible against pureftpd. http://scriptkitchen.com/pureftpd/pure-ml1.txt http://scriptkitchen.com/pureftpd/pure-ml2.txt (Sorry, I don't know of any mailing list archives that have this, these are from my server) Fix: upgrade to 1.0.19. I'd submit a patch, but there were quite a few changes between the two versions, and I'm not sure which one(s) is(are) applicable. I don't think this happens in inetd mode (not confirmed), but since gentoo's pure-ftpd uses daemon mode, it applies here. Not sure if this is the entire thing, but assuming based on what the ChangeLog says, this is a patch that should encompass the change (for backporting purposes, etc) http://scriptkitchen.com/pureftpd/pure-ftpd-glsa.patch I applied it against my pure-ftpd 1.0.18 source with patch -p1, and it built properly and was functional. Reproducible: Always Steps to Reproduce:
err... duh. Sorry, I switched gears mid-post and decided to submit a patch, but didn't change the "I'd submit a patch" part. my bad :)
raker, I could not get this one to bump local with the USE=ldap flag or apply the patch. Not sure if others are having (will have) that problem or not.
No response from maintainer within the initial 48 hrs, so I'm adding what I have to portage as is. (pure-ftpd-1.0.18-r1.ebuild) KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64" QA problems with ldap flag can be handled by another team.
Compiled fine on alpha with USE=ldap. Marked stable.
Stable on sparc cause we're cool like that :)
Missing x86, ppc, hppa, ia64 stable on 1.0.18-r1. Removing amd64 as their stable is not needed on this one.
marked x86/hppa stable
all set on ia64
Stable on ppc.
GLSA 200407-04