vsftpd 2.3.4 is out, please bump. At the time of writing, the current version is 2.3.2-r1, which features an excessive CPU consumption bug caused by unlimited (but not infinite) recursion in the pattern matching routine; see $URL for more info
On tree. @Security feel free to call arches at any time. Seems like a simple bugfix release
(In reply to comment #1)
> On tree. @Security feel free to call arches at any time. Seems like a simple
> bugfix release

Great, thank you. Arches, please test and mark stable:
=net-ftp/vsftpd-2.3.4
Target keywords : "alpha amd64 arm ia64 ppc ppc64 s390 sh sparc x86"
Looks good to go here on x86.
As proxy maintainer I guess I should mention that a version bump (and changing epatch paths) works for me as well (tried amd64,x86).
amd64 done
x86 done. Thanks Andreas.
ppc done
ppc64 stable
alpha/arm/ia64/s390/sh/sparc stable
Thanks, folks. GLSA Vote: yes.
CVE-2011-0762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0762): The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.
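The CVE text above describes a backtracking glob matcher that can be driven into combinatorial work by a crafted pattern. The following is an added example written for this page, not vsftpd's ls.c and not the 2.3.3 fix itself: a minimal `*`/`?` matcher in its unbounded form beside the same algorithm with a per-request iteration budget, plus a constructed hostile pattern/name pair that makes the unbounded version take close to a million recursive calls. The budget value `MATCH_ITERS_MAX`, the `MATCH_LIMIT` result state and the `filename_passes_filter` wrapper are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result of the bounded matcher: a third state lets the caller tell
 * "no match" apart from "gave up because the budget ran out". */
enum match_result { MATCH_NO = 0, MATCH_YES = 1, MATCH_LIMIT = 2 };

/* Per-request budget of matcher invocations.  The value is an assumption
 * for this example, chosen small enough that a hostile pattern is cut off
 * long before it costs noticeable CPU. */
#define MATCH_ITERS_MAX 1000u

/* Constructed hostile input: each "*a" forces the matcher to retry the rest
 * of the pattern at every later position, and the trailing "*b" guarantees
 * that every one of those retries ultimately fails. */
#define HOSTILE_PAT  "*a*a*a*a*a*a*b"
#define HOSTILE_NAME "aaaaa" "aaaaa" "aaaaa" "aaaaa" "aaaaa"   /* 25 x 'a' */

static unsigned long g_calls;   /* instrumentation for the unbounded matcher */

/* Unbounded backtracking glob: '*' matches any run, '?' exactly one char.
 * Runs of '*' are collapsed, so the blow-up needs a literal between stars;
 * the call count then grows roughly like a sum of C(len(name)+1, k). */
static bool glob_match_unbounded(const char *pat, const char *name)
{
    g_calls++;
    while (*pat != '\0') {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (*pat == '\0') return true;        /* trailing '*' eats the rest */
            for (const char *p = name; ; p++) {   /* try every split point */
                if (glob_match_unbounded(pat, p)) return true;
                if (*p == '\0') return false;
            }
        }
        if (*name == '\0') return false;
        if (*pat != '?' && *pat != *name) return false;
        pat++; name++;
    }
    return *name == '\0';
}

/* Same algorithm with a shared iteration counter; once the budget is spent
 * MATCH_LIMIT propagates straight up through every pending '*' loop. */
static enum match_result glob_match_bounded(const char *pat, const char *name,
                                            unsigned *iters)
{
    if (++*iters > MATCH_ITERS_MAX) return MATCH_LIMIT;
    while (*pat != '\0') {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (*pat == '\0') return MATCH_YES;
            for (const char *p = name; ; p++) {
                enum match_result r = glob_match_bounded(pat, p, iters);
                if (r != MATCH_NO) return r;      /* YES or LIMIT: stop searching */
                if (*p == '\0') return MATCH_NO;
            }
        }
        if (*name == '\0') return MATCH_NO;
        if (*pat != '?' && *pat != *name) return MATCH_NO;
        pat++; name++;
    }
    return *name == '\0' ? MATCH_YES : MATCH_NO;
}

/* Run the unbounded matcher and report how many calls it took. */
static unsigned long count_unbounded_calls(const char *pat, const char *name)
{
    g_calls = 0;
    (void)glob_match_unbounded(pat, name);
    return g_calls;
}

/* Hypothetical listing filter: a name passes only on a definite match.
 * Exhausting the budget counts as "does not pass" (fail closed), so a
 * hostile client gets an empty listing instead of a busy server process. */
static bool filename_passes_filter(const char *name, const char *pat)
{
    unsigned iters = 0;
    return glob_match_bounded(pat, name, &iters) == MATCH_YES;
}

int main(void)
{
    printf("'*.txt' vs 'notes.txt': %d\n", filename_passes_filter("notes.txt", "*.txt"));
    printf("unbounded calls for hostile input: %lu\n",
           count_unbounded_calls(HOSTILE_PAT, HOSTILE_NAME));
    unsigned iters = 0;
    enum match_result r = glob_match_bounded(HOSTILE_PAT, HOSTILE_NAME, &iters);
    printf("bounded result: %s after %u calls\n",
           r == MATCH_LIMIT ? "LIMIT" : r == MATCH_YES ? "YES" : "NO", iters);
    return 0;
}
```

The budget is per matcher invocation, which addresses the CPU half of the advisory; the "process slot exhaustion" half comes from one such request per FTP session across many sessions, so a per-session or per-source connection limit is the complementary control on the server side. Treating the limit as "no match" rather than "match" is deliberate: a crafted pattern must not be able to widen a listing it could not legitimately produce.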
Vote: YES. New GLSA request filed.
This issue was resolved and addressed in GLSA 201110-07 at http://security.gentoo.org/glsa/glsa-201110-07.xml by GLSA coordinator Tobias Heinlein (keytoaster).