vsftpd 2.3.4 is out, please bump
At the time of writing, the current version is 2.3.2-r1, which features an excessive CPU consumption bug caused by unlimited (but not infinite) recursion in the pattern matching routine; see $URL for more info.
On tree. @Security feel free to call arches at any time. Seems like a simple bugfix release
(In reply to comment #1)
> On tree. @Security feel free to call arches at any time. Seems like a simple
> bugfix release
Great, thank you.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm ia64 ppc ppc64 s390 sh sparc x86"
Looks good to go here on x86.
As proxy maintainer I guess I should mention that a version bump (and changing epatch paths) works for me as well (tried amd64, x86).
x86 done. Thanks Andreas.
GLSA Vote: yes.
The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3
allows remote authenticated users to cause a denial of service (CPU
consumption and process slot exhaustion) via crafted glob expressions in
STAT commands in multiple FTP sessions, a different vulnerability than
Vote: YES. New GLSA request filed.
This issue was resolved and addressed in
GLSA 201110-07 at http://security.gentoo.org/glsa/glsa-201110-07.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
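
Added example, not part of the original thread and not vsftpd's code: a minimal glob matcher in C showing how a step budget bounds the pattern-matching recursion that the report and the CVE text describe. The function names, the `MATCH_STEPS_MAX` value and the sample inputs in `main` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names and budget value, chosen for this example only. */
#define MATCH_STEPS_MAX 1000u
enum { GLOB_OVER_BUDGET = -1, GLOB_NOMATCH = 0, GLOB_MATCH = 1 };

/* Recursive matcher for '*' and '?'. Every call spends one unit of *steps,
 * so total work and recursion depth are both capped by MATCH_STEPS_MAX. */
static int match_rec(const char *name, const char *pat, unsigned int *steps)
{
    if (++*steps > MATCH_STEPS_MAX)
        return GLOB_OVER_BUDGET;
    if (*pat == '\0')
        return *name == '\0' ? GLOB_MATCH : GLOB_NOMATCH;
    if (*pat == '*') {
        /* '*' may consume 0..n characters; each choice is one recursion. */
        for (const char *p = name; ; p++) {
            int r = match_rec(p, pat + 1, steps);
            if (r != GLOB_NOMATCH)
                return r;              /* matched, or budget exhausted */
            if (*p == '\0')
                return GLOB_NOMATCH;
        }
    }
    if (*name != '\0' && (*pat == '?' || *pat == *name))
        return match_rec(name + 1, pat + 1, steps);
    return GLOB_NOMATCH;
}

/* Returns GLOB_MATCH, GLOB_NOMATCH or GLOB_OVER_BUDGET; reports steps spent. */
int glob_match_bounded(const char *name, const char *pat, unsigned int *used)
{
    unsigned int steps = 0;
    int r = match_rec(name, pat, &steps);
    if (used != NULL)
        *used = steps;
    return r;
}

/* Fail closed: a pattern that exhausts the budget filters the name out. */
int filename_passes_filter(const char *name, const char *pat)
{
    return glob_match_bounded(name, pat, NULL) == GLOB_MATCH;
}

int main(void)
{
    unsigned int used = 0;
    /* Constructed input: many '*' against a name that can never match. */
    int r = glob_match_bounded("aaaaaaaaaaaaaaaaaaaaaaaa", "*a*a*a*a*a*a*a*a*b", &used);
    printf("result=%d steps=%u\n", r, used);
    return r == GLOB_OVER_BUDGET ? 0 : 1;
}
```

Because each call counts against the budget, a name longer than the budget is also rejected; that is acceptable for directory entries, whose length the filesystem already limits.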