CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247): ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h
http://securitytracker.com/alerts/2008/Sep/1020945.html
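The mechanism behind the CVE description above is a command reader whose fixed-size buffer fills before the end of a long line: the first chunk is treated as one complete command and the remainder of the same line surfaces as the next command. The following C program is an added example written for this bug entry; it is not code from ftpd, the netkit patch or the OpenBSD commits linked above. It models a naive fgets()-style reader beside a hardened one that rejects an over-long line and discards the rest of it instead of splitting it (which is how I understand the upstream fix, an assumption here). BUFSZ, MAX_CMDS, the function names and the sample session are all constructed for the example; BUFSZ is deliberately tiny so a short input triggers the split.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model of the CVE-2008-4247 line-handling flaw, not ftpd code.
 * BUFSZ is deliberately tiny so a short constructed input overflows it;
 * all names below are assumptions made for this example. */
#define BUFSZ    16
#define MAX_CMDS 8

/* Constructed sample session: the CWD line is longer than BUFSZ-1 bytes. */
static const char SAMPLE[] =
    "USER anon\r\n"
    "CWD /pub/incoming/2008\r\n"
    "QUIT\r\n";

/* fgets()-style reader over a string: copies at most size-1 bytes into buf,
 * stopping after a newline. Returns 0 once the input is exhausted. */
static int read_chunk(const char **cursor, char *buf, size_t size)
{
    size_t n = 0;
    if (**cursor == '\0')
        return 0;
    while (n < size - 1 && **cursor != '\0') {
        char c = *(*cursor)++;
        buf[n++] = c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return 1;
}

/* Remove a trailing CR/LF pair (FTP lines end in \r\n). */
static void strip_crlf(char *s)
{
    size_t len = strlen(s);
    while (len > 0 && (s[len - 1] == '\n' || s[len - 1] == '\r'))
        s[--len] = '\0';
}

/* Vulnerable pattern: every chunk the reader hands back is treated as a
 * complete command, so an over-long line becomes two or more commands and
 * the tail of the line is executed on its own. Returns the command count. */
int naive_parse(const char *input, char cmds[][BUFSZ], int max_cmds)
{
    const char *cur = input;
    int n = 0;
    while (n < max_cmds && read_chunk(&cur, cmds[n], BUFSZ)) {
        strip_crlf(cmds[n]);
        n++;
    }
    return n;
}

/* Hardened pattern: a chunk that does not end in '\n' means the buffer
 * filled before the line did. Reject the command, drain the rest of the
 * line so it cannot be re-parsed as further commands, and count the
 * rejection so the server can log or reply to it. Returns the count of
 * commands actually accepted. */
int strict_parse(const char *input, char cmds[][BUFSZ], int max_cmds,
                 int *rejected)
{
    const char *cur = input;
    char buf[BUFSZ];
    int n = 0;
    *rejected = 0;
    while (n < max_cmds && read_chunk(&cur, buf, sizeof buf)) {
        size_t len = strlen(buf);
        if (len == 0 || buf[len - 1] != '\n') {
            while (*cur != '\0' && *cur++ != '\n')
                ;                   /* discard remainder of the long line */
            (*rejected)++;
            continue;
        }
        strip_crlf(buf);
        strcpy(cmds[n++], buf);     /* fits: buf is at most BUFSZ-1 chars */
    }
    return n;
}

int main(void)
{
    char cmds[MAX_CMDS][BUFSZ];
    int i, n, rejected;

    n = naive_parse(SAMPLE, cmds, MAX_CMDS);
    printf("naive parser executed %d commands:\n", n);
    for (i = 0; i < n; i++)
        printf("  [%s]\n", cmds[i]);

    n = strict_parse(SAMPLE, cmds, MAX_CMDS, &rejected);
    printf("strict parser executed %d commands, rejected %d over-long line(s):\n",
           n, rejected);
    for (i = 0; i < n; i++)
        printf("  [%s]\n", cmds[i]);
    return 0;
}
```

With the sample session the naive parser reports four commands, the middle two being the two halves of the single CWD line, while the strict parser accepts only USER and QUIT and counts one rejected line. The check that matters is the one on the trailing newline: a read that returns a full buffer without one is an incomplete line, never a complete command.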
Created attachment 169490: netkit-ftpd-0.17-CVE-2008-4247.patch (CVS commits backported to netkit)
added with netkit-ftpd-0.17-r8
Arches, please test and mark stable: =net-ftp/netkit-ftpd-0.17-r8
Target keywords: "alpha amd64 arm ia64 ppc s390 sh sparc x86"
amd64/x86 stable
alpha/ia64/sparc stable
ppc stable
Ready for vote, I vote YES.
I vote NO on this issue, exploit scenarios are unlikely.
voting NO too, and closing.