OpenPKG Security Advisory
OpenPKG-SA-2006.035
Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/
Advisory Id (public): OpenPKG-SA-2006.035
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2006.035
Advisory Published: 2008-08-07 22:01 UTC
Issue Id (internal): OpenPKG-SI-20061116.01
Issue First Created: 2006-11-16
Issue Last Modified: 2006-12-15
Issue Revision: 09
Subject Name: ProFTPD
Subject Summary: Professional FTP Daemon
Subject Home: http://www.proftpd.org/
Subject Versions: * <= 1.3.0a
Vulnerability Id: CVE-2006-6171, CVE-2006-5815, CVE-2006-6170
Vulnerability Scope: global (not OpenPKG specific)
Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: denial of service, arbitrary code execution (mod_tls issue)
Description:
Three security issues were fixed in the FTP server ProFTPD [0]:
First, a Denial of Service (DoS) vulnerability exists in ProFTPD, up to
and including version 1.3.0. The flaw is due to both a potential bus
error and a definitive buffer overflow in the code which determines
the FTP command buffer size limit. The vulnerability can be exploited
only if the "CommandBufferSize" directive is explicitly used in the
server configuration -- which is not the case in OpenPKG's default
configuration of ProFTPD.
Second, a stack-based buffer overflow in the "sreplace" function of
ProFTPD 1.3.0 and earlier allows remote attackers to cause a Denial
of Service, as demonstrated by "vd_proftpd.pm", a "ProFTPD remote
exploit".
Third, a buffer overflow in the "tls_x509_name_oneline" function in
the SSL/TLS module "mod_tls", as used in ProFTPD 1.3.0a and earlier,
and possibly other products, allows remote attackers to execute
arbitrary code via a large data length argument.
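The two configuration preconditions mentioned above (an explicit "CommandBufferSize" directive for the first issue, and mod_tls being in use for the third) can be checked against an installed proftpd.conf. The script below is an added example written for this advisory; it is not code from OpenPKG or the ProFTPD project. It assumes that the mod_tls overflow is only reachable when TLS is switched on via "TLSEngine on", and the two sample configurations it writes are constructed for demonstration, not taken from any real deployment.

```shell
# Added example, not code from the OpenPKG advisory or the ProFTPD project.
# Exposure checks for the issues described above, run against a proftpd.conf:
#   - CommandBufferSize set explicitly (precondition for CVE-2006-6170)
#   - mod_tls enabled via "TLSEngine on" (assumption: the overflow in
#     tls_x509_name_oneline is only reachable when TLS is switched on)
# ProFTPD directive names are case-insensitive, and "#" starts a comment,
# so commented-out directives must not count and case must be ignored.

# directive_set CONF NAME VALUE_REGEX: succeed (exit 0) if an uncommented
# line in CONF sets directive NAME with a value matching VALUE_REGEX.
directive_set() {
    conf="$1"; name="$2"; value="$3"
    sed 's/#.*$//' "$conf" \
        | grep -Eiq "^[[:space:]]*${name}[[:space:]]+${value}([[:space:]]|$)"
}

uses_command_buffer_size() { directive_set "$1" CommandBufferSize '[0-9]+'; }
tls_enabled()              { directive_set "$1" TLSEngine on; }

# Constructed sample configurations (not real deployments), written to DIR.
write_samples() {
    dir="$1"
    cat > "$dir/exposed.conf" <<'EOF'
ServerName "ftp.example.test"
# CommandBufferSize 1024     <- commented out, must not count
<Global>
  commandbuffersize 512      # lower-case, still the same directive
</Global>
<IfModule mod_tls.c>
  TLSEngine on
</IfModule>
EOF
    cat > "$dir/default.conf" <<'EOF'
ServerName "ftp.example.test"
# CommandBufferSize 1024
TLSEngine off
EOF
}

# report CONF: print a one-line summary per finding; return 0 if CONF is
# exposed to either issue, 1 if neither precondition is present.
report() {
    conf="$1"; exposed=1
    if uses_command_buffer_size "$conf"; then
        echo "$conf: CommandBufferSize set explicitly (CVE-2006-6170 reachable)"
        exposed=0
    fi
    if tls_enabled "$conf"; then
        echo "$conf: TLSEngine on (mod_tls / CVE-2006-6171 reachable)"
        exposed=0
    fi
    [ $exposed -eq 0 ] || echo "$conf: neither precondition present"
    return $exposed
}

# Stand-alone run over the two constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
report "$tmp/exposed.conf" || true
report "$tmp/default.conf" || true
rm -rf "$tmp"
```

Point "report" at the real configuration file (on OpenPKG, under the prefix's etc/proftpd directory) to see whether the first or third issue is reachable before the corrected package is installed; the sreplace issue has no such configuration precondition and is only addressed by upgrading.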
References:
[0] http://www.proftpd.org/
Primary Package Name: proftpd
Primary Package Home: http://openpkg.org/go/package/proftpd
Affected Distribution   Affected Branch      Affected Package
OpenPKG Enterprise      E1.0-SOLID           proftpd-1.3.0-E1.0.0
OpenPKG Community       2-STABLE-20061018    proftpd-1.3.0-2.20061024
OpenPKG Community       CURRENT              proftpd-1.3.0-20061024

Corrected Distribution  Corrected Branch     Corrected Package
OpenPKG Enterprise      E1.0-SOLID           proftpd-1.3.0-E1.0.1
OpenPKG Community       2-STABLE-20061018    proftpd-1.3.0-2.20061116
OpenPKG Community       CURRENT              proftpd-1.3.0-20061116