Debian Bug report logs -
#622741
vsftpd: upgrade stable to fix remote DoS (CVE-2011-0762)
Reported by: Dario Vieli <dario@wuala.com>
Date: Thu, 14 Apr 2011 10:42:08 UTC
Severity: important
Tags: security
Found in version vsftpd/2.3.2-3
Fixed in versions 2.3.4-1, vsftpd/2.3.2-3+squeeze2, vsftpd/2.0.7-1+lenny1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#622741; Package vsftpd.
(Thu, 14 Apr 2011 10:42:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Dario Vieli <dario@wuala.com>:
New Bug report received and forwarded. Copy sent to Daniel Baumann <daniel@lists.debian-maintainers.org>.
(Thu, 14 Apr 2011 10:42:16 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: vsftpd
Version: 2.3.2-3
Severity: important
>From http://securityreason.com/securityalert/8109:
Topic :
vsftpd 2.3.2 remote denial-of-service
SecurityAlert : 8109
Arrow CVE : CVE-2011-0762
Arrow SecurityRisk : Medium Security Risk Medium (About)
Arrow Remote Exploit : Yes
fix: ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.3.4/Changelog
-- System Information:
Debian Release: wheezy/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Added tag(s) security.
Request was from Mike O'Connor <stew@debian.org>
to control@bugs.debian.org.
(Thu, 16 Jun 2011 15:09:02 GMT) (full text, mbox, link).
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Thu, 08 Sep 2011 19:09:15 GMT) (full text, mbox, link).
Notification sent
to Dario Vieli <dario@wuala.com>:
Bug acknowledged by developer.
(Thu, 08 Sep 2011 19:09:15 GMT) (full text, mbox, link).
Message #12 received at 622741-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 2.3.4-1
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Wed, 21 Sep 2011 19:57:07 GMT) (full text, mbox, link).
Notification sent
to Dario Vieli <dario@wuala.com>:
Bug acknowledged by developer.
(Wed, 21 Sep 2011 19:57:08 GMT) (full text, mbox, link).
Message #17 received at 622741-close@bugs.debian.org (full text, mbox, reply):
Source: vsftpd
Source-Version: 2.3.2-3+squeeze2
We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:
vsftpd_2.3.2-3+squeeze2.diff.gz
to main/v/vsftpd/vsftpd_2.3.2-3+squeeze2.diff.gz
vsftpd_2.3.2-3+squeeze2.dsc
to main/v/vsftpd/vsftpd_2.3.2-3+squeeze2.dsc
vsftpd_2.3.2-3+squeeze2_amd64.deb
to main/v/vsftpd/vsftpd_2.3.2-3+squeeze2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 622741@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vsftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 07 Sep 2011 20:39:59 +0000
Source: vsftpd
Binary: vsftpd
Architecture: source amd64
Version: 2.3.2-3+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Daniel Baumann <daniel@lists.debian-maintainers.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
vsftpd - lightweight, efficient FTP server written for security
Closes: 622741
Changes:
vsftpd (2.3.2-3+squeeze2) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Disable network isolation due to a problem with cleaning up network
namespaces fast enough in kernels < 2.6.35 (CVE-2011-2189).
Thanks Ben Hutchings for the patch!
* Fix possible DoS via globa expressions in STAT commands by
limiting the matching loop (CVE-2011-0762; Closes: #622741).
Checksums-Sha1:
7234c9761cbc32be34ce79278dddb7138538db9b 1328 vsftpd_2.3.2-3+squeeze2.dsc
d525974514ecf61cbbf9cb51066aa68d5a52033b 187229 vsftpd_2.3.2.orig.tar.gz
9a9a24aca0c4bf7863d0ae4bd95d1337bfb30b9d 25312 vsftpd_2.3.2-3+squeeze2.diff.gz
f732447cd5ffe8a0e3c2bc1687f455448b51ca53 148166 vsftpd_2.3.2-3+squeeze2_amd64.deb
Checksums-Sha256:
83b3537ae8c5e4137fd2636b8282d0f5e0b9cd17848e09435b3a103aa930d654 1328 vsftpd_2.3.2-3+squeeze2.dsc
a4e04836d8e271f361030e6a679ad001046c3e37f59e9fee5114189f9e065336 187229 vsftpd_2.3.2.orig.tar.gz
21c48a68b73926bfa28925db8472d811da77032f115b8961c195481387316586 25312 vsftpd_2.3.2-3+squeeze2.diff.gz
e839fc8cd741b76572f90b7c363932daef6fb6bc26fefad497046328b912ba30 148166 vsftpd_2.3.2-3+squeeze2_amd64.deb
Files:
080129573f1482cb2530cbd4e0f78175 1328 net extra vsftpd_2.3.2-3+squeeze2.dsc
bad7b117d737a738738836041edc00db 187229 net extra vsftpd_2.3.2.orig.tar.gz
3a9eee70c852d49d91102220ce258071 25312 net extra vsftpd_2.3.2-3+squeeze2.diff.gz
f0e8e5fc8471b574e9bc7a6927db691b 148166 net extra vsftpd_2.3.2-3+squeeze2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk52fU0ACgkQHYflSXNkfP9xagCgpJMl8AiwDetNf+TKOPYElRNM
ZHEAoIB4QO8aqpOdUTjnaJplWKwlgtai
=UkSH
-----END PGP SIGNATURE-----
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Wed, 05 Oct 2011 01:57:04 GMT) (full text, mbox, link).
Notification sent
to Dario Vieli <dario@wuala.com>:
Bug acknowledged by developer.
(Wed, 05 Oct 2011 01:57:04 GMT) (full text, mbox, link).
Message #22 received at 622741-close@bugs.debian.org (full text, mbox, reply):
Source: vsftpd
Source-Version: 2.0.7-1+lenny1
We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:
vsftpd_2.0.7-1+lenny1.diff.gz
to main/v/vsftpd/vsftpd_2.0.7-1+lenny1.diff.gz
vsftpd_2.0.7-1+lenny1.dsc
to main/v/vsftpd/vsftpd_2.0.7-1+lenny1.dsc
vsftpd_2.0.7-1+lenny1_amd64.deb
to main/v/vsftpd/vsftpd_2.0.7-1+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 622741@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vsftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 08 Sep 2011 19:15:16 +0000
Source: vsftpd
Binary: vsftpd
Architecture: source amd64
Version: 2.0.7-1+lenny1
Distribution: oldstable-security
Urgency: high
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
vsftpd - The Very Secure FTP Daemon
Closes: 622741
Changes:
vsftpd (2.0.7-1+lenny1) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix possible DoS via globa expressions in STAT commands by
limiting the matching loop (CVE-2011-0762; Closes: #622741).
Checksums-Sha1:
7f63450f643efc289afcd7b525673239c01ab1ad 1197 vsftpd_2.0.7-1+lenny1.dsc
760afe849d1ebe10592ef29032b6e00e7f1bbf79 162801 vsftpd_2.0.7.orig.tar.gz
228c9e3ba291bca1ec3cb3870c97dbd38b245479 10474 vsftpd_2.0.7-1+lenny1.diff.gz
e230491f1a9941caf5dd6bb19274be12c3b0a148 126780 vsftpd_2.0.7-1+lenny1_amd64.deb
Checksums-Sha256:
9bfebb2a05033c11bdc226757daf18978e4f5815691d7b5197347ca09ef1a3b5 1197 vsftpd_2.0.7-1+lenny1.dsc
5d86a6d627f2d8e35dbdefdbd445f6016d349955107b247076bbcc36cde1046b 162801 vsftpd_2.0.7.orig.tar.gz
087dcaa43c3e9f7e69b81e4fa5f0fe5034030cfeb0eed201d9e7c402631fb1b2 10474 vsftpd_2.0.7-1+lenny1.diff.gz
2262c759a9fa39afd01a6726e82fae323f71dfa69964fc47f1c1ac2b61a5e206 126780 vsftpd_2.0.7-1+lenny1_amd64.deb
Files:
7c6a797b0d94707b273a009320b575a5 1197 net extra vsftpd_2.0.7-1+lenny1.dsc
3e39cb7b0bee306ad7df8e3552e15297 162801 net extra vsftpd_2.0.7.orig.tar.gz
7bbc86393f17d08fd288434546e384da 10474 net extra vsftpd_2.0.7-1+lenny1.diff.gz
371ba0da1356678ab56b498082abd35d 126780 net extra vsftpd_2.0.7-1+lenny1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk5pFSYACgkQHYflSXNkfP/kngCcCeduoXOutkTQ5JpiJRQ0vmdl
sKsAn3OrI8yfh4pkomvhyhwXrSolQvrJ
=smu+
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 02 Nov 2011 07:36:41 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:56:01 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon