pure-ftpd: CVE-2019-20176

Related Vulnerabilities: CVE-2019-20176  

Debian Bug report logs - #947869
pure-ftpd: CVE-2019-20176


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 1 Jan 2020 08:15:02 UTC

Severity: important

Tags: security, upstream

Found in versions pure-ftpd/1.0.47-3, pure-ftpd/1.0.49-1, pure-ftpd/1.0.36-3.2, pure-ftpd/1.0.43-3

Fixed in version pure-ftpd/1.0.49-2

Done: Stefan Hornburg (Racke) <racke@linuxia.de>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#947869; Package src:pure-ftpd. (Wed, 01 Jan 2020 08:15:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>. (Wed, 01 Jan 2020 08:15:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pure-ftpd: CVE-2019-20176
Date: Wed, 01 Jan 2020 09:12:48 +0100
Source: pure-ftpd
Version: 1.0.49-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for pure-ftpd.

CVE-2019-20176[0]:
| In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
| listdir function in ls.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20176
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20176
[1] https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions pure-ftpd/1.0.47-3. Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de> to control@bugs.debian.org. (Wed, 01 Jan 2020 15:33:02 GMT).


Marked as found in versions pure-ftpd/1.0.43-3. Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de> to control@bugs.debian.org. (Wed, 01 Jan 2020 15:33:02 GMT).


Marked as found in versions pure-ftpd/1.0.36-3.2. Request was from "Stefan Hornburg (Racke)" <racke@linuxia.de> to control@bugs.debian.org. (Wed, 01 Jan 2020 15:33:03 GMT).


Reply sent to Stefan Hornburg (Racke) <racke@linuxia.de>:
You have taken responsibility. (Wed, 01 Jan 2020 16:09:07 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 01 Jan 2020 16:09:07 GMT).


Message #16 received at 947869-close@bugs.debian.org:

From: Stefan Hornburg (Racke) <racke@linuxia.de>
To: 947869-close@bugs.debian.org
Subject: Bug#947869: fixed in pure-ftpd 1.0.49-2
Date: Wed, 01 Jan 2020 16:05:04 +0000
Source: pure-ftpd
Source-Version: 1.0.49-2

We believe that the bug you reported is fixed in the latest version of
pure-ftpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947869@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <racke@linuxia.de> (supplier of updated pure-ftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 01 Jan 2020 16:21:21 +0100
Source: pure-ftpd
Architecture: source
Version: 1.0.49-2
Distribution: unstable
Urgency: medium
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Changed-By: Stefan Hornburg (Racke) <racke@linuxia.de>
Closes: 947869
Changes:
 pure-ftpd (1.0.49-2) unstable; urgency=medium
 .
   *  Fix stack exhaustion issue: CVE-2019-20176 (Closes: #947869)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 2 07:38:41 2020; Machine Name: beach
