Vulnerability Development: proftp DoS in debian stable?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

proftp DoS in debian stable?

From: "Joe Dollard" <joed () devel livenote com>
Date: Fri, 1 Mar 2002 10:19:51 +1100

My system is running debian stable with all patches installed (via apt-get
from security.debian.org).  My proftp daemon (as installed from the debian
deb's - 1.2.0pre10-2.0) still seems vulnerable to the glob DoS attack, as
discovered on the 15th March 2001. i.e. typing
`ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*` results
in 100% of the CPU and memory resources are consumed.
 (more info at http://proftpd.linux.co.uk/critbugs.html).  No fix or work
around seems in place in the debian stable deb's.

Can anyone confirm the same behaviour on their system?

I contacted security () debian org about this on the 12th February, a
discussion was entered but no resolution occurred.  Contacted
security () debian org again on the 21st of February and haven't received a
response.

Regards,
Joe Dollard

By Date By Thread

Current thread:

proftp DoS in debian stable? Joe Dollard (Mar 04)
- RE: proftp DoS in debian stable? Simon Barr (Mar 05)
  - Re: proftp DoS in debian stable? Teodor Cimpoesu (Mar 05)
    - RE: proftp DoS in debian stable? Simon Barr (Mar 06)
- Re: proftp DoS in debian stable? Felipe Franciosi (Mar 05)
- Re: proftp DoS in debian stable? Johannes Segitz (Mar 05)