Vulnerability Development: RE: proftp DoS in debian stable?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

RE: proftp DoS in debian stable?

From: "Simon Barr" <simon.barr () chelsing co uk>
Date: Tue, 5 Mar 2002 09:08:35 -0000

-----Original Message-----
From: Joe Dollard [mailto:joed () devel livenote com]
Sent: 28 February 2002 23:20
To: vuln-dev () securityfocus com
Subject: proftp DoS in debian stable?

My system is running debian stable with all patches installed (via apt-get
from security.debian.org).  My proftp daemon (as installed from the debian
deb's - 1.2.0pre10-2.0) still seems vulnerable to the glob DoS attack, as
discovered on the 15th March 2001. i.e. typing
`ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*` results
in 100% of the CPU and memory resources are consumed.
 (more info at http://proftpd.linux.co.uk/critbugs.html).  No fix or work
around seems in place in the debian stable deb's.

Can anyone confirm the same behaviour on their system?


I can confirm this on a Debian potato box I have here.  This box is also
up to date via apt-get as of this morning.

Simon Barr
Systems Engineer

Chelsing Assemblies Ltd
Tel: 01992 554-566
Fax: 01992 553-644
E-mail: simon.barr () chelsing co uk

By Date By Thread

Current thread:

proftp DoS in debian stable? Joe Dollard (Mar 04)
- RE: proftp DoS in debian stable? Simon Barr (Mar 05)
  - Re: proftp DoS in debian stable? Teodor Cimpoesu (Mar 05)
    - RE: proftp DoS in debian stable? Simon Barr (Mar 06)
- Re: proftp DoS in debian stable? Felipe Franciosi (Mar 05)
- Re: proftp DoS in debian stable? Johannes Segitz (Mar 05)