On Sat, Feb 08, 2014 at 11:06:33AM +0400, Sergei Golovan wrote:
> Hi Moritz,
>
> On Sat, Feb 8, 2014 at 10:01 AM, Sergei Golovan <sgolo...@nes.ru> wrote:
> > Hi Moritz!
> >
> > On Sat, Feb 8, 2014 at 2:52 AM, Moritz Muehlenhoff <j...@debian.org> wrote:
> >>
> >> Hi,
> >> please see http://seclists.org/oss-sec/2014/q1/163 for details.
> >>
> >> This doesn't warrant a DSA, but can be fixed in a point update.
> >
> > As far as I can see this bug is already reported upstream, but still
> > isn't fixed in GIT. I'll try to prepare a fix myself.
>
> Looking further, I'm not sure now if it's a security bug at all. It's
> a bug in a client, which accidentally may send several commands into
> the FTP control socket at once instead of one. I wonder why it got a CVE
> number?
The attack scenario is written down in the link above:

----
A web server allows users to navigate and download documents. Internally
the web server connects to a private ftp server using the OTP "ftp" module.
An attacker might take advantage of the vulnerability to execute actions
that aren't supposed to be exposed. E.g. delete a directory by requesting:

http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs
----

But I agree that it's fairly far-fetched. Hence my comment about not
warranting a DSA. Maybe we can simply queue it up in case there's a more
severe erlang issue affecting wheezy in the future.

Cheers,
Moritz

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
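As an added illustration of the mechanism quoted above (a constructed Python model, not OTP's ftp module and not code from this bug report): an FTP client that copies a caller-supplied path verbatim into a CRLF-terminated command line turns one API call into two server commands, and the argument check at the end is the kind of validation that prevents it. The `dir` value is the one from the advisory URL; the function names are assumptions.

```python
from urllib.parse import unquote_plus

# Constructed sample: the `dir` query parameter from the advisory URL, as a web
# application receives it after form decoding (%0d%0a -> CR LF, '+' -> space).
REQUEST_DIR = unquote_plus("/docs/%0d%0aRMD+/docs")

CRLF = "\r\n"


def naive_command_line(verb: str, arg: str) -> str:
    """Framing of an unchecked client: the argument is copied in verbatim and the
    line is terminated with CRLF, so an embedded CR/LF yields extra command lines."""
    return f"{verb} {arg}{CRLF}"


def server_side_commands(wire: str) -> list[str]:
    """What an FTP server parses from the control connection: one command per
    CRLF-terminated line. It cannot tell which client call produced each line."""
    return [line for line in wire.split(CRLF) if line]


def is_safe_ftp_argument(arg: str) -> bool:
    """An FTP command argument must not contain the line terminator characters."""
    return "\r" not in arg and "\n" not in arg


class FtpArgumentError(ValueError):
    """Raised instead of sending a command whose argument would be split."""


def checked_command_line(verb: str, arg: str) -> str:
    """Hardened framing: one API call produces exactly one server command,
    or no command at all."""
    if not is_safe_ftp_argument(arg):
        raise FtpArgumentError(f"CR/LF in {verb} argument: {arg!r}")
    return f"{verb} {arg}{CRLF}"


if __name__ == "__main__":
    seen = server_side_commands(naive_command_line("CWD", REQUEST_DIR))
    print("unchecked client, commands seen by server:", seen)
    try:
        checked_command_line("CWD", REQUEST_DIR)
    except FtpArgumentError as err:
        print("checked client refused:", err)
```

The same check belongs in the web application that builds the path, since the FTP server has no way to distinguish an injected command from a legitimate one.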