package: pure-ftpd, pure-ftpd-mysql, pure-ftpd-postgresql
severity: serious
tag: security
From the author on the Pure-FTPd mailing list:

--snip--
A new "0-day" multiple-vendor vulnerability in the glob(3) function has been published.

A command like

    STAT {..,..,..}/*/{..,..,..}/*/{..,..,..}/*/

causes the function to eat plenty of CPU because of the recursion.

Pure-FTPd's built-in glob() function is based on OpenBSD glob(), and it is affected as well.

Pure-FTPd automatically kills a client process if glob() takes too long to return a result. But still, script kiddies could use this flaw in order to make the server crawl under load.
--snap--

This is fixed in the just-released version 1.0.32.

Regards
Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
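The report above describes a pattern whose brace alternatives multiply against several wildcard components, so the server spends its CPU on expansion. The code below is an added example, not Pure-FTPd's code and not the fix shipped in 1.0.32: it estimates that expansion cost from the pattern text alone, so a server could refuse a pattern before handing it to glob() at all. The budget value and the function names are assumptions for illustration.

```c
/* Added example (not Pure-FTPd code): bound a glob pattern's expansion cost
 * before calling glob(3). Cost = (upper bound on brace expansions) multiplied
 * by the number of path components containing a wildcard. Bracket classes
 * ("[...]") are treated as a plain wildcard and not parsed further. */
#include <limits.h>
#include <stdbool.h>
#include <string.h>

#define GLOB_MAX_BRACE_DEPTH 8   /* assumption: deeper nesting is rejected outright */

unsigned long glob_expansion_cost(const char *pat)
{
    unsigned long product = 1;          /* product of alternatives per brace group */
    unsigned long wild_components = 0;  /* path components holding '*', '?' or '[' */
    unsigned long alts[GLOB_MAX_BRACE_DEPTH];
    int depth = 0;
    bool seg_has_wild = false;

    for (const char *p = pat; *p; p++) {
        switch (*p) {
        case '\\':                      /* escaped character: skip it */
            if (p[1]) p++;
            break;
        case '{':
            if (depth == GLOB_MAX_BRACE_DEPTH) return ULONG_MAX;
            alts[depth++] = 1;
            break;
        case ',':
            if (depth > 0) alts[depth - 1]++;
            break;
        case '}':
            if (depth > 0) {
                unsigned long n = alts[--depth];
                if (product > ULONG_MAX / n) return ULONG_MAX;  /* overflow guard */
                product *= n;
            }
            break;
        case '/':
            seg_has_wild = false;       /* new path component */
            break;
        case '*': case '?': case '[':
            if (!seg_has_wild) { seg_has_wild = true; wild_components++; }
            break;
        default:
            break;
        }
    }
    return product * (wild_components ? wild_components : 1);
}

/* Returns true when the pattern should be refused instead of passed to glob(). */
bool glob_pattern_too_costly(const char *pat, unsigned long budget)
{
    return glob_expansion_cost(pat) > budget;
}
```

For the pattern from the report the estimate is 27 brace expansions times 3 wildcard components, so it is refused under a budget of 64 while ordinary listings such as `*.txt` pass.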