Your message dated Thu, 05 May 2011 20:58:05 +0000
with message-id <e1qi5cb-0008nz...@franck.debian.org>
and subject line Bug#624848: fixed in pure-ftpd 1.0.32-1
has caused the Debian Bug report #624848,
regarding Glob vulnerability in Pure-FTPd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
624848: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: pure-ftpd, pure-ftpd-mysql, pure-ftpd-postgresql
severity: serious
tag: security
From the author on the Pure-FTPd mailing list:
--snip--
A new "0-day" multiple vendors vulnerability in the glob(3) function
has been published.
A command like STAT {..,..,..}/*/{..,..,..}/*/{..,..,..}/*/ causes
the function to eat plenty of CPU because of the recursion.
Pure-FTPd's built-in glob() function is based on OpenBSD's glob(), and
it is affected as well.
Pure-FTPd automatically kills a client process if glob() takes too long
to return a result. But still, script kiddies could use this flaw in
order to make the server crawl under load.
--snap--
This is fixed in the just released version 1.0.32.
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
--- End Message ---
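As an added illustration (not code from Pure-FTPd, OpenBSD or the Debian package), the following Python models the two mechanisms behind the report: each `{a,b,c}` group multiplies the number of candidate patterns, each `*` segment forces a directory listing, and `..` lets a candidate re-walk directories it has already listed. The report says Pure-FTPd's own mitigation is to kill the client process when glob() runs too long; the alternative shown here is a work budget in the matcher itself (the GLOB_LIMIT idea): a cap on generated patterns and a cap on directory listings, either of which rejects the pattern before it consumes unbounded CPU. The in-memory tree, the budget values and the function names are constructed assumptions for the example.

```python
"""Bounded glob expansion: shows why nested brace groups plus wildcards
balloon the work a matcher does, and how a work budget (the GLOB_LIMIT
idea) rejects such a pattern early. Added example, not Pure-FTPd code."""

from collections import deque
from fnmatch import fnmatchcase


class GlobBudgetExceeded(Exception):
    """Raised when a pattern would need more work than the caller allows."""


def _first_group(s):
    """Locate the first top-level {...} group; return (start, end, alternatives)."""
    depth, start = 0, -1
    for i, ch in enumerate(s):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                return start, i, _split_top(s[start + 1:i])
    return None


def _split_top(inner):
    """Split a group body on commas that are not inside a nested group."""
    parts, cur, depth = [], [], 0
    for ch in inner:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def expand_braces(pattern, max_patterns=1000):
    """Expand csh-style brace groups breadth-first. A group with k
    alternatives multiplies the candidate count by k, so the running total
    is checked against max_patterns before more strings are generated."""
    work, done, total = deque([pattern]), [], 1
    while work:
        s = work.popleft()
        group = _first_group(s)
        if group is None:
            done.append(s)
            continue
        start, end, alts = group
        total += len(alts) - 1
        if total > max_patterns:
            raise GlobBudgetExceeded(f"more than {max_patterns} patterns")
        for alt in alts:
            work.append(s[:start] + alt + s[end + 1:])
    return done


# Constructed in-memory directory tree (dict = directory, None = file).
SAMPLE_TREE = {
    "pub": {"a": {"x.txt": None, "y.txt": None}, "b": {"z.txt": None}},
    "incoming": {"c": {"w.txt": None}},
}


def _node_at(tree, path):
    node = tree
    for name in path:
        node = node[name]
    return node


def _walk(tree, cwd, segments, budget, matches):
    """Match one brace-free pattern segment by segment. Each directory
    listing costs one unit of budget; '..' above the root stays at the root
    (as inside a chroot), so a pattern can only revisit directories."""
    if not segments:
        matches.append("/".join(cwd))
        return
    seg, rest = segments[0], segments[1:]
    if seg == "..":
        _walk(tree, cwd[:-1], rest, budget, matches)
        return
    node = _node_at(tree, cwd)
    if not isinstance(node, dict):
        return
    budget[0] -= 1
    if budget[0] < 0:
        raise GlobBudgetExceeded("directory-listing budget exhausted")
    for name, child in node.items():
        if fnmatchcase(name, seg) and (isinstance(child, dict) or not rest):
            _walk(tree, cwd + [name], rest, budget, matches)


def bounded_glob(pattern, tree=SAMPLE_TREE, cwd=(), max_patterns=1000,
                 max_listings=100):
    """Return (sorted unique matches, listings performed), or raise
    GlobBudgetExceeded as soon as either budget is exceeded."""
    matches, budget = [], [max_listings]
    for p in expand_braces(pattern, max_patterns):
        segments = [s for s in p.split("/") if s]
        _walk(tree, list(cwd), segments, budget, matches)
    return sorted(set(matches)), max_listings - budget[0]


def is_rejected(pattern, **kwargs):
    """True if the budgets stop this pattern before it finishes."""
    try:
        bounded_glob(pattern, **kwargs)
        return False
    except GlobBudgetExceeded:
        return True


if __name__ == "__main__":
    print(bounded_glob("pub/{a,b}/*.txt"))
    # The pattern from the report: 27 identical candidates, each re-listing
    # the same directories three times over.
    print(is_rejected("{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/", cwd=("pub",)))
```

On the sample tree the report's pattern expands to 27 identical candidates and needs 189 directory listings to produce only two distinct matches, while an ordinary pattern such as `pub/{a,b}/*.txt` needs six; a listing budget of 100 separates the two without any per-client timer, and the pattern cap catches the purely combinatorial case (ten chained `{a,b}` groups) before any filesystem work starts.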
--- Begin Message ---
Source: pure-ftpd
Source-Version: 1.0.32-1
We believe that the bug you reported is fixed in the latest version of
pure-ftpd, which is due to be installed in the Debian FTP archive:
pure-ftpd-common_1.0.32-1_all.deb
to main/p/pure-ftpd/pure-ftpd-common_1.0.32-1_all.deb
pure-ftpd-ldap_1.0.32-1_amd64.deb
to main/p/pure-ftpd/pure-ftpd-ldap_1.0.32-1_amd64.deb
pure-ftpd-mysql_1.0.32-1_amd64.deb
to main/p/pure-ftpd/pure-ftpd-mysql_1.0.32-1_amd64.deb
pure-ftpd-postgresql_1.0.32-1_amd64.deb
to main/p/pure-ftpd/pure-ftpd-postgresql_1.0.32-1_amd64.deb
pure-ftpd_1.0.32-1.diff.gz
to main/p/pure-ftpd/pure-ftpd_1.0.32-1.diff.gz
pure-ftpd_1.0.32-1.dsc
to main/p/pure-ftpd/pure-ftpd_1.0.32-1.dsc
pure-ftpd_1.0.32-1_amd64.deb
to main/p/pure-ftpd/pure-ftpd_1.0.32-1_amd64.deb
pure-ftpd_1.0.32.orig.tar.gz
to main/p/pure-ftpd/pure-ftpd_1.0.32.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 624...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <ra...@linuxia.de> (supplier of updated pure-ftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 02 May 2011 06:52:11 +0200
Source: pure-ftpd
Binary: pure-ftpd-common pure-ftpd pure-ftpd-mysql pure-ftpd-postgresql pure-ftpd-ldap
Architecture: source all amd64
Version: 1.0.32-1
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <ra...@linuxia.de>
Changed-By: Stefan Hornburg (Racke) <ra...@linuxia.de>
Description:
pure-ftpd - Secure and efficient FTP server
pure-ftpd-common - Pure-FTPd FTP server (Common Files)
pure-ftpd-ldap - Secure and efficient FTP server with LDAP user authentication
pure-ftpd-mysql - Secure and efficient FTP server with MySQL user authentication
pure-ftpd-postgresql - Secure and efficient FTP server with PostgreSQL user authentication
Closes: 624848
Changes:
pure-ftpd (1.0.32-1) unstable; urgency=high
.
* New upstream release, fixes glob vulnerability (Closes: #624848).
* Remove custom default stop values.
Checksums-Sha1:
d2cf25c4d6a74cf847396640c93f76ffc3dd4a57 1408 pure-ftpd_1.0.32-1.dsc
634547b7f5aa15da27bb3e7b0d9c3e55c5be54da 568409 pure-ftpd_1.0.32.orig.tar.gz
699b123b179cfa14812aaf977a2dd9b98af2ccd6 47835 pure-ftpd_1.0.32-1.diff.gz
417ad11f20c610abc97c3b5db088abba5ed2eb71 181936 pure-ftpd-common_1.0.32-1_all.deb
850fb4723b910c3d4a322dc9622b6741b2577468 179696 pure-ftpd_1.0.32-1_amd64.deb
654b9611e32d5178a4d4cd857ae9e4026ca76f95 213742 pure-ftpd-mysql_1.0.32-1_amd64.deb
e0d6752f1442ce60d9f5de806f105b0fd50a7d5d 197262 pure-ftpd-postgresql_1.0.32-1_amd64.deb
eef641e44c898a0f4006bea4934e823bbc4876c5 195898 pure-ftpd-ldap_1.0.32-1_amd64.deb
Checksums-Sha256:
ce5dcc7720a43700b7566c48edd9ccc7a8f557e91638ced428b4f74707413820 1408 pure-ftpd_1.0.32-1.dsc
3fbfa290d95e57b0c9be816df35bffbce2be389154f12f6f7bccf3f5bc27c1d1 568409 pure-ftpd_1.0.32.orig.tar.gz
775032936f3877a5704213fc956f25184f9436640fffa6de9fd6268a42d74abc 47835 pure-ftpd_1.0.32-1.diff.gz
5fb924e76c9044eb8a039938aff2b0bbfd6aba693610fa0f68a722dc0837e8a9 181936 pure-ftpd-common_1.0.32-1_all.deb
ef128a9362c387199aebdccf5c42cb6f22ea1c6a106743bc9ae1fdd48a5af6ec 179696 pure-ftpd_1.0.32-1_amd64.deb
402dec8c7cb9ecc32d1aa0bb4653589175e5463a091fa9543ee95364a0cca5c5 213742 pure-ftpd-mysql_1.0.32-1_amd64.deb
166f3bece7d27e544e1fad8dc1b14831305b1418cc6c54a47a19dc4480d686d8 197262 pure-ftpd-postgresql_1.0.32-1_amd64.deb
0724c629580ae3d345d00a3ad7c8e57c0d892f49402306e151063b5e7693eb64 195898 pure-ftpd-ldap_1.0.32-1_amd64.deb
Files:
f0eeeb780555ccc789995c35f3d0756b 1408 net optional pure-ftpd_1.0.32-1.dsc
59df592ce7ee6d05756ebdf92f418b07 568409 net optional pure-ftpd_1.0.32.orig.tar.gz
227ced2f8748ad41fdd6fc0f47e9fcc9 47835 net optional pure-ftpd_1.0.32-1.diff.gz
0f73fc3d6f0fa0a7b038c687234f1e06 181936 net optional pure-ftpd-common_1.0.32-1_all.deb
fda6e829761cce0f2297648fc3a4a457 179696 net optional pure-ftpd_1.0.32-1_amd64.deb
34a529163e393c84ee5221c0db66809b 213742 net optional pure-ftpd-mysql_1.0.32-1_amd64.deb
f2efac0645de793013037e1fb760aacd 197262 net optional pure-ftpd-postgresql_1.0.32-1_amd64.deb
c99011eed30b75873f873f3d2068d5ba 195898 net optional pure-ftpd-ldap_1.0.32-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk3DAfcACgkQjgVfE5tya3HLYwCfTJpjqBknTlsIplCqcWMFvRIo
c5cAnRoJkVhV3+sB3tQGkushH/YAmafZ
=5BWH
-----END PGP SIGNATURE-----
--- End Message ---