Multiple libc/glob(3) flaws were reported [1] that affect various *BSD libc implementations. In particular, globs containing braces could lead to resource exhaustion. One such vulnerable application is Pure-FTPd. This has been corrected in upstream version 1.0.32, where support for braces expansion in directory listings was disabled.

[1] http://securityreason.com/achievement_securityalert/97
[2] http://www.pureftpd.org/project/pure-ftpd/news
Created pure-ftpd tracking bugs for this issue

Affects: fedora-all [bug 704285]
Affects: epel-all [bug 704286]
Fedora currently ships the fixed 1.0.32 in each supported release. EPEL5 is not corrected (1.0.29) and EPEL6 is not corrected (1.0.30).