Bug 646169 (CVE-2009-5011)

Summary: CVE-2009-5011 pyftpdlib: Race condition in the FTPHandler class
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 16:15:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 646178    
Bug Blocks:    

Description Jan Lieskovsky 2010-10-24 18:58:51 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5011 to
the following vulnerability:

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib
before 0.5.2 allows remote attackers to cause a denial of service
(daemon outage) by establishing and then immediately closing a TCP
connection, leading to the getpeername function having an ENOTCONN
error, a different vulnerability than CVE-2010-3494.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5011
[2] http://code.google.com/p/pyftpdlib/issues/detail?id=100
[3] http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
[4] http://code.google.com/p/pyftpdlib/source/detail?r=543
[5] http://code.google.com/p/pyftpdlib/source/diff?spec=svn543&r=543&format=side&path=/trunk/pyftpdlib/ftpserver.py

Affected versions:
This issue affects the version of the pyftpdlib package, as shipped
with Fedora release of 12.

This issue does NOT affect the version of the pyftpdlib package, as
shipped with Fedora release of 13 (relevant code part is already
updated).
Comment 1 Jan Lieskovsky 2010-10-24 19:43:53 UTC 
Created pyftpdlib tracking bugs for this issue

Affects: fedora-12 [bug 646178]
Comment 2 Silas Sewell 2010-12-30 05:20:53 UTC 
This should be fixed by 646178