Buffer Overflow vulnerability in Proftpd commit 4017eff8 allows a remote attacker to execute arbitrary code and can cause a Denial of Service (DoS) on the FTP service by sending a maliciously crafted message to the ProFTPD service port.
Comment from upstream: https://github.com/proftpd/proftpd/issues/1866#issuecomment-2645976560

I executed all of the provided test cases, and have verified the following:

* the test cases which trigger issues do so only for _data transfers_ (file uploads/downloads, directory listings); data transfers require successful authentication
* the test cases do _not_ require that the `--enable-devel=nodaemon:nofork` configure option be used
* the test cases trigger issues with NULL pointer dereferences; I found no sign of the purported "buffer overflow"

Thus any "denial of service" is self-inflicted; the process which dies due to the NULL pointer dereference is the process handling that particular client connection, and no other clients or connections.

At this point, I am inclined to think this advisory was incompetently written/reported, and no one actually bothered to verify this before issuing the (IMHO, spurious and useless) CVE.