Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0762 to
the following vulnerability:
The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3
allows remote authenticated users to cause a denial of service (CPU
consumption and process slot exhaustion) via crafted glob expressions
in STAT commands in multiple FTP sessions, a different vulnerability
Created attachment 481947 [details]
relevant bits extracted from 2.3.2/2.3.3 diff
This should be the relevant bits from the diff of upstream 2.3.2 and 2.3.3 versions, and should correct the flaw.
(In reply to comment #1)
> This should be the relevant bits from the diff of upstream 2.3.2 and 2.3.3
> versions, and should correct the flaw.
Looking at the 2.3.3 -> 2.3.4 diff, described in the changelog as:
- Fix compile. Extreme suckage.
Failed compile is related to this fix, so 2.3.2 -> 2.3.4 diff is what we should be using.
Created attachment 482013 [details]
2.3.2 -> 2.3.4 changes relevant to this issue.
Created vsftpd tracking bugs for this issue
Affects: fedora-all [bug 681935]
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0337 https://rhn.redhat.com/errata/RHSA-2011-0337.html
which version of vsftpd fix the vsf_filename_passes_filter Vulnerabilities issue in redhat release?
(In reply to comment #16)
> which version of vsftpd fix the vsf_filename_passes_filter Vulnerabilities
> issue in redhat release?
As noted in comment c#15, the CVE-2011-0762 was corrected in Red Hat Enterprise Linux 4, 5, and 6 via RHSA-2011:0337 advisory. See https://rhn.redhat.com/errata/RHSA-2011-0337.html for concrete package versions for particular system / release.
Jan iankko Lieskovsky / Red Hat Security Response Team