Multiple libc/glob(3) flaws were reported  that affect various *BSD libc implementations. In particular, globs containing braces could lead to resource exhaustion.
One such vulnerable application is Pure-FTPd. This has been corrected in upstream version 1.0.32, where support for braces expansion in directory listings was disabled.
Created pure-ftpd tracking bugs for this issue
Affects: fedora-all [bug 704285]
Affects: epel-all [bug 704286]
Fedora currently ships the fixed 1.0.32 in each supported release.
EPEL5 is not corrected (1.0.29) and EPEL6 is not corrected (1.0.30).