Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5012 to the following vulnerability:

ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5012
[2] http://code.google.com/p/pyftpdlib/issues/detail?id=114
[3] http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
[4] http://code.google.com/p/pyftpdlib/source/detail?r=596
[5] http://code.google.com/p/pyftpdlib/source/diff?spec=svn596&r=596&format=side&path=/trunk/pyftpdlib/ftpserver.py

Affected versions:
This issue affects the version of the pyftpdlib package, as shipped with Fedora release of 12.
This issue does NOT affect the version of the pyftpdlib package, as shipped with Fedora release of 13 (relevant code part is already updated).
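
The missing check described above, modelled as an added example (not pyftpdlib's own code): a toy command table in which each command names the permission it requires, with MLST left unguarded before the fix and requiring l after it, plus an audit function that flags listing commands lacking the l requirement. The table layout, the Authorizer helper and the write-only "uploader" account are assumptions made for illustration.

```python
"""Toy model of per-command permission checks in an FTP server (constructed)."""

# Commands that disclose directory contents or file facts.
LISTING_COMMANDS = ("LIST", "NLST", "MLSD", "MLST")

# Constructed tables: command -> required permission letter (None = no check).
TABLE_BEFORE = {"LIST": "l", "NLST": "l", "MLSD": "l", "MLST": None, "RETR": "r"}
TABLE_AFTER = {"LIST": "l", "NLST": "l", "MLSD": "l", "MLST": "l", "RETR": "r"}


class Authorizer:
    """Hypothetical helper: maps a user name to its granted permission letters."""

    def __init__(self, grants):
        self._grants = grants

    def has_perm(self, user, perm):
        return perm in self._grants.get(user, "")


def dispatch(table, authorizer, user, cmd):
    """Return 'ok', 'denied' or 'unknown' for an authenticated user's command."""
    if cmd not in table:
        return "unknown"
    required = table[cmd]
    # A command with no required permission is never checked: this is the gap.
    if required is not None and not authorizer.has_perm(user, required):
        return "denied"
    return "ok"


def unguarded_listing_commands(table):
    """Audit check: listing commands in the table that do not require 'l'."""
    return [c for c in LISTING_COMMANDS if c in table and table[c] != "l"]


if __name__ == "__main__":
    auth = Authorizer({"uploader": "w"})  # constructed account without 'l'
    for name, table in (("before", TABLE_BEFORE), ("after", TABLE_AFTER)):
        replies = {c: dispatch(table, auth, "uploader", c) for c in LISTING_COMMANDS}
        print(name, replies, "unguarded:", unguarded_listing_commands(table))
```

Running the audit function against a server's real command table in a regression test catches a listing command that was added without its permission requirement.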
Created pyftpdlib tracking bugs for this issue

Affects: fedora-12 [bug 646178]