In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.) References: https://github.com/jedisct1/pure-ftpd/pull/158 https://github.com/jedisct1/pure-ftpd/commit/37ad222868e52271905b94afea4fc780d83294b4 https://github.com/jedisct1/pure-ftpd/compare/1.0.49...1.0.50
Created gerbv tracking bugs for this issue: Affects: epel-all [bug 2041805] Affects: fedora-all [bug 2041804]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.