<HTML>
<HEAD>
<TITLE>Re: [Full-disclosure] [ GLSA 200801-17 ] Netkit FTP Server: Denial of Service</TITLE>
</HEAD>
<BODY>
<FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Unsubscribe full-disclosure<BR>
<BR>
<BR>
On 29/01/08 4:09 PM, "Raphael Marichez" <falco@gentoo.org> wrote:<BR>
<BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<BR>
Gentoo Linux Security Advisory GLSA 200801-17<BR>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<BR>
<a href="http://security.gentoo.org/">http://security.gentoo.org/</a><BR>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<BR>
<BR>
Severity: Normal<BR>
Title: Netkit FTP Server: Denial of Service<BR>
Date: January 29, 2008<BR>
Bugs: #199206<BR>
ID: 200801-17<BR>
<BR>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<BR>
<BR>
Synopsis<BR>
========<BR>
<BR>
Netkit FTP Server contains a Denial of Service vulnerability.<BR>
<BR>
Background<BR>
==========<BR>
<BR>
net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL<BR>
support.<BR>
<BR>
Affected packages<BR>
=================<BR>
<BR>
-------------------------------------------------------------------<BR>
Package / Vulnerable / Unaffected<BR>
-------------------------------------------------------------------<BR>
1 net-ftp/netkit-ftpd < 0.17-r7 >= 0.17-r7<BR>
<BR>
Description<BR>
===========<BR>
<BR>
Venustech AD-LAB discovered that an FTP client connected to a<BR>
vulnerable server with passive mode and SSL support can trigger an<BR>
fclose() function call on an uninitialized stream in ftpd.c.<BR>
<BR>
Impact<BR>
======<BR>
<BR>
A remote attacker can send specially crafted FTP data to a server with<BR>
passive mode and SSL support, causing the ftpd daemon to crash.<BR>
<BR>
Workaround<BR>
==========<BR>
<BR>
Disable passive mode or SSL.<BR>
<BR>
Resolution<BR>
==========<BR>
<BR>
All Netkit FTP Server users should upgrade to the latest version:<BR>
<BR>
# emerge --sync<BR>
# emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"<BR>
<BR>
References<BR>
==========<BR>
<BR>
[ 1 ] CVE-2007-6263<BR>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6263">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6263</a><BR>
<BR>
Availability<BR>
============<BR>
<BR>
This GLSA and any updates to it are available for viewing at<BR>
the Gentoo Security Website:<BR>
<BR>
<a href="http://security.gentoo.org/glsa/glsa-200801-17.xml">http://security.gentoo.org/glsa/glsa-200801-17.xml</a><BR>
<BR>
Concerns?<BR>
=========<BR>
<BR>
Security is a primary focus of Gentoo Linux and ensuring the<BR>
confidentiality and security of our users machines is of utmost<BR>
importance to us. Any security concerns should be addressed to<BR>
security@gentoo.org or alternatively, you may file a bug at<BR>
<a href="http://bugs.gentoo.org.">http://bugs.gentoo.org.</a><BR>
<BR>
License<BR>
=======<BR>
<BR>
Copyright 2008 Gentoo Foundation, Inc; referenced text<BR>
belongs to its owner(s).<BR>
<BR>
The contents of this document are licensed under the<BR>
Creative Commons - Attribution / Share Alike license.<BR>
<BR>
<a href="http://creativecommons.org/licenses/by-sa/2.5">http://creativecommons.org/licenses/by-sa/2.5</a><BR>
<BR>
</SPAN></FONT></FONT></BLOCKQUOTE>
</BODY>
</HTML>