[Frugalware-security] [ FSA-98 ] proftpd
voroskoi
noreply at frugalware.org
Tue Jan 16 12:07:47 CET 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Frugalware Security Advisory FSA-98
Date: 2007-01-16
Package: proftpd
Vulnerable versions: <= 1.3.0-4siwenna1
Unaffected versions: >= 1.3.0-5siwenna1
Related bugreport: http://bugs.frugalware.org/task/1538
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6563
Description
===========
Alfredo Ortega has reported a vulnerability in the mod_ctrls module for ProFTPD, which can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused due to a boundary error within the "pr_ctrls_recv_request()" function in src/ctrls.c and can be exploited to cause a buffer overflow by sending specially crafted control messages to the module.
Successful exploitation may allow to execute arbitrary code with escalated privileges, but requires that the mod_ctrl module is used and that ACLs allow the attacker to access the module.
Updated Packages
================
Check if you have proftpd installed:
# pacman -Q proftpd
If found, then you should upgrade to the latest version:
# pacman -Sy proftpd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info
iD8DBQFFrLICZ7NElSD1VhkRApNJAJ9ECfs9ybwpVUItAXHGy9Bq109KkwCfb/c4
+w4f+R62/M7EZEtISXObPwk=
=vWkJ
-----END PGP SIGNATURE-----
More information about the Frugalware-security
mailing list