Pure-FTPd: Potential DoS when maximum connections is reached — GLSA 200407-04

Pure-FTPd contains a bug potentially allowing a Denial of Service attack when the maximum number of connections is reached.

Affected Packages

net-ftp/pure-ftpd on all architectures
Affected versions <= 1.0.18
Unaffected versions >= 1.0.18-r1

Background

Pure-FTPd is a fast, production-quality and standards-compliant FTP server.

Description

Pure-FTPd contains a bug in the accept_client function handling the setup of new connections.

Impact

When the maximum number of connections is reached an attacker could exploit this vulnerability to perform a Denial of Service attack.

Workaround

There is no known workaround at this time. All users are encouraged to upgrade to the latest available version.

Resolution

All Pure-FTPd users should upgrade to the latest stable version:

 # emerge sync
 
 # emerge -pv ">=net-ftp/pure-ftpd-1.0.18-r1"
 # emerge ">=net-ftp/pure-ftpd-1.0.18-r1"

References

Release Date
July 04, 2004

Latest Revision
May 22, 2006: 02

Severity
normal

Exploitable
remote

Bugzilla entries