Debian Bug report logs - #622741
vsftpd: upgrade stable to fix remote DoS (CVE-2011-0762)


Package: vsftpd; Maintainer for vsftpd is Daniel Baumann <mail@daniel-baumann.ch>; Source for vsftpd is src:vsftpd.

Reported by: Dario Vieli <dario@wuala.com>

Date: Thu, 14 Apr 2011 10:42:08 UTC

Severity: important

Tags: security

Found in version vsftpd/2.3.2-3

Fixed in versions 2.3.4-1, vsftpd/2.3.2-3+squeeze2, vsftpd/2.0.7-1+lenny1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#622741; Package vsftpd. (Thu, 14 Apr 2011 10:42:11 GMT)

Acknowledgement sent to Dario Vieli <dario@wuala.com>:
New Bug report received and forwarded. Copy sent to Daniel Baumann <daniel@lists.debian-maintainers.org>. (Thu, 14 Apr 2011 10:42:16 GMT)

Message #5 received at submit@bugs.debian.org:

From: Dario Vieli <dario@wuala.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vsftpd: upgrade stable to fix remote DoS (CVE-2011-0762)
Date: Thu, 14 Apr 2011 11:39:09 +0200
Package: vsftpd
Version: 2.3.2-3
Severity: important

From http://securityreason.com/securityalert/8109:
Topic: vsftpd 2.3.2 remote denial-of-service
SecurityAlert: 8109
CVE: CVE-2011-0762
SecurityRisk: Medium
Remote Exploit: Yes

fix: ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.3.4/Changelog



-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Added tag(s) security. Request was from Mike O'Connor <stew@debian.org> to control@bugs.debian.org. (Thu, 16 Jun 2011 15:09:02 GMT)

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Thu, 08 Sep 2011 19:09:15 GMT)

Notification sent to Dario Vieli <dario@wuala.com>:
Bug acknowledged by developer. (Thu, 08 Sep 2011 19:09:15 GMT)

Message #12 received at 622741-done@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 622741-done@bugs.debian.org
Subject: fixed in 2.3.4-1
Date: Thu, 8 Sep 2011 20:54:52 +0200
Version: 2.3.4-1


-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 21 Sep 2011 19:57:07 GMT)

Notification sent to Dario Vieli <dario@wuala.com>:
Bug acknowledged by developer. (Wed, 21 Sep 2011 19:57:08 GMT)

Message #17 received at 622741-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 622741-close@bugs.debian.org
Subject: Bug#622741: fixed in vsftpd 2.3.2-3+squeeze2
Date: Wed, 21 Sep 2011 19:55:18 +0000
Source: vsftpd
Source-Version: 2.3.2-3+squeeze2

We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:

vsftpd_2.3.2-3+squeeze2.diff.gz
  to main/v/vsftpd/vsftpd_2.3.2-3+squeeze2.diff.gz
vsftpd_2.3.2-3+squeeze2.dsc
  to main/v/vsftpd/vsftpd_2.3.2-3+squeeze2.dsc
vsftpd_2.3.2-3+squeeze2_amd64.deb
  to main/v/vsftpd/vsftpd_2.3.2-3+squeeze2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622741@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vsftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 07 Sep 2011 20:39:59 +0000
Source: vsftpd
Binary: vsftpd
Architecture: source amd64
Version: 2.3.2-3+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Daniel Baumann <daniel@lists.debian-maintainers.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 vsftpd     - lightweight, efficient FTP server written for security
Closes: 622741
Changes: 
 vsftpd (2.3.2-3+squeeze2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Disable network isolation due to a problem with cleaning up network
     namespaces fast enough in kernels < 2.6.35 (CVE-2011-2189).
     Thanks Ben Hutchings for the patch!
   * Fix possible DoS via glob expressions in STAT commands by
     limiting the matching loop (CVE-2011-0762; Closes: #622741).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk52fU0ACgkQHYflSXNkfP9xagCgpJMl8AiwDetNf+TKOPYElRNM
ZHEAoIB4QO8aqpOdUTjnaJplWKwlgtai
=UkSH
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 05 Oct 2011 01:57:04 GMT)

Notification sent to Dario Vieli <dario@wuala.com>:
Bug acknowledged by developer. (Wed, 05 Oct 2011 01:57:04 GMT)

Message #22 received at 622741-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 622741-close@bugs.debian.org
Subject: Bug#622741: fixed in vsftpd 2.0.7-1+lenny1
Date: Wed, 05 Oct 2011 01:55:42 +0000
Source: vsftpd
Source-Version: 2.0.7-1+lenny1

We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:

vsftpd_2.0.7-1+lenny1.diff.gz
  to main/v/vsftpd/vsftpd_2.0.7-1+lenny1.diff.gz
vsftpd_2.0.7-1+lenny1.dsc
  to main/v/vsftpd/vsftpd_2.0.7-1+lenny1.dsc
vsftpd_2.0.7-1+lenny1_amd64.deb
  to main/v/vsftpd/vsftpd_2.0.7-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622741@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vsftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 08 Sep 2011 19:15:16 +0000
Source: vsftpd
Binary: vsftpd
Architecture: source amd64
Version: 2.0.7-1+lenny1
Distribution: oldstable-security
Urgency: high
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 vsftpd     - The Very Secure FTP Daemon
Closes: 622741
Changes: 
 vsftpd (2.0.7-1+lenny1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix possible DoS via glob expressions in STAT commands by
     limiting the matching loop (CVE-2011-0762; Closes: #622741).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk5pFSYACgkQHYflSXNkfP/kngCcCeduoXOutkTQ5JpiJRQ0vmdl
sKsAn3OrI8yfh4pkomvhyhwXrSolQvrJ
=smu+
-----END PGP SIGNATURE-----
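
Both changelogs above describe the CVE-2011-0762 fix as limiting the matching loop. The following is an added illustration of that idea, not vsftpd's code and not the Debian patch: a backtracking wildcard matcher that charges each step against a budget and stops when it is spent. The names `bounded_match` and `MAX_MATCH_STEPS`, the cap value and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>

#define MAX_MATCH_STEPS 10000UL  /* hypothetical cap, not vsftpd's value */
enum match_result { LIMIT_HIT = -1, NO_MATCH = 0, MATCH = 1 };

/* Backtracking matcher for '*' and '?'. Each call spends one step of the
 * budget; once it is exhausted the search stops with LIMIT_HIT. */
static int match_rec(const char *pat, const char *str, unsigned long *steps)
{
    if (*steps == 0)
        return LIMIT_HIT;
    (*steps)--;
    if (*pat == '\0')
        return *str == '\0' ? MATCH : NO_MATCH;
    if (*pat == '*') {
        /* Try every length of text that '*' could consume. */
        for (const char *s = str; ; s++) {
            int r = match_rec(pat + 1, s, steps);
            if (r != NO_MATCH)
                return r;   /* MATCH and LIMIT_HIT both end the search */
            if (*s == '\0')
                return NO_MATCH;
        }
    }
    if (*str != '\0' && (*pat == '?' || *pat == *str))
        return match_rec(pat + 1, str + 1, steps);
    return NO_MATCH;
}

/* Returns MATCH, NO_MATCH or LIMIT_HIT; *used receives the steps spent. */
int bounded_match(const char *pat, const char *str,
                  unsigned long limit, unsigned long *used)
{
    unsigned long steps = limit;
    int r = match_rec(pat, str, &steps);
    if (used)
        *used = limit - steps;
    return r;
}

int main(void)
{
    /* Constructed input: repeated '*' against text that can never match. */
    unsigned long used = 0;
    int r = bounded_match("*a*a*a*a*a*a*a*a*b",
                          "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                          MAX_MATCH_STEPS, &used);
    printf("result=%d steps=%lu\n", r, used);
    return r == LIMIT_HIT ? 0 : 1;
}
```

A caller that treats `LIMIT_HIT` the same as a non-match fails closed: ordinary patterns finish in a handful of steps, while a pattern that forces heavy backtracking is cut off at the cap instead of holding the CPU.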





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 02 Nov 2011 07:36:41 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 11:58:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.