- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: oftpd DoS vulnerability
      Date: March 29, 2004
      Bugs: #45738
        ID: 200403-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
A remotely-exploitable overflow exists in oftpd, allowing an attacker
to crash the oftpd daemon.

Background
=========
Quote from 
"oftpd is designed to be as secure as an anonymous FTP server can
possibly be. It runs as non-root for most of the time, and uses the
Unix chroot() command to hide most of the systems directories from
external users - they cannot change into them even if the server is
totally compromised! It contains its own directory change code, so that
it can run efficiently as a threaded server, and its own directory
listing code (most FTP servers execute the system "ls" command to list
files)."

Affected packages
================
    -------------------------------------------------------------------
     Package        /   Vulnerable   /                      Unaffected
    -------------------------------------------------------------------
     net-ftp/oftpd       <= 0.3.6                             >= 0.3.7

Description
==========
Issuing a port command with a number higher than 255 causes the server
to crash. The port command may be issued before any authentication
takes place, meaning the attacker does not need to know a valid
username and password in order to exploit this vulnerability.

Impact
=====
This exploit causes a denial of service.

Workaround
=========
While a workaround is not currently known for this issue, all users are
advised to upgrade to the latest version of the affected package.

Resolution
=========
All users should upgrade to the current version of the affected
package:

    # emerge sync

    # emerge -pv ">=net-ftp/oftpd-0.3.7"
    # emerge ">=net-ftp/oftpd-0.3.7"

References
=========
  [ 1 ] 
Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org/.

Gentoo: GLSA-200403-08: oftpd DoS vulnerability

A remotely-exploitable overflow exists in oftpd, allowing an attacker to crash the oftpd daemon.

Summary

Gentoo Linux Security Advisory GLSA 200403-08 https://security.gentoo.org/ Severity: Normal Title: oftpd DoS vulnerability Date: March 29, 2004 Bugs: #45738 ID: 200403-08

Synopsis ======= A remotely-exploitable overflow exists in oftpd, allowing an attacker to crash the oftpd daemon.
Background ========= Quote from "oftpd is designed to be as secure as an anonymous FTP server can possibly be. It runs as non-root for most of the time, and uses the Unix chroot() command to hide most of the systems directories from external users - they cannot change into them even if the server is totally compromised! It contains its own directory change code, so that it can run efficiently as a threaded server, and its own directory listing code (most FTP servers execute the system "ls" command to list files)."
Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- net-ftp/oftpd <= 0.3.6 >= 0.3.7
========== Issuing a port command with a number higher than 255 causes the server to crash. The port command may be issued before any authentication takes place, meaning the attacker does not need to know a valid username and password in order to exploit this vulnerability.
Impact ===== This exploit causes a denial of service.
Workaround ========= While a workaround is not currently known for this issue, all users are advised to upgrade to the latest version of the affected package.
Resolution ========= All users should upgrade to the current version of the affected package:
# emerge sync
# emerge -pv ">=net-ftp/oftpd-0.3.7" # emerge ">=net-ftp/oftpd-0.3.7"
References ========= [ 1 ] Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org/.

Resolution

References

Availability

Concerns

Severity

Synopsis

Background

Affected Packages

Impact

Workaround

Related News

Linux Mint 22: Elevating Security and Usability for Admins
3 - 5 min read
Linux Mint has has long been recognized as a versatile and user-friendly distribution and has earned great popularity among administrators and
Exim 4.98 Addresses Critical Vulnerabilities, Bolsters Email Server Security
2 - 4 min read
Exim is one of Unix-like systems' most widely used mail transfer agents. It's essential for email delivery and handling and is a significant part of
Recent OpenSSH RCE Bug Explained: Impact & Mitigations
2 - 4 min read
In an era where cybersecurity threats loom larger than ever, the discovery of a Remote Code Execution (RCE) vulnerability in OpenSSH by Qualys’
CVE-2024-4577: A Swiftly Weaponized Vulnerability for Ransomware Distribution
2 - 4 min read
Security researchers recently issued an update detailing how attackers are exploiting a PHP code execution vulnerability to spread TellYouThePass
Play Ransomware Group Unleashes New Threat on ESXi Environments: Analysis & Mitigation Strategies
3 - 5 min read
The Play ransomware group, well-known for its double-extortion tactics, recently unveiled a Linux variant targeting ESXi environments. This
Critical Linux Kernel Vulnerabilities Patched in Ubuntu Azure Systems
2 - 4 min read
Canonical has fixed several recently identified critical Linux kernel vulnerabilities in July 2024. These vulnerabilities primarily affect Microsoft
The Urgent Need for Secure Software Development: New Report Serves as a Wake-Up Call for the Industry
3 - 5 min read
The Linux Foundation and Open Source Security Foundation recently published a report entitled "Secure Software Development Education 2024
Severe Linux Kernel Privilege Escalation Bugs Could Compromise Entire Systems
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved