
Slackware 13.37: SSA:2012-041-05 Critical vsftpd Heap Overflow

February 10, 2012
Important vsftpd security patch released for Slackware resolving glibc heap vulnerability. Immediate update advised.
New vsftpd packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to work around a vulnerability in glibc.

Summary

Here are the details from the Slackware 13.37 ChangeLog:

patches/packages/vsftpd-2.3.5-i486-1_slack13.37.txz: Upgraded.
Minor version bump, this also works around a hard to trigger heap overflow in glibc (glibc zoneinfo caching vuln). For there to be any possibility to trigger the glibc bug within vsftpd, the non-default option "chroot_local_user" must be set in /etc/vsftpd.conf.
Considered 1) low severity (hard to exploit) and 2) not a vsftpd bug :-)
Nevertheless:
(* Security fix *)
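
The ChangeLog entry ties exposure to two conditions: a vsftpd older than 2.3.5 and chroot_local_user enabled in the config. The script below is an added example, not part of the advisory or of Slackware's tooling, that classifies a host on those two conditions. The function names, the three result labels, the last-assignment-wins rule and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory.

# Effective value of a vsftpd boolean option: YES, NO or UNSET.
# Lines are "option=value" with no spaces around "="; "#" starts a comment.
# Assumption: when an option is repeated, the last assignment wins.
vsftpd_bool() {   # usage: vsftpd_bool OPTION CONF_FILE
    awk -F= -v opt="$1" '
        /^#/ { next }
        $1 == opt {
            v = toupper($2); sub(/[ \t\r]+$/, "", v)
            if (v == "YES" || v == "TRUE" || v == "1") val = "YES"
            else if (v == "NO" || v == "FALSE" || v == "0") val = "NO"
        }
        END { print (val == "" ? "UNSET" : val) }
    ' "$2"
}

# Succeeds (status 0) when dotted version $1 is older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Classify a host from its vsftpd package name (name-version-arch-build)
# and config file: has-workaround, exposed, or not-triggerable.
triage() {   # usage: triage PACKAGE_NAME CONF_FILE
    ver=$(printf '%s\n' "$1" | awk -F- '{ print $(NF-2) }')
    if ! version_lt "$ver" 2.3.5; then
        echo has-workaround
    elif [ "$(vsftpd_bool chroot_local_user "$2")" = YES ]; then
        echo exposed
    else
        echo not-triggerable
    fi
}

# Constructed sample input (not taken from a real host).
conf=$(mktemp); trap 'rm -f "$conf"' EXIT
printf '%s\n' 'listen=YES' '#chroot_local_user=NO' 'chroot_local_user=YES' > "$conf"
triage vsftpd-2.3.4-i486-1 "$conf"              # constructed older package name
triage vsftpd-2.3.5-i486-1_slack13.37 "$conf"   # package named in the advisory
```

On a Slackware host, pass the installed package's entry name from /var/log/packages/ and the path /etc/vsftpd.conf. A not-triggerable result still calls for the upgrade, since the option can be enabled later.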

Where to Find New Packages

Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.
Updated package for Slackware 11.0:
Updated package for Slackware 12.0:
Updated package for Slackware 12.1: ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/vsftpd-2.3.5-i486-1_slack12.1.tgz
Updated package for Slackware 12.2: ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/vsftpd-2.3.5-i486-1_slack12.2.tgz
Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/vsftpd-2.3.5-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/vsftpd-2.3.5-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/vsft...


MD5 Signatures


Severity
critical


Installation Instructions

Upgrade the package as root:

# upgradepkg vsftpd-2.3.5-i486-1_slack13.37.txz
