Bugzilla – Bug 843444
VUL-0: CVE-2013-4359: proftpd: remote denial of service
Last modified: 2015-02-19 01:33:02 UTC
public via cve db CVE-2013-4359: Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation.
Reference: MLIST: http://www.openwall.com/lists/oss-security/2013/09/17/6
Reference: MISC: http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/
Reference: CONFIRM: http://bugs.proftpd.org/show_bug.cgi?id=3973
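The description above boils down to one untrusted integer sizing an allocation. The following is an added example, not ProFTPD's code: it contrasts the unchecked shape with a parser that bounds the client-supplied response count both by a policy cap and by the bytes actually present before anything is allocated. The cap value, the message layout (big-endian uint32 count followed by length-prefixed strings) and the sample messages are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap on keyboard-interactive responses (illustration only). */
#define MAX_RESPONSES 500

/* Read a big-endian uint32 and advance the cursor; 0 on short input. */
static int read_u32(const uint8_t **buf, size_t *len, uint32_t *out) {
    if (*len < 4) return 0;
    *out = ((uint32_t)(*buf)[0] << 24) | ((uint32_t)(*buf)[1] << 16) |
           ((uint32_t)(*buf)[2] << 8)  |  (uint32_t)(*buf)[3];
    *buf += 4; *len -= 4;
    return 1;
}

/* The unsafe shape: the client's count directly sizes an array of pointers.
 * On a 32-bit host count * sizeof(char *) wraps; on a 64-bit host it asks for
 * about 32 GiB when count = 0xffffffff. Either way the server pays for it. */
size_t unchecked_alloc_bytes(uint32_t count) {
    return (size_t)count * sizeof(char *);
}

/* Hardened: bound the count by policy and by the bytes actually present
 * (every response carries at least a 4-byte length prefix), before any
 * allocation. Returns the count, or -1 if the message must be rejected. */
long parse_response_count(const uint8_t *buf, size_t len) {
    uint32_t count;
    if (!read_u32(&buf, &len, &count)) return -1;
    if (count > MAX_RESPONSES) return -1;        /* policy bound */
    if ((size_t)count > len / 4) return -1;      /* more entries than payload */
    return (long)count;
}

/* Constructed sample messages: count, then length-prefixed response strings. */
static const uint8_t MSG_OK[]    = {0,0,0,2, 0,0,0,1,'a', 0,0,0,1,'b'};
static const uint8_t MSG_HUGE[]  = {0xff,0xff,0xff,0xff};
static const uint8_t MSG_SHORT[] = {0,0,0,3, 0,0,0,0};

long check_ok(void)    { return parse_response_count(MSG_OK,    sizeof MSG_OK); }
long check_huge(void)  { return parse_response_count(MSG_HUGE,  sizeof MSG_HUGE); }
long check_short(void) { return parse_response_count(MSG_SHORT, sizeof MSG_SHORT); }

int main(void) {
    printf("ok=%ld huge=%ld short=%ld\n", check_ok(), check_huge(), check_short());
    printf("unchecked bytes for 0xffffffff: %zu\n", unchecked_alloc_bytes(0xffffffffu));
    return 0;
}
```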
bugbot adjusting priority
ongoing work
created request id 202094 for network/proftpd
Request 202094 accepted and forwarded to openSUSE:Factory / proftpd (request 202095)
Created maintenance release request for 12.2, 12.3
This is an autogenerated message for OBS integration: This bug (843444) was mentioned in
https://build.opensuse.org/request/show/202095 Factory / proftpd
https://build.opensuse.org/request/show/202096 12.2+12.3 / proftpd
Christian, I do not think the systemd changes done for factory and 12.3 will work in 12.2. :/ I can of course accept the update and we will check, but it's unlikely. How do you want to proceed?
hmm, not really familiar with systemd. Can you check it? I do not have a 12.2 system. I need to set up one first to check it.
seems to work on my 12.2 / systemd... let's try
released
openSUSE-SU-2013:1563-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 787884,811793,843444
CVE References: CVE-2013-4359
Sources used:
openSUSE 12.3 (src): proftpd-1.3.4d-4.4.5
openSUSE 12.2 (src): proftpd-1.3.4d-2.5.1