Bugzilla – Bug 843444
VUL-0: CVE-2013-4359: proftpd: remote denial of service
Last modified: 2015-02-19 01:33:02 UTC
public via cve db
Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation.
Reference: MLIST: http://www.openwall.com/lists/oss-security/2013/09/17/6
Reference: MISC: http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/
Reference: CONFIRM: http://bugs.proftpd.org/show_bug.cgi?id=3973
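The allocation pattern the CVE text describes, shown as an added example that is not proftpd's kbdint.c (the function names, the constructed sample messages and the MAX_KBDINT_RESPONSES cap are assumptions made here). In SSH keyboard-interactive authentication (RFC 4256) the client's SSH_MSG_USERAUTH_INFO_RESPONSE begins with a 32-bit response count; if the server multiplies that count by an element size to size an array without bounding it, an attacker-chosen count of 0xffffffff requests roughly 32 GiB on a 64-bit build (the memory-consumption denial of service), while on a 32-bit build the same multiplication wraps and the buffer ends up far smaller than the loop that fills it expects. The hardened variant bounds the count by the number of prompts the server actually sent and by an absolute cap before computing the size:

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Element size of the per-response pointer array, fixed at the LP64
 * pointer size (8) so the arithmetic below is the same on every host. */
#define ELEM_SIZE 8u
/* Hypothetical upper bound on keyboard-interactive responses per
 * exchange; an assumption for this example, not a proftpd constant. */
#define MAX_KBDINT_RESPONSES 16u
/* Sentinel returned by safe_alloc_size() when the message is rejected. */
#define REJECTED ((size_t)-1)

/* Constructed sample messages: only the leading 32-bit big-endian
 * response count of an SSH_MSG_USERAUTH_INFO_RESPONSE is included; the
 * length-prefixed strings that would follow do not affect the sizing. */
const unsigned char kGoodMsg[4] = {0x00, 0x00, 0x00, 0x02}; /* 2 responses */
const unsigned char kWrapMsg[4] = {0x20, 0x00, 0x00, 0x01}; /* 0x20000001 */
const unsigned char kHugeMsg[4] = {0xff, 0xff, 0xff, 0xff}; /* 0xffffffff */

static uint32_t read_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern on a 64-bit build: the product does not wrap, but
 * the wire count is trusted, so 0xffffffff * 8 bytes is handed to the
 * allocator. Returns the byte size that would be requested. */
uint64_t vuln_alloc_size_lp64(const unsigned char *msg) {
    uint32_t resp_count = read_u32_be(msg);
    return (uint64_t)resp_count * ELEM_SIZE;
}

/* Same pattern on a 32-bit build: the multiplication is done in 32 bits
 * and wraps, so a count of 0x20000001 yields an 8-byte allocation that a
 * per-response loop running 0x20000001 times would overrun. */
uint32_t vuln_alloc_size_ilp32(const unsigned char *msg) {
    uint32_t resp_count = read_u32_be(msg);
    return resp_count * (uint32_t)ELEM_SIZE; /* wraps silently */
}

/* Hardened variant: validate the count before it touches the allocator.
 * expected_count is the number of prompts the server sent in the
 * preceding SSH_MSG_USERAUTH_INFO_REQUEST. Returns the array size in
 * bytes, or REJECTED. */
size_t safe_alloc_size(const unsigned char *msg, uint32_t expected_count) {
    uint32_t resp_count = read_u32_be(msg);
    /* A client may only answer the prompts it was actually sent. */
    if (resp_count != expected_count)
        return REJECTED;
    /* Independent absolute cap, so a bookkeeping bug in the prompt count
     * cannot reopen the hole. */
    if (resp_count > MAX_KBDINT_RESPONSES)
        return REJECTED;
    /* Overflow-safe multiply. Redundant after the cap, but it states the
     * invariant the allocation relies on in the code itself. */
    if ((size_t)resp_count > SIZE_MAX / ELEM_SIZE)
        return REJECTED;
    return (size_t)resp_count * ELEM_SIZE;
}

int main(void) {
    printf("ILP32 product for count 0x%08" PRIx32 ": %" PRIu32 " bytes\n",
           read_u32_be(kWrapMsg), vuln_alloc_size_ilp32(kWrapMsg));
    printf("LP64 product for count 0x%08" PRIx32 ": %" PRIu64 " bytes\n",
           read_u32_be(kHugeMsg), vuln_alloc_size_lp64(kHugeMsg));
    printf("hardened, count 2 against 2 prompts: %zu bytes\n",
           safe_alloc_size(kGoodMsg, 2));
    printf("hardened, count 0x20000001 against 2 prompts: %s\n",
           safe_alloc_size(kWrapMsg, 2) == REJECTED ? "rejected" : "accepted");
    return 0;
}
```

The check against the number of prompts sent is the one that matches the protocol; the absolute cap is defence in depth, and the SIZE_MAX division is the generic guard to keep whenever an attacker-controlled count is multiplied into an allocation size.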
bugbot adjusting priority
created request id 202094 for network/proftpd
Request 202094 accepted and forwarded to openSUSE:Factory / proftpd (request 202095)
Created maintenance release request for 12.2, 12.3
This is an autogenerated message for OBS integration:
This bug (843444) was mentioned in
https://build.opensuse.org/request/show/202095 Factory / proftpd
https://build.opensuse.org/request/show/202096 12.2+12.3 / proftpd
Christian, I do not think the systemd changes done for Factory and 12.3 will work in 12.2. :/
I can of course accept the update and we will check, but it's unlikely.
How do you want to proceed?
Hmm, not really familiar with systemd. Can you check it?
I do not have a 12.2 system. I need to setup one first to check it.
Seems to work on my 12.2 / systemd... let's try.
openSUSE-SU-2013:1563-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 787884,811793,843444
CVE References: CVE-2013-4359
openSUSE 12.3 (src): proftpd-1.3.4d-4.4.5
openSUSE 12.2 (src): proftpd-1.3.4d-2.5.1