vsftpd security update

2011-03-1009:59:53

CentOS Project

lists.centos.org

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.29 Low

EPSS

Percentile

96.8%

JSON

CentOS Errata and Security Advisory CESA-2011:0337

vsftpd (Very Secure File Transfer Protocol (FTP) daemon) is a secure FTP
server for Linux, UNIX, and similar operating systems.

A flaw was discovered in the way vsftpd processed file name patterns. An
FTP user could use this flaw to cause the vsftpd process to use an
excessive amount of CPU time, when processing a request with a
specially-crafted file name pattern. (CVE-2011-0762)

All vsftpd users should upgrade to this updated package, which contains a
backported patch to correct this issue. The vsftpd daemon must be restarted
for this update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2011-April/079563.html
https://lists.centos.org/pipermail/centos-announce/2011-April/079564.html
https://lists.centos.org/pipermail/centos-announce/2011-March/079432.html
https://lists.centos.org/pipermail/centos-announce/2011-March/079433.html

Affected packages:
vsftpd

Upstream details at:
https://access.redhat.com/errata/RHSA-2011:0337

OSVersionArchitecturePackageVersionFilename
CentOS4x86_64vsftpd< 2.0.1-9.el4vsftpd-2.0.1-9.el4.x86_64.rpm
CentOS4i386vsftpd< 2.0.1-9.el4vsftpd-2.0.1-9.el4.i386.rpm
CentOS5i386vsftpd< 2.0.5-16.el5_6.1vsftpd-2.0.5-16.el5_6.1.i386.rpm
CentOS5x86_64vsftpd< 2.0.5-16.el5_6.1vsftpd-2.0.5-16.el5_6.1.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	4	x86_64	vsftpd	< 2.0.1-9.el4	vsftpd-2.0.1-9.el4.x86_64.rpm
CentOS	4	i386	vsftpd	< 2.0.1-9.el4	vsftpd-2.0.1-9.el4.i386.rpm
CentOS	5	i386	vsftpd	< 2.0.5-16.el5_6.1	vsftpd-2.0.5-16.el5_6.1.i386.rpm
CentOS	5	x86_64	vsftpd	< 2.0.5-16.el5_6.1	vsftpd-2.0.5-16.el5_6.1.x86_64.rpm