[SECURITY] [DLA 2123-1] pure-ftpd security update

2020-02-2800:01:17

lists.debian.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.013 Low

EPSS

Percentile

85.6%

JSON

Package : pure-ftpd
Version : 1.0.36-3.2+deb8u1
CVE ID : CVE-2020-9274
Debian Bug : 925666

An uninitialized pointer vulnerability was discovered in pure-ftpd, a
secure and efficient FTP server, which could result in an out-of-bounds
memory read and potential information disclosure.

For Debian 8 "Jessie", this problem has been fixed in version
1.0.36-3.2+deb8u1.

We recommend that you upgrade your pure-ftpd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian8armelpure-ftpd-ldap< 1.0.36-3.2+deb8u1pure-ftpd-ldap_1.0.36-3.2+deb8u1_armel.deb
Debian8armelpure-ftpd-postgresql< 1.0.36-3.2+deb8u1pure-ftpd-postgresql_1.0.36-3.2+deb8u1_armel.deb
Debian8armhfpure-ftpd-postgresql< 1.0.36-3.2+deb8u1pure-ftpd-postgresql_1.0.36-3.2+deb8u1_armhf.deb
Debian8allpure-ftpd< 1.0.36-3.2+deb8u1pure-ftpd_1.0.36-3.2+deb8u1_all.deb
Debian8i386pure-ftpd-mysql< 1.0.36-3.2+deb8u1pure-ftpd-mysql_1.0.36-3.2+deb8u1_i386.deb
Debian8armhfpure-ftpd-ldap< 1.0.36-3.2+deb8u1pure-ftpd-ldap_1.0.36-3.2+deb8u1_armhf.deb
Debian8amd64pure-ftpd-mysql< 1.0.36-3.2+deb8u1pure-ftpd-mysql_1.0.36-3.2+deb8u1_amd64.deb
Debian8amd64pure-ftpd-postgresql< 1.0.36-3.2+deb8u1pure-ftpd-postgresql_1.0.36-3.2+deb8u1_amd64.deb
Debian8armelpure-ftpd< 1.0.36-3.2+deb8u1pure-ftpd_1.0.36-3.2+deb8u1_armel.deb
Debian8armhfpure-ftpd< 1.0.36-3.2+deb8u1pure-ftpd_1.0.36-3.2+deb8u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armel	pure-ftpd-ldap	< 1.0.36-3.2+deb8u1	pure-ftpd-ldap_1.0.36-3.2+deb8u1_armel.deb
Debian	8	armel	pure-ftpd-postgresql	< 1.0.36-3.2+deb8u1	pure-ftpd-postgresql_1.0.36-3.2+deb8u1_armel.deb
Debian	8	armhf	pure-ftpd-postgresql	< 1.0.36-3.2+deb8u1	pure-ftpd-postgresql_1.0.36-3.2+deb8u1_armhf.deb
Debian	8	all	pure-ftpd	< 1.0.36-3.2+deb8u1	pure-ftpd_1.0.36-3.2+deb8u1_all.deb
Debian	8	i386	pure-ftpd-mysql	< 1.0.36-3.2+deb8u1	pure-ftpd-mysql_1.0.36-3.2+deb8u1_i386.deb
Debian	8	armhf	pure-ftpd-ldap	< 1.0.36-3.2+deb8u1	pure-ftpd-ldap_1.0.36-3.2+deb8u1_armhf.deb
Debian	8	amd64	pure-ftpd-mysql	< 1.0.36-3.2+deb8u1	pure-ftpd-mysql_1.0.36-3.2+deb8u1_amd64.deb
Debian	8	amd64	pure-ftpd-postgresql	< 1.0.36-3.2+deb8u1	pure-ftpd-postgresql_1.0.36-3.2+deb8u1_amd64.deb
Debian	8	armel	pure-ftpd	< 1.0.36-3.2+deb8u1	pure-ftpd_1.0.36-3.2+deb8u1_armel.deb
Debian	8	armhf	pure-ftpd	< 1.0.36-3.2+deb8u1	pure-ftpd_1.0.36-3.2+deb8u1_armhf.deb