Security update for pure-ftpd, pure-ftpd-debuginfo (important)

2011-09-08T22:08:20
ID SUSE-SU-2011:1028-1
Type suse
Reporter Suse
Modified 2011-09-08T22:08:20

Description

The OES Netware add-ons in pure-ftpd had a security problem and some bugs, which are fixed by this update.

A local attacker could overwrite local files when the OES remote server feature of pure-ftpd is enabled due to a directory traversal. (CVE-2011-3171)

Additionally the following bugs have been fixed:

  • bnc#699300 - FTP remote server navigation does not always succeed
  • bnc#685447 - pure-ftpd does not throw an error when the name resolution fails during remote server navigation
  • bnc#700335 - put files into NCP volumes fails
  • bnc#703035 - remote_server feature opens a vulnerability with directory traversal & file overwriting