Security update for pure-ftpd (important)

2011-09-08T23:08:14
ID SUSE-SU-2011:1029-1
Type suse
Reporter Suse
Modified 2011-09-08T23:08:14

Description

The OES Netware add-ons in pure-ftpd had a security problem and some bugs, which are fixed by this update.

A local attacker could overwrite local files when the OES remote server feature of pure-ftpd is enabled due to a directory traversal. ( CVE-2011-3171)

Additionally the following bugs have been fixed:

  • bnc#699300 - FTP remote server navigation does not always succeed
  • bnc#685447 - pure-ftpd does not throw an error when the name resolution fails during remote server navigation
  • bnc#700335 - put files into NCP volumes fails
  • bnc#703035 - remote_server feature opens a vulnerability with directory traversal & file overwriting