FreeBSD Local Security Checks : FreeBSD Ports: pure-ftpd

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.69765

Categoría: FreeBSD Local Security Checks

Título: FreeBSD Ports: pure-ftpd

Resumen: The remote host is missing an update to the system; as announced in the referenced advisory.

Descripción: Summary:
The remote host is missing an update to the system
as announced in the referenced advisory.

Vulnerability Insight:
The following package is affected: pure-ftpd

CVE-2011-0418
The glob implementation in Pure-FTPd before 1.0.32, and in libc in
NetBSD 5.1, does not properly expand expressions containing curly
brackets, which allows remote authenticated users to cause a denial of
service (memory consumption) via a crafted FTP STAT command.

CVE-2011-1575
The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30
does not properly restrict I/O buffering, which allows
man-in-the-middle attackers to insert commands into encrypted FTP
sessions by sending a cleartext command that is processed after TLS is
in place, related to a 'plaintext command injection' attack, a similar
issue to CVE-2011-0411.

Solution:
Update your system with the appropriate patches or
software upgrades.

CVSS Score:
5.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2011-0418
BugTraq ID: 47671
http://www.securityfocus.com/bid/47671
http://www.mandriva.com/security/advisories?name=MDVSA-2011:094
http://securityreason.com/securityalert/8228
http://securityreason.com/achievement_securityalert/97
http://www.vupen.com/english/advisories/2011/1273
Common Vulnerability Exposure (CVE) ID: CVE-2011-1575
http://lists.opensuse.org/opensuse-updates/2011-05/msg00029.html
http://openwall.com/lists/oss-security/2011/04/11/14
http://openwall.com/lists/oss-security/2011/04/11/7
http://openwall.com/lists/oss-security/2011/04/11/8
http://openwall.com/lists/oss-security/2011/04/11/3
http://archives.pureftpd.org/archives.cgi?100:mss:3906:201103:cpeojfkblajnpinkeadd
http://archives.pureftpd.org/archives.cgi?100:mss:3910:201103:cpeojfkblajnpinkeadd
http://secunia.com/advisories/43988
http://secunia.com/advisories/44548
SuSE Security Announcement: SUSE-SR:2011:009 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html

Copyright Copyright (C) 2011 E-Soft Inc.

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.69765
Categoría:	FreeBSD Local Security Checks
Título:	FreeBSD Ports: pure-ftpd
Resumen:	The remote host is missing an update to the system; as announced in the referenced advisory.
Descripción:	Summary: The remote host is missing an update to the system as announced in the referenced advisory. Vulnerability Insight: The following package is affected: pure-ftpd CVE-2011-0418 The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command. CVE-2011-1575 The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a 'plaintext command injection' attack, a similar issue to CVE-2011-0411. Solution: Update your system with the appropriate patches or software upgrades. CVSS Score: 5.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2011-0418 BugTraq ID: 47671 http://www.securityfocus.com/bid/47671 http://www.mandriva.com/security/advisories?name=MDVSA-2011:094 http://securityreason.com/securityalert/8228 http://securityreason.com/achievement_securityalert/97 http://www.vupen.com/english/advisories/2011/1273 Common Vulnerability Exposure (CVE) ID: CVE-2011-1575 http://lists.opensuse.org/opensuse-updates/2011-05/msg00029.html http://openwall.com/lists/oss-security/2011/04/11/14 http://openwall.com/lists/oss-security/2011/04/11/7 http://openwall.com/lists/oss-security/2011/04/11/8 http://openwall.com/lists/oss-security/2011/04/11/3 http://archives.pureftpd.org/archives.cgi?100:mss:3906:201103:cpeojfkblajnpinkeadd http://archives.pureftpd.org/archives.cgi?100:mss:3910:201103:cpeojfkblajnpinkeadd http://secunia.com/advisories/43988 http://secunia.com/advisories/44548 SuSE Security Announcement: SUSE-SR:2011:009 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
Copyright	Copyright (C) 2011 E-Soft Inc.