On Thursday, 2006-11-30 at 13:49:44 +0100, Stefan Fritsch wrote:

> Oh, that's bad. You don't have ftps enabled explicitly either?

No, just plain ftp.

> This probably means that there is at least some exploit to DoS sarge's
> 1.2.x.

As I said, the FTP access from "outside" is disabled now. So I can't test
without mod_delay, and can't check if this is distinct from the effect
described in 308313 and 301275. But I doubt that.

> >> There is a thread about this at
> >> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000972.html
> > CVE-2006-5815: "Buffer overflow in ProFTPD 1.3.0 and earlier, when
> > configured to use the CommandBufferSize directive ...". This directive
> > is not in the default Debian Config file, I believe, and it isn't in the
> > one on that machine.
> This description is wrong. There was some confusion about what
> CVE-2006-5815 is. It is really about a flaw in sreplace(). There is more
> info about this confusion later in the thread above, e.g.
> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000990.html
> or at
> http://bugs.proftpd.org/show_bug.cgi?id=2858
> The CommandBufferSize issue was fixed by DSA-1218-1.

CommandBufferSize isn't used, so it couldn't be that in any case.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear    |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it?                             |
| Rockhound in "Armageddon", 1998, about the Space Shuttle             |