;-(
> -----Original Message-----
> From: research@xxxxxxxx [mailto:research@xxxxxxxx]
> Sent: Tuesday, November 21, 2006 5:50 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities
>
> Hi,
>
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > _______________________________________________________________________
> >
> > Mandriva Linux Security Advisory                         MDKSA-2006:217
> > http://www.mandriva.com/security/
> >
> > _______________________________________________________________________
> >
> > Package : proftpd
> > Date : November 20, 2006
> > Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
> >
> > _______________________________________________________________________
> >
> > Problem Description:
> >
> > As disclosed by an exploit (vd_proftpd.pm) and a related vendor bugfix,
> > a Denial of Service (DoS) vulnerability exists in the FTP server
> > ProFTPD, up to and including version 1.3.0. The flaw is due to both a
> > potential bus error and a definitive buffer overflow in the code which
> > determines the FTP command buffer size limit. The vulnerability can be
> > exploited only if the "CommandBufferSize" directive is explicitly used
> > in the server configuration, which is not the case in the default
> > configuration of ProFTPD.
>
> Just a little note - I am not sure where it came from, but the
> vd_proftpd.pm exploit is not related to the "CommandBufferSize" bug.
>
> Regards,
> -evgeny
>
>