Wind River Support Network

Recommended Type: Patch

Vsftpd - security advisory - CVE-2008-2375

Released: Jul 16, 2008     Updated: Jul 16, 2008


Versions of vsftpd prior to 2.0.5 have a memory leak on an invalid authentication attempt when used in combination with PAM. Since upstream vsftpd prior to 2.0.5 allows any number of invalid attempts on the same connection, this memory leak could lead to an eventual DoS.

Upstream vsftpd 2.0.5 changed its behaviour so that 3 (configurable) invalid password attempts close the connection (which also makes brute-force attacks easier to detect), and this therefore also stops any memory leak from leading to a DoS. The backported patch is below:

IDENTIFIER = WIND00127097
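To check whether a running server enforces the three-attempt limit described above, the following added example (not part of the advisory and not the backported patch) counts failed logins per session in vsftpd's log. The log line shape, the one-pid-per-connection mapping and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Assumed line shape of vsftpd's own log format (not xferlog):
#   Wed Jul 16 10:02:12 2008 [pid 4121] [alice] FAIL LOGIN: Client "192.0.2.10"
FAIL_RE = re.compile(
    r'\[pid (?P<pid>\d+)\] \[[^\]]*\] FAIL LOGIN: Client "(?P<client>[^"]+)"'
)
MAX_LOGIN_FAILS = 3  # limit stated in the advisory (configurable upstream)


def sessions_over_limit(lines, limit=MAX_LOGIN_FAILS):
    """Return {(pid, client): failures} for sessions that exceed the limit.

    Assumption: one logged pid corresponds to one FTP control connection, so
    more than `limit` failures under one pid means the server did not close
    the connection. Pids can be reused over time, so run this over a short
    log window rather than months of history.
    """
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[(int(m.group("pid")), m.group("client"))] += 1
    return {key: n for key, n in counts.items() if n > limit}


# Constructed sample log lines (documentation addresses, not real data).
SAMPLE_LOG = """\
Wed Jul 16 10:02:12 2008 [pid 4121] [alice] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 16 10:02:14 2008 [pid 4121] [alice] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 16 10:02:16 2008 [pid 4121] [admin] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 16 10:02:18 2008 [pid 4121] [admin] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 16 10:02:20 2008 [pid 4121] [root] FAIL LOGIN: Client "192.0.2.10"
Wed Jul 16 10:05:01 2008 [pid 4130] [bob] FAIL LOGIN: Client "198.51.100.7"
Wed Jul 16 10:05:09 2008 [pid 4130] [bob] FAIL LOGIN: Client "198.51.100.7"
Wed Jul 16 10:05:15 2008 [pid 4130] [bob] OK LOGIN: Client "198.51.100.7"
Wed Jul 16 10:09:30 2008 [pid 4140] [carol] FAIL LOGIN: Client "203.0.113.5"
Wed Jul 16 10:09:33 2008 [pid 4140] [carol] FAIL LOGIN: Client "203.0.113.5"
Wed Jul 16 10:09:36 2008 [pid 4140] [carol] FAIL LOGIN: Client "203.0.113.5"
""".splitlines()

if __name__ == "__main__":
    for (pid, client), n in sorted(sessions_over_limit(SAMPLE_LOG).items()):
        print(f"pid {pid} client {client}: {n} failed logins on one connection")
```

On a patched build no session should be reported, because the connection is closed once the limit is reached.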

Product Version

Linux Platforms 2.0, Linux Platforms 1.x


Installation Notes

Installation Notes for 1.4, 1.5 and 2.0

1. Unzip the patch under [install_dir]/updates

2. Install the patch CD by entering the patch CD directory and running setup_linux.

3. This is a source-only patch, so you will have to build the kernel.

4. Issue a make fs and make the kernel in a configured directory.

5. Upload the kernel and rootfs into the target and boot it up.
