Wind River Support Network

Recommended Type: Patch

Vsftpd - security advisory - CVE-2008-2375

Released: Jul 16, 2008     Updated: Jul 16, 2008

Description

Versions of vsftpd before 2.0.5 leak memory on an invalid authentication attempt when used in combination with PAM. Since upstream vsftpd prior to 2.0.5 allows any number of invalid attempts on the same connection, this memory leak could lead to an eventual DoS.

Upstream vsftpd 2.0.5 changed its behaviour so that 3 (configurable) invalid password attempts close the connection (which also makes brute-force attacks and similar activity easier to detect), and this therefore also stops any memory leak from leading to a DoS. The backported patch is below:

https://bugzilla.redhat.com/attachment.cgi?id=201051

IDENTIFIER = WIND00127097
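
As an added example (not part of the advisory or the backported patch), this Python check flags vsftpd sessions whose failed-login count exceeds the 3-attempt limit described above; a server with the 2.0.5 behaviour should never produce such a session. It assumes vsftpd's native log format with `[pid N]` and `FAIL LOGIN` entries, and the sample log is constructed.

```python
import re
from collections import Counter

# vsftpd native log line, e.g.:
# Mon Jul 14 10:12:02 2008 [pid 2345] [alice] FAIL LOGIN: Client "192.0.2.10"
FAIL_RE = re.compile(r'\[pid (\d+)\] \[([^\]]*)\] FAIL LOGIN: Client "([^"]+)"')

MAX_LOGIN_FAILS = 3  # per-connection limit described in the advisory


def sessions_over_limit(lines, limit=MAX_LOGIN_FAILS):
    """Return {(pid, client): failures} for sessions exceeding the limit.

    Assumption: all FAIL LOGIN lines of one connection carry the same pid,
    and pids are not reused within the log window being examined.
    """
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            pid, _user, client = m.groups()
            counts[(int(pid), client)] += 1
    return {key: n for key, n in counts.items() if n > limit}


# Constructed sample log (documentation addresses, not real data).
SAMPLE_LOG = """\
Mon Jul 14 10:12:01 2008 [pid 2345] CONNECT: Client "192.0.2.10"
Mon Jul 14 10:12:02 2008 [pid 2345] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jul 14 10:12:04 2008 [pid 2345] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jul 14 10:12:06 2008 [pid 2345] [root] FAIL LOGIN: Client "192.0.2.10"
Mon Jul 14 10:12:08 2008 [pid 2345] [admin] FAIL LOGIN: Client "192.0.2.10"
Mon Jul 14 10:12:10 2008 [pid 2345] [admin] FAIL LOGIN: Client "192.0.2.10"
Mon Jul 14 10:15:00 2008 [pid 2400] CONNECT: Client "198.51.100.7"
Mon Jul 14 10:15:03 2008 [pid 2400] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Jul 14 10:15:09 2008 [pid 2400] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Jul 14 10:15:15 2008 [pid 2400] [bob] OK LOGIN: Client "198.51.100.7"
"""

if __name__ == "__main__":
    for (pid, client), n in sessions_over_limit(SAMPLE_LOG.splitlines()).items():
        print(f"pid {pid} client {client}: {n} failed logins on one connection")
```

Any session reported here indicates a server that still accepts unlimited attempts per connection, which is the condition that lets the leak accumulate.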


Product Version

Linux Platforms 2.0, Linux Platforms 1.x

Downloads


Installation Notes

WIND00127275.zip for 1.4
WIND00127276.zip for 1.5
WIND00127099.zip for 2.0

1. Unzip the patch under [install_dir]/updates

2. Install the patch CD by entering the patch CD directory and running setup_linux.

3. This is a source-only patch, so you will have to build the kernel.

4. Issue a make fs and make the kernel in a configured directory.

5. Upload the kernel and rootfs into the target and boot it up.

