Versions of vsftpd prior to 2.0.5 have a memory leak on an invalid authentication attempt when used in combination with PAM. Since upstream vsftpd prior to 2.0.5 allows any number of invalid attempts on the same connection, this memory leak could lead to an eventual DoS.
Upstream vsftpd 2.0.5 changed its behaviour so that 3 (configurable) invalid password attempts close the connection (which also allows easier detection of brute-forcing attacks etc.), and this therefore also stops the memory leak from leading to a DoS. The backported patch is below:
https://bugzilla.redhat.com/attachment.cgi?id=201051
IDENTIFIER = WIND00127097
WIND00127275.zip for 1.4
WIND00127276.zip for 1.5
WIND00127099.zip for 2.0
1. Unzip the patch under [install_dir]/updates.
2. Install the patch CD by entering the patch CD directory and running setup_linux.
3. This is a source-only patch, so you will have to rebuild the kernel.
4. Issue a make fs and make the kernel in a configured directory.
5. Upload the kernel and rootfs to the target and boot it up.
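The following is an added example, not part of this advisory and not code from vsftpd or Wind River. It shows how a defender can verify, from vsftpd's own log, that the per-connection limit on failed logins described above is actually being enforced: a single session (one [pid ...]) with more than the limit (3 by default) of FAIL LOGIN entries indicates a server that still accepts unlimited attempts on one connection. It also aggregates failures per client address across sessions, which is the signal to watch once the fix forces an attacker to reconnect after every few attempts. The sample log lines are constructed and only approximate vsftpd's own log format (the vsftpd_log_file style, not xferlog); the line layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of vsftpd's own log file.
# These are not taken from any real system.
SAMPLE_LOG = """\
Mon Jan 14 10:23:00 2008 [pid 2345] CONNECT: Client "192.0.2.10"
Mon Jan 14 10:23:01 2008 [pid 2345] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jan 14 10:23:02 2008 [pid 2345] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jan 14 10:23:03 2008 [pid 2345] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jan 14 10:23:04 2008 [pid 2345] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jan 14 10:23:05 2008 [pid 2345] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jan 14 10:24:00 2008 [pid 2350] CONNECT: Client "192.0.2.20"
Mon Jan 14 10:24:01 2008 [pid 2350] [bob] FAIL LOGIN: Client "192.0.2.20"
Mon Jan 14 10:24:05 2008 [pid 2350] [bob] OK LOGIN: Client "192.0.2.20"
Mon Jan 14 10:25:00 2008 [pid 2360] CONNECT: Client "192.0.2.10"
Mon Jan 14 10:25:01 2008 [pid 2360] [carol] FAIL LOGIN: Client "192.0.2.10"
"""

# Assumed line layout: "<timestamp> [pid N] [<user>] <EVENT>: Client "<addr>""
# where the [<user>] field is absent on CONNECT lines.
LINE_RE = re.compile(
    r'^(?P<ts>.+?) \[pid (?P<pid>\d+)\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>CONNECT|FAIL LOGIN|OK LOGIN): Client "(?P<client>[^"]+)"\s*$'
)


def parse_line(line):
    """Return a dict with pid, user, event and client, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failures_per_session(log_text):
    """Map each session (vsftpd child pid) to (client address, number of FAIL LOGIN lines).

    One pid corresponds to one control connection, so this count is exactly the
    number of invalid attempts the server accepted on that single connection.
    """
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, count = sessions.get(rec["pid"], (rec["client"], 0))
        if rec["event"] == "FAIL LOGIN":
            count += 1
        sessions[rec["pid"]] = (client, count)
    return sessions


def sessions_over_limit(log_text, max_login_fails=3):
    """Sessions that saw more failed logins than the limit.

    A fixed vsftpd closes the connection once max_login_fails is reached, so a
    session exceeding it shows the per-connection limit is not being enforced.
    """
    return [
        (pid, client, count)
        for pid, (client, count) in sorted(failures_per_session(log_text).items())
        if count > max_login_fails
    ]


def failures_per_client(log_text):
    """Total FAIL LOGIN lines per client address across all sessions.

    After the fix an attacker must reconnect every few attempts, so brute forcing
    shows up here as many short sessions from the same address.
    """
    totals = defaultdict(int)
    for client, count in failures_per_session(log_text).values():
        totals[client] += count
    return dict(totals)


if __name__ == "__main__":
    for pid, client, count in sessions_over_limit(SAMPLE_LOG):
        print(f"session pid={pid} from {client}: {count} failed logins on one connection")
    for client, total in sorted(failures_per_client(SAMPLE_LOG).items()):
        print(f"client {client}: {total} failed logins in total")
```

Run against a real vsftpd log, any session reported by sessions_over_limit on a host that should already carry this patch is worth investigating, since the limit is precisely what stops the leak from being driven to a DoS on one connection.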