[24843] in bugtraq
DoS in debian (potato) proftpd
daemon@ATHENA.MIT.EDU (Joe Dollard)
Tue Mar 26 18:31:27 2002
Date: Tue, 26 Mar 2002 07:14:31 +1100
To: bugtraq@securityfocus.com
Message-ID: <20020326071431.A17363@devel.livenote.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
From: Joe Dollard <joed@devel.livenote.com>
Hi guys,
The version of proftp that is in debian potato (1.2.0pre10 as reported by running 'proftpd -v ') is vulnerable to a glob DoS attack, as discovered on the 15th March 2001. You can verify this bug by logging in to a server running debian stable's proftpd and type "ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*". This results with 100% of the CPU and memory resources being consumed (more info at http://proftpd.linux.co.uk/critbugs.html),
A temporary workaround for this issue is to add DenyFilter \*.*/ into your proftp configuration file.
I notifed security@debian.org on the 12th of February (2002) about this problem and a discussion was entered into but no resolution occurred. I contacted security@debian.org again on the 21st of FEbruary and didn't receive a reply. After posting to vuln-dev@securityfocus.com on the 1st of March, I was told on the 7th of March that the package maintainer was working on a fix. Now, over a year after the bug has been discovered, and over 5 weeks since I first contacted debian about it, no fix is in place in debian potato. Hopefully posting here will speed things up a bit.
Regards,
Joe Dollard
