USN-1098-1: vsftpd vulnerability

29 March 2011

vsftpd vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.10
  • Ubuntu 10.04 LTS
  • Ubuntu 9.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Summary

An attacker could send crafted input to vsftpd and cause it to crash.

Software Description

  • vsftpd - lightweight, efficient FTP server written for security

Details

It was discovered that vsftpd incorrectly handled certain glob expressions. A remote authenticated user could use a crafted glob expression to cause vftpd to consume all resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10
vsftpd - 2.3.0~pre2-4ubuntu2.2
Ubuntu 10.04 LTS
vsftpd - 2.2.2-3ubuntu6.1
Ubuntu 9.10
vsftpd - 2.2.0-1ubuntu2.1
Ubuntu 8.04 LTS
vsftpd - 2.0.6-1ubuntu1.2
Ubuntu 6.06 LTS
vsftpd - 2.0.4-0ubuntu4.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References