Pure-FTPd: Potential DoS when maximum connections is reached — GLSA 200407-04

Pure-FTPd contains a bug potentially allowing a Denial of Service attack when the maximum number of connections is reached.

Affected packages

Package: net-ftp/pure-ftpd on all architectures
Affected versions: <= 1.0.18
Unaffected versions: >= 1.0.18-r1

Background

Pure-FTPd is a fast, production-quality and standards-compliant FTP server.

Description

Pure-FTPd contains a bug in the accept_client function handling the setup of new connections.

Impact

When the maximum number of connections is reached an attacker could exploit this vulnerability to perform a Denial of Service attack.

Workaround

There is no known workaround at this time. All users are encouraged to upgrade to the latest available version.

Resolution

All Pure-FTPd users should upgrade to the latest stable version:

    # emerge sync
    # emerge -pv ">=net-ftp/pure-ftpd-1.0.18-r1"
    # emerge ">=net-ftp/pure-ftpd-1.0.18-r1"

References

Pure-FTPd website
CVE-2004-0656