FEDORA-EPEL-2015-0ec0c87b3a created by pghmcfc 5 years ago for Fedora EPEL 7
stable

Part of the SFTP handshake involves "extensions", which are key/value pairs composed of strings. In SSH, strings are encoded for network transport as a 32-bit length followed by the bytes. The mod_sftp module currently places no bounds or length limits on the SFTP extension key/value data it reads from the network. An attacker might encode large values so that more memory is allocated than is necessary, causing excessive resource usage or a crash of the FTP daemon.

This update limits the amount of memory allocated to handle these extensions.
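
A bounded reader for the string encoding described above, as an added example in C (not ProFTPD's patch or code). `EXT_MAX_LEN`, the function names and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_MAX_LEN 1024u /* assumed cap for this example, not ProFTPD's value */

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[]    = {0,0,0,3,'x','@','y', 0,0,0,1,'1'};
static const uint8_t SAMPLE_HUGE[]  = {0xff,0xff,0xff,0xff,'x'};
static const uint8_t SAMPLE_SHORT[] = {0,0,0,8,'x'};

/* Read one SSH string: big-endian 32-bit length, then that many bytes.
 * The declared length is checked against the cap and against the bytes
 * actually remaining before the payload is touched or anything is sized. */
static int read_ssh_string(const uint8_t **p, size_t *left,
                           const uint8_t **out, uint32_t *out_len)
{
    if (*left < 4)
        return -1;                          /* truncated length field */
    uint32_t len = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
                   ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4; *left -= 4;
    if (len > EXT_MAX_LEN)
        return -2;                          /* declared length over the cap */
    if (len > *left)
        return -1;                          /* declared length exceeds data */
    *out = *p; *out_len = len;
    *p += len; *left -= len;
    return 0;
}

/* Walk a block of extension key/value pairs.
 * Returns the number of pairs, or a negative code on the first bad string. */
int count_sftp_extensions(const uint8_t *buf, size_t n)
{
    int pairs = 0;
    while (n > 0) {
        const uint8_t *key, *val;
        uint32_t key_len, val_len;
        int rc = read_ssh_string(&buf, &n, &key, &key_len);
        if (rc == 0)
            rc = read_ssh_string(&buf, &n, &val, &val_len);
        if (rc != 0)
            return rc;
        pairs++;
    }
    return pairs;
}

int main(void)
{
    printf("%d\n", count_sftp_extensions(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    return 0;
}
```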

This update has been submitted for testing by pghmcfc.

5 years ago

This update has been pushed to testing.

5 years ago

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes.

5 years ago

This update has been submitted for stable by pghmcfc.

5 years ago

This update has been pushed to stable.

5 years ago


Metadata
Type: security
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 5 years ago
in testing: 5 years ago
in stable: 5 years ago
BZ#1286977 proftpd: unbounded SFTP extended attribute key/values
BZ#1286979 proftpd: unbounded SFTP extended attribute key/values [epel-all]