Executive Summary

Summary
Title vsftpd vulnerability
Informations
NameUSN-1288-1First vendor Publication2011-12-07
VendorUbuntuLast vendor Modification2011-12-07
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score7.8Attack RangeNetwork
Cvss Impact Score6.9Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Vsftpd or other applications could be made to crash if vsftpd received
specially crafted network traffic.

Software Description:
- vsftpd: FTP server written for security

Details:

It was discovered that the 2.6.35 and earlier Linux kernel does not
properly handle a high rate of creation and cleanup of network namespaces,
which makes it easier for remote attackers to cause a denial of service
(memory consumption) in applications that require a separate namespace per
connection, like vsftpd. This update adjusts vsftpd to only use network
namespaces on kernels that are known to be not affected.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
vsftpd 2.3.2-3ubuntu5.1

Ubuntu 11.04:
vsftpd 2.3.2-3ubuntu4.1

Ubuntu 10.10:
vsftpd 2.3.0~pre2-4ubuntu2.3

Ubuntu 10.04 LTS:
vsftpd 2.2.2-3ubuntu6.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1288-1
CVE-2011-2189

Package Information:
https://launchpad.net/ubuntu/+source/vsftpd/2.3.2-3ubuntu5.1
https://launchpad.net/ubuntu/+source/vsftpd/2.3.2-3ubuntu4.1
https://launchpad.net/ubuntu/+source/vsftpd/2.3.0~pre2-4ubuntu2.3
https://launchpad.net/ubuntu/+source/vsftpd/2.2.2-3ubuntu6.3


Original Source

Url : http://www.ubuntu.com/usn/USN-1288-1

CWE : Common Weakness Enumeration

idName
CWE-399Resource Management Errors

CPE : Common Platform Enumeration

TypeDescriptionCount
Os539

OpenVAS Exploits

DateDescription
2011-12-09Name : Ubuntu Update for vsftpd USN-1288-1
File : nvt/gb_ubuntu_USN_1288_1.nasl
2011-10-16Name : Debian Security Advisory DSA 2305-1 (vsftpd)
File : nvt/deb_2305_1.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
76805Linux Kernel net/core/net_namespace.c Network Namespace Cleanup Weakness Remo...

Nessus® Vulnerability Scanner

DateDescription
2011-12-07Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1288-1.nasl - Type : ACT_GATHER_INFO
2011-09-20Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2305.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:59:22
  • Multiple Updates