| Field | Value |
| --- | --- |
| VID | 16069 |
| Severity | 30 |
| Port | 21 |
| Protocol | TCP |
| Class | FTP |
| Detailed Description | A version of oftpd 0.3.6 or older has been detected as running on the host. oftpd is a freely available FTP server for Unix and Linux operating systems. oftpd versions 0.3.6 and older are vulnerable to a denial of service attack. When an affected FTP server receives a PORT command containing a field value higher than 255, the server crashes and has to be restarted manually. The PORT command is accepted even before the user has supplied a username and a password. |
| References | http://www.time-travellers.org/oftpd/oftpd-dos.html ; http://secunia.com/advisories/11220/ |
| Platforms Affected | Shane Kerr, oftpd 0.3.6 or older; Debian Linux 3.0; Gentoo Technologies, Inc., Gentoo Linux, any version; Linux, any version; Unix, any version |
| Recommendation | Upgrade to the latest version of oftpd (0.3.7 or later), available from the oftpd Web page at http://www.time-travellers.org/oftpd/ |
| | For Debian GNU/Linux 3.0 (woody): upgrade to the latest version of oftpd (0.3.6-6 or later), as listed in Debian Security Advisory DSA-473-1 at http://www.debian.org/security/2004/dsa-473 |
| | For Gentoo Linux: upgrade to the latest version of oftpd (0.3.7 or later), as listed in Gentoo Linux Security Advisory GLSA 200403-08 at http://www.linuxsecurity.com/advisories/gentoo_advisory-4166.html |
| | For other distributions: contact your vendor for upgrade or patch information. |
| Related URL | CVE-2004-0376 (CVE) |
| Related URL | 9980 (SecurityFocus) |
| Related URL | 15622 (ISS) |
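The two defects the description names, a PORT field above 255 being accepted and PORT being processed before authentication, are both input-validation problems in the command handler. The following C block is an added illustration written for this page; it is not oftpd's code and does not reproduce its parser. It shows a strict parser for the RFC 959 `h1,h2,h3,h4,p1,p2` argument that rejects any field outside 0..255 (or otherwise malformed) instead of proceeding, and a command handler that refuses PORT until the session is logged in. The function names `parse_port_arg`, `port_arg_port` and `port_command_reply` and the sample inputs are assumptions constructed for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Result of parsing an FTP PORT argument of the form h1,h2,h3,h4,p1,p2
 * (RFC 959): four address octets and a 16-bit port built from p1 and p2. */
typedef struct {
    unsigned char ip[4];
    unsigned short port;
} port_addr_t;

/* Strict parser (hypothetical hardened routine, not oftpd's own code).
 * Returns 0 and fills *out on success, -1 on any malformed input. Each of
 * the six fields must be 1-3 decimal digits with a value in 0..255, fields
 * must be separated by single commas, and nothing may follow the last one.
 * Rejecting a field above 255 is the check the advisory's bug lacked. */
int parse_port_arg(const char *arg, port_addr_t *out)
{
    unsigned long fields[6];
    const char *p = arg;

    for (int i = 0; i < 6; i++) {
        char *end;
        if (!isdigit((unsigned char)*p))
            return -1;                    /* empty field, sign, or garbage */
        errno = 0;
        unsigned long v = strtoul(p, &end, 10);
        if (errno != 0 || v > 255 || end - p > 3)
            return -1;                    /* out of range or over-long field */
        fields[i] = v;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return -1;                /* too few fields or bad separator */
            p++;
        }
    }
    if (*p != '\0')
        return -1;                        /* trailing characters, e.g. extra fields */

    for (int i = 0; i < 4; i++)
        out->ip[i] = (unsigned char)fields[i];
    out->port = (unsigned short)((fields[4] << 8) | fields[5]);
    return 0;
}

/* Convenience wrapper: the parsed port number, or -1 if the argument is rejected. */
int port_arg_port(const char *arg)
{
    port_addr_t a;
    return parse_port_arg(arg, &a) == 0 ? (int)a.port : -1;
}

/* Server-side handling of a PORT command, returning the FTP reply code the
 * server would send. The login gate addresses the advisory's second point:
 * PORT must not be processed before the client has authenticated. */
int port_command_reply(int logged_in, const char *arg, port_addr_t *out)
{
    port_addr_t tmp;
    if (!logged_in)
        return 530;                       /* "Not logged in" */
    if (parse_port_arg(arg, &tmp) != 0)
        return 501;                       /* "Syntax error in parameters" */
    if (out)
        *out = tmp;
    return 200;                           /* "Command okay" */
}

int main(void)
{
    /* Constructed sample inputs: a well-formed argument and one whose fifth
     * field (999) exceeds 255, the shape of input the advisory describes. */
    const char *inputs[] = { "192,168,1,10,4,1", "192,168,1,10,999,1" };
    for (int i = 0; i < 2; i++) {
        port_addr_t a;
        int code = port_command_reply(1, inputs[i], &a);
        if (code == 200)
            printf("%s -> %d (%u.%u.%u.%u:%u)\n", inputs[i], code,
                   a.ip[0], a.ip[1], a.ip[2], a.ip[3], a.port);
        else
            printf("%s -> %d rejected\n", inputs[i], code);
    }
    printf("PORT before login -> %d\n", port_command_reply(0, inputs[0], NULL));
    return 0;
}
```

The parser deliberately returns a reply code rather than terminating or leaving partially written state: a malformed PORT from an unauthenticated or authenticated client should cost the server one 501 reply, not a restart.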