Security Advisory Moderate: vsftpd security update

Advisory: RHSA-2008:0579-2
Type: Security Advisory
Severity: Moderate
Issued on: 2008-07-24
Last updated on: 2008-07-24
Affected Products: Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
OVAL: com.redhat.rhsa-20080579.xml
CVEs (cve.mitre.org): CVE-2008-2375

Details

An updated vsftpd package that fixes a security issue is now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

vsftpd (Very Secure File Transfer Protocol (FTP) daemon) is a secure FTP
server for Linux and Unix-like systems.

The version of vsftpd as shipped in Red Hat Enterprise Linux 3, when used in
combination with Pluggable Authentication Modules (PAM), had a memory leak
on an invalid authentication attempt. Since vsftpd prior to version 2.0.5
allows any number of invalid attempts on the same connection, this memory
leak could lead to an eventual DoS. (CVE-2008-2375)

This update mitigates this security issue by including a backported patch
which terminates a session after a given number of failed login attempts.
The default number of attempts is 3, and this can be configured using the
"max_login_fails" directive.
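One way to confirm from the server's own log that the limit described above is in effect is to look for sessions that recorded more failed logins than max_login_fails allows. This is an added example and not part of the advisory or of vsftpd; it assumes vsftpd's own log format (xferlog_std_format=NO), in which every line carries a "[pid N]" tag and a failed login reads "FAIL LOGIN", and it uses the pid as the session identifier because vsftpd forks one child per connection. The log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: list vsftpd sessions whose number of
# failed logins exceeds max_login_fails. With the update applied and the
# default of 3, no session should ever reach 4, so any hit points at a host
# still showing the unpatched behaviour described in CVE-2008-2375.
#
# Assumptions: vsftpd's own log format (xferlog_std_format=NO), where every
# line carries "[pid N]" and a failed login reads "FAIL LOGIN"; the pid is
# used as the session id because vsftpd forks one child per connection.

# Constructed sample log: pid 4101 logs in cleanly, pid 4102 fails five
# times on one connection, pid 4103 fails twice and then succeeds.
SAMPLE_LOG='Thu Jul 24 10:00:01 2008 [pid 4101] CONNECT: Client "192.0.2.10"
Thu Jul 24 10:00:02 2008 [pid 4101] [alice] OK LOGIN: Client "192.0.2.10"
Thu Jul 24 10:00:05 2008 [pid 4102] CONNECT: Client "192.0.2.20"
Thu Jul 24 10:00:06 2008 [pid 4102] [bob] FAIL LOGIN: Client "192.0.2.20"
Thu Jul 24 10:00:07 2008 [pid 4102] [bob] FAIL LOGIN: Client "192.0.2.20"
Thu Jul 24 10:00:08 2008 [pid 4102] [bob] FAIL LOGIN: Client "192.0.2.20"
Thu Jul 24 10:00:09 2008 [pid 4102] [bob] FAIL LOGIN: Client "192.0.2.20"
Thu Jul 24 10:00:10 2008 [pid 4102] [bob] FAIL LOGIN: Client "192.0.2.20"
Thu Jul 24 10:00:12 2008 [pid 4103] CONNECT: Client "192.0.2.30"
Thu Jul 24 10:00:13 2008 [pid 4103] [carol] FAIL LOGIN: Client "192.0.2.30"
Thu Jul 24 10:00:14 2008 [pid 4103] [carol] FAIL LOGIN: Client "192.0.2.30"
Thu Jul 24 10:00:15 2008 [pid 4103] [carol] OK LOGIN: Client "192.0.2.30"'

# Read a vsftpd log on stdin; print "pid failures client" for each session
# with more than $1 failed logins, lowest pid first.
over_limit_sessions() {
  awk -v max="$1" '
    /FAIL LOGIN/ && match($0, /\[pid [0-9]+\]/) {
      pid = substr($0, RSTART + 5, RLENGTH - 6)   # digits between "[pid " and "]"
      fails[pid]++
      if (match($0, /Client "[^"]*"/))
        client[pid] = substr($0, RSTART + 8, RLENGTH - 9)   # text between the quotes
    }
    END { for (p in fails) if (fails[p] > max) print p, fails[p], client[p] }
  ' | sort -n
}

# Default max_login_fails is 3; pass the value set in vsftpd.conf if changed.
printf '%s\n' "$SAMPLE_LOG" | over_limit_sessions 3
```

On a live host, replace the constructed sample with the real log, for example: over_limit_sessions 3 < /var/log/vsftpd.log.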

All vsftpd users should upgrade to this updated package, which addresses
this vulnerability.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Enterprise Linux AS (v. 3)

SRPMS:
vsftpd-1.2.1-3E.16.src.rpm     dbc9b027484630271ea8de3a10c7df2c
 
IA-32:
vsftpd-1.2.1-3E.16.i386.rpm     39bd4bfafa751bd53c7a005fe0772ef5
 
IA-64:
vsftpd-1.2.1-3E.16.ia64.rpm     85b48274a85bf1490d7aabe6832fc21d
 
PPC:
vsftpd-1.2.1-3E.16.ppc.rpm     83188fdbba1cb46ba5b4c84abb8e8696
 
s390:
vsftpd-1.2.1-3E.16.s390.rpm     bb91dbac822bee27233397ea852477e6
 
s390x:
vsftpd-1.2.1-3E.16.s390x.rpm     29c7ef1a1b35282d83ea2a44bd39f2a6
 
x86_64:
vsftpd-1.2.1-3E.16.x86_64.rpm     72ba8fe873db9bb8644e46b7a3858663
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
vsftpd-1.2.1-3E.16.src.rpm     dbc9b027484630271ea8de3a10c7df2c
 
IA-32:
vsftpd-1.2.1-3E.16.i386.rpm     39bd4bfafa751bd53c7a005fe0772ef5
 
IA-64:
vsftpd-1.2.1-3E.16.ia64.rpm     85b48274a85bf1490d7aabe6832fc21d
 
x86_64:
vsftpd-1.2.1-3E.16.x86_64.rpm     72ba8fe873db9bb8644e46b7a3858663
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

453376 - CVE-2008-2375 older vsftpd authentication memory leak

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/