Date: Tue, 3 Feb 2015 15:23:37 +0100 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Cc: scarybeasts@...il.com Subject: Re: vsftpd problem in deny_hosts On Tue, Feb 03, 2015 at 12:45:24PM +0300, Solar Designer wrote: > On Tue, Feb 03, 2015 at 09:28:36AM +0100, Marcus Meissner wrote: > > IBM reported to us a problem in vsftpd deny_hosts problem. > > > > CVE-2015-1419 > > > > https://bugzilla.novell.com/show_bug.cgi?id=915522 > > > > Description; > > Set the option "deny_file" in /etc/vsftpd.conf on a top-directory (for example "deny_file=/home/*") > > Then log in with ftp and try to cd to "/home/" first, which will fail, then try to cd to "/./home/" which will succeed! > > The latter case shouldn't be possible as well! > > What does upstream say about this? (CC'ing.) Due to internal communication troubles we had not contacted upstream. Sorry for that. :( Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ