Date: Mon, 11 May 2020 14:28:56 -0700 From: Brennan Ashton <btashton@...che.org> To: oss-security@...ts.openwall.com Subject: [CVE-2020-1939] Apache NuttX optional/example ftpd program NULL pointer bug CVE-2020-1939: Apache NuttX optional/example ftpd program NULL pointer bug Severity: Important Vendor: Apache NuttX (Incubating) Versions Affected: 6.15 to 8.2 (all pre-date NuttX joining the Apache.org Incubator) Description: The Apache NuttX (Incubating) project provides an optional separate "apps" repository which contains various optional components and example programs. One of these, ftpd, had a NULL pointer dereference bug. The NuttX RTOS itself is not affected. Users of the optional apps repository are affected only if they have enabled ftpd. Mitigation: Users of affected versions should upgrade to 9.0.0 or apply the following patch: https://patch-diff.githubusercontent.com/raw/apache/incubator-nuttx-apps/pull/10.patch Credit: This issue was discovered by Jakub Botwicz of Samsung R&D Poland. References: https://bitbucket.org/nuttx/apps-old/issues/15/null-dereference-in-ftp-size-command https://github.com/apache/incubator-nuttx-apps/pull/10 Regards, Brennan Ashton
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.