[Buildroot] [PATCH v2, 1/1] package/pure-ftpd: fix CVE-2021-40524

Peter Korsgaard peter at korsgaard.com
Sun Nov 28 13:37:57 UTC 2021


>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:

 > In Pure-FTPd 1.0.49, an incorrect max_filesize quota mechanism in the
 > server allows attackers to upload files of unbounded size, which may
 > lead to denial of service or a server hang. This occurs because a
 > certain greater-than-zero test does not anticipate an initial -1 value.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
 > ---
 > Changes v1 -> v2:
 >  - Add PURE_FTPD_IGNORE_CVES entry

Committed, thanks.

-- 
Bye, Peter Korsgaard

