Name | CVE-2006-6171 |
Description | ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-1218-1 |
Debian Bugs | 399070 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
proftpd-dfsg (PTS) | bullseye | 1.3.7a+dfsg-12+deb11u2 | fixed |
bullseye (security) | 1.3.7a+dfsg-12+deb11u5 | fixed | |
bookworm, bookworm (security) | 1.3.8+dfsg-4+deb12u4 | fixed | |
trixie | 1.3.8.c+dfsg-4 | fixed | |
forky, sid | 1.3.9~dfsg-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
proftpd | source | sarge | 1.2.10-15sarge2 | DSA-1218-1 | ||
proftpd-dfsg | source | (unstable) | 1.3.0-13 | low | 399070 |