CVE-2019-18217

NameCVE-2019-18217
DescriptionProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1974-1, DSA-4559-1
NVD severitymedium
Debian Bugs942831

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
proftpd-dfsg (PTS)jessie1.3.5-1.1+deb8u2vulnerable
jessie (security)1.3.5e+r1.3.5-2+deb8u4fixed
stretch1.3.5b-4+deb9u1vulnerable
stretch (security)1.3.5b-4+deb9u2fixed
buster, buster (security)1.3.6-4+deb10u2fixed
bullseye, sid1.3.6b-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
proftpd-dfsgsource(unstable)1.3.6a-2942831
proftpd-dfsgsourcebuster1.3.6-4+deb10u2DSA-4559-1
proftpd-dfsgsourcejessie1.3.5e+r1.3.5-2+deb8u4DLA-1974-1
proftpd-dfsgsourcestretch1.3.5b-4+deb9u2DSA-4559-1

Notes

https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4
https://github.com/proftpd/proftpd/issues/846

Search for package or bug name: Reporting problems