[v3.1] vsftpd: problem in deny_hosts (CVE-2015-1419)
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
Set the option “deny_file” in /etc/vsftpd.conf on a top-directory (for example “deny_file=/home/*”). Then log in with ftp and try to cd to “/home/” first, which will fail, then try to cd to “/./home/”, which will succeed! The latter case shouldn’t be possible either!
References:
http://seclists.org/oss-sec/2015/q1/389
https://bugzilla.novell.com/show_bug.cgi?id=915522
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00023.html
http://lists.opensuse.org/opensuse-updates/2015-01/msg00041.html
http://secunia.com/advisories/62415
(from redmine: issue id 3909, created on 2015-02-04, closed on 2015-03-16)
- Relations:
  - parent #3905 (closed)
- Changesets:
  - Revision 2d519469 by Natanael Copa on 2015-03-11T11:23:40Z:
    main/vsftpd: security fix for CVE-2015-1419
    fixes #3909
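The reproduction above, modelled as an added C example that is not vsftpd's code and not the fix in the changeset: it assumes the deny pattern is matched against the path string as the client sent it, and shows the same check after lexical canonicalisation. `fnmatch()` stands in for the server's own matcher; `denied_raw`, `normalise` and `denied_normalised` are hypothetical names, and the sample paths are constructed.

```c
/* Added illustration, not vsftpd source; fnmatch() stands in for its matcher. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Weak form: glob-match the path exactly as the client typed it. */
static int denied_raw(const char *pattern, const char *path) {
    return fnmatch(pattern, path, 0) == 0;
}

/* Lexically canonicalise an absolute path: collapse "//", drop ".",
 * resolve "..", keep a trailing "/". Returns -1 if it cannot. */
static int normalise(const char *in, char *out, size_t cap) {
    size_t n = strlen(in), len = 0;
    const char *p = in;
    if (in[0] != '/' || n + 1 > cap) return -1;
    while (*p) {
        while (*p == '/') p++;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t sl = (size_t)(p - seg);
        if (sl == 0 || (sl == 1 && seg[0] == '.')) continue;
        if (sl == 2 && seg[0] == '.' && seg[1] == '.') {
            while (len > 0 && out[--len] != '/') ;  /* pop last component */
            continue;
        }
        out[len++] = '/';
        memcpy(out + len, seg, sl);
        len += sl;
    }
    if (len == 0 || in[n - 1] == '/') out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Hardened form: canonicalise first, match second, fail closed on error. */
static int denied_normalised(const char *pattern, const char *path) {
    char canon[4096];
    if (normalise(path, canon, sizeof canon) != 0) return 1;
    return fnmatch(pattern, canon, 0) == 0;
}

int main(void) {
    /* Constructed inputs: the two spellings from the report plus variants. */
    const char *paths[] = { "/home/", "/./home/", "//home/", "/tmp/../home/", "/srv/ftp/" };
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++)
        printf("%-14s raw=%d normalised=%d\n", paths[i],
               denied_raw("/home/*", paths[i]), denied_normalised("/home/*", paths[i]));
    return 0;
}
```

The normalisation here is purely lexical and does not resolve symlinks; that needs a check against the resolved directory.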