New pure-ftpd version fix STARTTLS issues (CVE-2011-1575).
Pure-ftpd is vulnerable to the STARTTLS command injection
issue similar to CVE-2011-0411 of postfix. CVE-2011-1575
has been assigned to this issue.
-
Submitted by
Adrian Schröter (adrianSuSE)
- Version 4353
Fixed bugs
bnc#686590
VUL-0: CVE-2011-1575: new pure-ftpd version fix STARTTLS issues similar to CVE-2011-0411
CVE#CVE-2011-1575
The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after
