Security update for uftpd
This update for uftpd fixes the following issues:
uftpd was updated to version 2.12.
Changes:
* Use common log message format and log level when user enters
an invalid path. This unfortunately affects changes introduced
in v2.11 to increase logging at default log level.
Security fixes:
- CVE-2020-14149: When entering an invalid directory with the FTP
command CWD, a NULL pointer was dereferenced in a DBG() message
even though the log level was set to a value lower than LOG_DEBUG.
This crashed uftpd, causing a denial of service.
Depending on the init/inetd system used, this could be
permanent. (boo#1172959)
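One general way a filtered debug message can still dereference a NULL pointer, shown as an added illustration that is not uftpd's code: the arguments of a log call are evaluated before a level check inside the logging function can run. All names below are hypothetical, and a counter with a NULL guard stands in for the crashing dereference.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration; every name is hypothetical, none is uftpd's. */
enum { LVL_NOTICE = 5, LVL_DEBUG = 7 };
static int log_level = LVL_NOTICE;  /* debug output disabled */
static int arg_evals;               /* times a log argument was computed */

/* Hypothetical resolver: NULL means the client sent an invalid path. */
static const char *resolve_path(const char *arg) {
    return (arg && arg[0] == '/' && !strstr(arg, "..")) ? arg : NULL;
}

/* Log argument that touches the path; unguarded strlen(NULL) would crash. */
static size_t path_len(const char *p) {
    arg_evals++;
    return p ? strlen(p) : 0;
}

/* Level checked inside the callee: the argument is already evaluated. */
static void dbg_len(size_t n) {
    if (log_level >= LVL_DEBUG)
        fprintf(stderr, "CWD target length %zu\n", n);
}

/* Level checked first: the argument is evaluated only when logging. */
#define DBG_LEN(n) do { if (log_level >= LVL_DEBUG) dbg_len(n); } while (0)

/* Risky shape: log first, validate second. Returns an FTP reply code. */
static int cwd_eager(const char *arg) {
    const char *path = resolve_path(arg);
    dbg_len(path_len(path));
    return path ? 250 : 550;
}

/* Hardened shape: reject NULL before any use, and gate the log call. */
static int cwd_checked(const char *arg) {
    const char *path = resolve_path(arg);
    if (!path)
        return 550;
    DBG_LEN(path_len(path));
    return 250;
}

int main(void) {
    int a = cwd_eager("../x"), b = cwd_checked("../x");
    printf("eager=%d checked=%d arg_evals=%d\n", a, b, arg_evals);
    return 0;
}
```

Both handlers answer 550 for the invalid path, but only the eager one computes the log argument while debug logging is off.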
Submitted by
Martin Hauke (mnhauke)
Fixed bugs
bnc#1172959
VUL-1: CVE-2020-14149: uftpd: handle_CWD in ftpcmd.c mishandled the path provided by the user, causing a NULL pointer dereference