File _patchinfo of Package patchinfo.12923

<patchinfo incident="12923">
  <issue tracker="cve" id="2020-14149"/>
  <issue tracker="bnc" id="1172959">VUL-1: CVE-2020-14149: uftpd: handle_CWD in ftpcmd.c mishandled the path provided by the user, causing a NULL pointer dereference</issue>
  <packager>mnhauke</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for uftpd</summary>
  <description>This update for uftpd fixes the following issues:

uftpd was updated to version 2.12.

Changes:

* Use common log message format and log level when user enters
  an invalid path. This unfortunately affects changes introduced
  in v2.11 to increase logging at default log level.

Security fixes:

- CVE-2020-14149: When entering an invalid directory with the FTP
  command CWD, a NULL pointer was dereferenced in a DBG() message
  even though the log level was set to a value lower than LOG_DEBUG.
  This caused uftpd to crash, resulting in a denial of service.
  Depending on the init/inetd system used, this could be
  permanent. (boo#1172959)
</description>
</patchinfo>