| Package | pure-ftpd | 
|---|---|
| Version | 1.0.47-3+deb10u1 (buster) | 
| Related CVEs | CVE-2019-20176 CVE-2020-9274 CVE-2020-9365 CVE-2021-40524 | 

Multiple vulnerabilities were discovered in pure-ftpd, a secure and efficient FTP server, that could lead to data corruption, information disclosure or program crash.

CVE-2019-20176:
Stack exhaustion in the listdir function in ls.c.

CVE-2020-9274:
Uninitialized pointer in the diraliases linked list.

CVE-2020-9365:
Out-of-bounds (OOB) read in the pure_strcmp function in utils.c.

CVE-2021-40524:
Incorrect max_filesize quota mechanism in the server allows adversaries to upload files of unbounded size.

For Debian 10 buster, these problems have been fixed in version 1.0.47-3+deb10u1.
We recommend that you upgrade your pure-ftpd packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.