Package: proftpd-basic
Version: 1.3.5b-4
Severity: grave
Tags: security
Justification: renders package unusable
Dear Maintainer,

Debian Security has been notified. The proftpd in Debian stable has memory leaks in it. A malicious user who has a valid username and password for the SSL-enabled proftpd server (even just an anonymous user, if allowed) merely needs to upload a "Calibre Library" folder containing a bunch of small ebooks, large enough to cause the server to freeze. In my case, with 512MB RAM, my Calibre Library folder needed to be only 13GB in size to cause the server to have a total hardware freeze.

The package proftpd-mod-vroot 0.9.4-1, which I also have installed, might also have memory leaks in it.

These memory leaks have been known about for a long time, but it seems I'm the first one to point out that this constitutes a DOS attack. I believe these memory leaks got fixed in proftpd 1.3.5d:

https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713

...however, the version of proftpd in Debian stable is currently 1.3.5b-4.

Please also see here for more details, which is where this DOS attack was first discovered and announced publicly by me:

https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment&comment=73069

Note: downstream of proftpd is the OpenMediaVault project. I'm an OpenMediaVault user; that's how I ran into this being a DOS.
-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf

Kernel: Linux 4.19.20-sunxi64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages proftpd-basic depends on:
ii  adduser            3.115
ii  debianutils        4.8.1.1
ii  libacl1            2.2.52-3+b1
ii  libc6              2.24-11+deb9u4
ii  libcap2            1:2.25-1
ii  libmemcached11     1.0.18-4.1
ii  libmemcachedutil2  1.0.18-4.1
ii  libncurses5        6.0+20161126-1+deb9u2
ii  libpam-runtime     1.1.8-3.6
ii  libpam0g           1.1.8-3.6
ii  libpcre3           2:8.39-3
ii  libssl1.0.2        1.0.2q-1~deb9u1
ii  libtinfo5          6.0+20161126-1+deb9u2
ii  libwrap0           7.6.q-26
ii  lsb-base           9.20161125
ii  netbase            5.4
ii  sed                4.4-1
ii  ucf                3.0036
ii  zlib1g             1:1.2.8.dfsg-5

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
pn  openbsd-inetd | inet-superserver  <none>
ii  openssl                           1.1.0j-1~deb9u1
pn  proftpd-doc                       <none>
pn  proftpd-mod-geoip                 <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- no debconf information