Scientific Linux Security Update : vsftpd on SL3.x i386/x86_64

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing a security update.

Description :

The version of vsftpd shipped in Scientific Linux 3, when used in
combination with Pluggable Authentication Modules (PAM), leaked memory
on every invalid authentication attempt. Because vsftpd prior to
version 2.0.5 allows any number of invalid attempts on the same
connection, a remote client could trigger the leak repeatedly and
eventually cause a denial of service (DoS). (CVE-2008-2375)

This update mitigates the issue with a backported patch that terminates
the session after a given number of failed login attempts. The default
limit is 3 and can be changed with the 'max_login_fails' directive in
vsftpd.conf.
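To verify the mitigation on a patched host, the following POSIX shell audit (an added example, not part of the Nessus plugin or of vsftpd) reads a vsftpd.conf and reports the effective 'max_login_fails' limit. It assumes, as the advisory states, that a missing directive means the patched default of 3; the treatment of 0 as "no limit" and the threshold of 10 for a loose limit are this script's own assumptions, not values from the advisory.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the max_login_fails directive that
# the backported CVE-2008-2375 fix introduces. Not code from the advisory.
#
# Assumptions (not stated by the advisory):
#  - the patched package treats a missing directive as max_login_fails=3
#  - a value of 0 is treated here as "no limit" and flagged
#  - a limit above 10 is flagged as loose (this script's threshold)

# Print the effective max_login_fails value for the given config file.
# vsftpd.conf syntax is option=value at the start of the line with no
# spaces around '='; '#' lines are comments; a later line overrides an
# earlier one, so the last match wins.
vsftpd_login_limit() {
    conf="$1"
    val=$(sed -n 's/^max_login_fails=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$conf" \
          | tail -n 1)
    if [ -z "$val" ]; then
        val=3   # assumed default after the fix (advisory: "default number of attempts is 3")
    fi
    echo "$val"
}

# Classify the config: prints "ok <n>" or "weak <n> (<reason>)" and returns
# non-zero when the limit disables or loosens the mitigation.
vsftpd_check_conf() {
    n=$(vsftpd_login_limit "$1")
    if [ "$n" -eq 0 ]; then
        echo "weak $n (unlimited failures; CVE-2008-2375 mitigation disabled)"
        return 1
    elif [ "$n" -gt 10 ]; then
        echo "weak $n (limit looser than the default of 3)"
        return 1
    fi
    echo "ok $n"
    return 0
}

# Stand-alone use: ./vsftpd_audit.sh /etc/vsftpd/vsftpd.conf
if [ "$#" -gt 0 ]; then
    vsftpd_check_conf "$1"
fi
```

The config check only tells you the directive is sane; it does not prove the patched package is installed. On an RPM-based host, also confirm the fix is present in the package changelog (for example, `rpm -q --changelog vsftpd | grep CVE-2008-2375`), since backported fixes do not change the upstream version number.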

See also :

http://www.nessus.org/u?55537290

Solution :

Update the affected vsftpd package.

Risk factor :

High / CVSS Base Score : 7.1
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60455

CVE ID: CVE-2008-2375