This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.
The remote Fedora host is missing a security update.
This is an update to the current upstream maintenance release, which
addresses two security issues that can be exploited by malicious users
to manipulate certain data and compromise a vulnerable system.
- A logic error in the code for processing user input
  containing the Telnet IAC (Interpret As Command) escape
  sequence can be exploited to cause a stack-based buffer
  overflow by sending specially crafted input to the FTP
  or FTPS service. Successful exploitation may allow
  execution of arbitrary code. This has been assigned the
  name CVE-2010-4221. More details can be found at
- An input validation error within the 'mod_site_misc'
  module can be exploited to e.g. create and delete
  directories, create symlinks, and change the time of
  files located outside a writable directory. Only
  configurations using 'mod_site_misc', which is not
  enabled by default, and where the attacker has write
  access to a directory, are vulnerable to this issue,
  which has been assigned CVE-2010-3867. More details can
  be found at http://bugs.proftpd.org/show_bug.cgi?id=3519
The update from 1.3.2d to 1.3.3c also includes a large number of
non-security bugfixes and a number of additional loadable modules for
enhanced functionality :
There is also a new utility 'ftpscrub' for scrubbing the scoreboard
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
See also :
Update the affected proftpd package.
Risk factor :
Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.7
Public Exploit Available : true