UbuntuUpdates.org

Package "atftpd"

Name: atftpd

Description: advanced TFTP server

Latest version: 0.7.git20120829-3.1ubuntu0.1
Release: focal (20.04)
Level: security
Repository: universe
Head package: atftp

Other versions of "atftpd" in Focal

Repository  Area      Version
base        universe  0.7.git20120829-3.1
updates     universe  0.7.git20120829-3.1ubuntu0.1

Changelog

Version: 0.7.git20120829-3.1ubuntu0.1 2023-09-04 09:08:19 UTC

  atftp (0.7.git20120829-3.1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: assertion failure makes the service to crash
    - debian/patches/CVE-2020-6097.patch: returns an error message string for
    unsupported cases instead of calling assert().
    - CVE-2020-6097
  * SECURITY UPDATE: buffer overflow makes the service to crash
    - debian/patches/CVE-2021-41054.patch: ensures that the buffer-size is
    enough for the combination of data, OACK, and other options.
    - CVE-2021-41054
  * SECURITY UPDATE: buffer over-read discloses server-side /etc/group data
    - debian/patches/CVE-2021-46671.patch: prevents argz_next from reading
    past the end of data.
    - CVE-2021-46671

 -- Jorge Sancho Larraz <email address hidden> Wed, 30 Aug 2023 17:27:00 +0200

CVE-2020-6097 An exploitable denial of service vulnerability exists in the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1. A specially crafted sequenc
CVE-2021-41054 tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and
CVE-2021-46671 options.c in atftp before 0.7.5 reads past the end of an array, and consequently discloses server-side /etc/group data to a remote client.


