diff mbox series

[meta-oe,6/9] proftpd: ignore CVE-2021-47865

Message ID 20260202163714.2359370-6-skandigraun@gmail.com
State Under Review
Headers show
Series [meta-gnome,1/9] gimp: mark CVE-2025-15059 patched | expand

Commit Message

Gyorgy Sarvari Feb. 2, 2026, 4:37 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865

This CVE was opened based on a 5 years old Github issue[1], and has been made
public recently. The CVE wasn't officially disputed (yet?), but based on
the description and the given PoC the application is working as expected.

The vulnerability description and the PoC basically configures proftpd to
accept maximum x connections, and then when the user tries to open x + 1
concurrent connections, it refuses new connections over the configured limit.

See also discussion in the Github issue.

It seems that it won't be fixed, because there is nothing to fix.

[1]: https://github.com/proftpd/proftpd/issues/1298

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb | 1 +
 1 file changed, 1 insertion(+)
diff mbox series

Patch

diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb
index 65dd2f9561..d64e0a0495 100644
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb
+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb
@@ -25,6 +25,7 @@  UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+\w?))"
 CVE_VERSION_SUFFIX = "alphabetical"
 
 CVE_STATUS[CVE-2001-0027] = "fixed-version: version 1.2.0rc3 removed affected module"
+CVE_STATUS[CVE-2021-47865] = "upstream-wontfix: it is not a vulnerability but inproper configuration"
 
 EXTRA_OECONF += "--enable-largefile INSTALL=install"