Aaron Esau

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A double-free issue exists in the Reliable Delivery Service (RDS) implementation of the Linux kernel. When the `iov iter get pages2()` function fails within `rds message zcopy from user()`, the pinned pages are released and the `rm->data.op mmp znotifier` is cleared, but the `rm->data.op nents` variable is not properly reset. Consequently, when `rds message purge()` is subsequently called from `rds sendmsg()`, the cleanup loop iterates over the incorrect non-zero value of `op nents`, leading to a second attempt to free the same resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uftpd FTP server versions 2.10 and earlier **Description** An unauthenticated stack-based buffer overflow vulnerability in common.c's handle PORT can be abused to cause a crash and could potentially lead to remote code execution. **Recommendations** For uftpd FTP server versions 2.10 and earlier, update to a version later than 2.10 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uftpd FTP server versions 2.7 to 2.10 **Description** The issue arises from improper implementation of a chroot jail in the `compose abspath` function in common.c, leading to multiple unauthenticated directory traversal vulnerabilities in different FTP commands. This can be exploited to read or write to arbitrary files on the filesystem, leak process memory, or potentially lead to remote code execution. **Recommendations** For uftpd FTP server versions 2.7 to 2.10, consider disabling the affected FTP commands until a patch is available. Restrict access to the `compose abspath` function in common.c to minimize the risk of exploitation. Avoid using the vulnerable FTP server versions until an update or fix is provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uftpd versions prior to 2.11 **Description** The issue allows an unauthenticated user to perform a directory traversal attack using multiple different FTP commands, enabling them to read and write to arbitrary locations on the filesystem. This is due to the lack of a well-written chroot jail in the `compose abspath()` function. **Recommendations** For versions prior to 2.11, update to version 2.11 to resolve the issue. As a temporary workaround, consider restricting access to the FTP server until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** uftpd versions prior to 2.11 **Description** The issue is caused by a buffer overflow in the handle PORT function in ftpcmd.c. This occurs when a 16-byte buffer is filled with user input via sprintf() using the format specifier string %d.%d.%d.%d. Although the 16-byte size is sufficient for valid IPv4 addresses, the %d format specifier allows for more than 3 digits, leading to a potential overflow. **Recommendations** For versions prior to 2.11, update to version 2.11 to resolve the issue.