CVE-2019-19269
MEDIUMProFTPD through 1.3.6b - Denial of Service via NULL Pointer Dereference in TLS CRL Verification
Title source: llmDescription
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
References (7)
Core 7
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/proftpd/proftpd/issues/861
Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/11/msg00039.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGBBCPLJSDPFG5EI5P5G7P4KEX7YSD5G/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202003-35
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Scores
CVSS v3
4.9
EPSS
0.0164
EPSS Percentile
73.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-476
Status
published
Products (5)
debian/debian_linux
8.0
fedoraproject/fedora
30
fedoraproject/fedora
31
proftpd/proftpd
1.3.6 (7 CPE variants)
proftpd/proftpd
< 1.3.5e
Published
Nov 30, 2019
Tracked Since
Feb 18, 2026