Wietse Venema and Victor Duchovni discovered and reported an issue in pure-ftpd that could lead to information disclosure.
An unencrypted FTP command sent immediately after the STARTTLS request (AUTH TLS) was left in the server's read buffer and processed after the SSL/TLS handshake completed, as if it had arrived over the encrypted channel. Where client certificate authentication was configured to supply the user's identity, an attacker able to inject plaintext into the connection ahead of the handshake could therefore have commands executed in the certificate-authenticated session, resulting in a potential authentication bypass.
A report of a similar issue, originally discovered in the Postfix MTA, gives further technical details and discusses the possible impact: http://www.postfix.org/CVE-2011-0411.html
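The following model of the flaw is an added example and is not pure-ftpd's or Postfix's code. It stands in a fake socket (`FakeConn`, a hypothetical helper) for the real connection, with plaintext segments delivered before the handshake and TLS records after it, and runs a minimal command loop in two modes: the vulnerable one, which switches to TLS while leftover plaintext is still buffered, and a fixed one that refuses to proceed if any plaintext is still buffered when AUTH TLS is processed. The traffic is constructed for the example; the command names and the "identity from client certificate" flag are assumptions for illustration.

```python
# Added example (not pure-ftpd's code): plaintext command injection across STARTTLS.
# The server reads into a buffer; any plaintext that arrived in the same segment as
# "AUTH TLS" is still in that buffer after the handshake and runs as if the
# (certificate-authenticated) client had sent it over TLS.


class FakeConn:
    """Hypothetical stand-in for a socket: plaintext segments are delivered
    before the handshake, TLS records after it."""

    def __init__(self, plaintext_segments, tls_records):
        self.plain = list(plaintext_segments)
        self.tls = list(tls_records)
        self.encrypted = False

    def recv(self):
        src = self.tls if self.encrypted else self.plain
        return src.pop(0) if src else b""

    def start_tls(self):
        # Real code would run the TLS handshake here; the model only switches
        # which source subsequent reads come from.
        self.encrypted = True


def run_server(conn, reject_pipelined):
    """Process commands and return (command, seen_over_tls) in execution order.

    reject_pipelined=False reproduces the vulnerable behaviour. True applies the
    fix: if plaintext is still buffered when AUTH TLS is handled, refuse, because
    a legitimate client waits for the 234 reply before starting the handshake.
    """
    buf = b""
    over_tls = False  # when True, the server attributes commands to the cert identity
    log = []
    while True:
        if b"\r\n" not in buf:
            chunk = conn.recv()
            if not chunk:
                break
            buf += chunk
            continue
        line, buf = buf.split(b"\r\n", 1)
        cmd = line.decode("ascii", "replace")
        if cmd.upper() == "AUTH TLS" and not over_tls:
            if reject_pipelined and buf:
                # Fixed server: leftover plaintext means something was sent
                # ahead of the handshake; treat it as a protocol violation.
                log.append(("REJECTED_PIPELINED_PLAINTEXT", False))
                break
            conn.start_tls()
            over_tls = True
            continue  # vulnerable: buf still holds the leftover plaintext
        log.append((cmd, over_tls))
    return log


def attack_trace(reject_pipelined):
    # Constructed traffic: an attacker in the path appends plaintext commands to the
    # victim's AUTH TLS, before the handshake; the victim's own commands then
    # arrive inside TLS records.
    injected_plaintext = [b"AUTH TLS\r\nUSER victim\r\nDELE important.txt\r\n"]
    victim_over_tls = [b"PWD\r\n", b"QUIT\r\n"]
    return run_server(FakeConn(injected_plaintext, victim_over_tls), reject_pipelined)


if __name__ == "__main__":
    print("vulnerable:", attack_trace(False))
    print("fixed:     ", attack_trace(True))
```

In the vulnerable run the injected `USER victim` and `DELE important.txt` are logged with `seen_over_tls=True`, i.e. the server would attribute them to whatever identity the client certificate establishes, even though they never travelled inside TLS. The fixed run stops at the AUTH TLS command and never starts the handshake.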
Users of pure-ftpd are advised to install this updated package which contains a fix for the issue.