- Apply "vsftpd-support-dsa-only-setups.patch" to disable the
problematic default setting for rsa_cert_file. Upstream
initializes that value to "/usr/share/ssl/certs/vsftpd.pem" and
vsftpd won't start up if that file does not exist (or if it does
not contain an RSA certificate). Therefore, users who copy a DSA
certificate into that location or properly configure a DSA
certificate via dsa_cert_file without explicitly disabling the
RSA certificate won't be able to start vsftpd. [bsc#975538]
OBS-URL: https://build.opensuse.org/request/show/618293
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=67
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=131
- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that
would cause SSL protocol errors, aborting the connection, whenever
system errors occurred that were supposed to be non-fatal.
[bsc#1044292]
- Add "vsftpd-mdtm-in-utc.patch" to fix an interoperability issue with
various FTP clients that arose when vsftpd is configured with
option "use_localtime=YES". Basically, it's fine to use local time
stamps in directory listings, but responding to MDTM commands with
any time zone other than UTC directly violates RFC3659 and leads
FTP clients to misinterpret the file's time stamp. [bsc#1024961]
- Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to
append to a file system pipe. [bsc#1048427]
- Add "vsftpd-3.0.3-address_space_limit.patch" to create the new
configuration option "address_space_limit", which determines the
memory limit vsftpd configures for its own process (given in
bytes). The previously hard-coded limit (100 MB) may not be
sufficient for vsftpd servers running with certain PAM modules
enabled, and in such cases administrators may wish to raise the
limit to match their system's requirements. [bsc#1042137]
- Don't rely on the vsf_findlibs.sh script to figure out the list
of libraries the build needs to link. The script is wildly
unreliable and it's hard to predict what results it will produce.
Also, the results it *does* produce are invisible in the build
log. We stumbled across this issue when vsftpd suddenly had
build failures on i586 platforms because the script decided to
try and link "-lnsl" even though the library was neither
installed nor required.
- Drop the explicit specification of the LDFLAGS and LINK variables
from the call to make. The value of LDFLAGS we passed is the
default anyway and giving LINK has no effect since it's not used
anywhere in the Makefile.
OBS-URL: https://build.opensuse.org/request/show/523208
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=62
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=119
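The failure mode addressed by the "vsftpd-mdtm-in-utc.patch" entry above, as an added C sketch (not vsftpd's code and not the patch itself): a client that follows RFC 3659 reads the MDTM digits as UTC, so a local-time reply shifts the file's time stamp by the server's UTC offset. The function names, the sample time stamp and the POSIX time zone string "EXA-2" (two hours east of UTC) are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv(), tzset() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Server side: build the reply "213 YYYYMMDDHHMMSS". utc != 0 is what
 * RFC 3659 requires; utc == 0 models a server answering in local time. */
int mdtm_reply(time_t mtime, int utc, char *buf, size_t len)
{
    struct tm *tm = utc ? gmtime(&mtime) : localtime(&mtime);
    if (tm == NULL || strftime(buf, len, "213 %Y%m%d%H%M%S", tm) == 0)
        return -1;
    return 0;
}

/* Client side: the digits are defined to be UTC, so convert them to an
 * epoch value without consulting any time zone (days-from-civil). */
long long mdtm_parse_as_utc(const char *reply)
{
    int y, mo, d, h, mi, s;
    if (sscanf(reply, "213 %4d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &s) != 6)
        return -1;
    y -= mo <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;
    long long doy = (153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return (era * 146097 + doe - 719468) * 86400 + h * 3600LL + mi * 60 + s;
}

/* Seconds by which a client misreads mtime for a server in time zone tz. */
long long client_skew(time_t mtime, const char *tz, int utc)
{
    char reply[32];
    setenv("TZ", tz, 1);
    tzset();
    if (mdtm_reply(mtime, utc, reply, sizeof reply) != 0)
        return -1;
    return mdtm_parse_as_utc(reply) - (long long)mtime;
}

int main(void)
{
    time_t mtime = 1500000000; /* constructed sample: 2017-07-14 02:40:00 UTC */
    printf("UTC reply skew:   %lld s\n", client_skew(mtime, "EXA-2", 1));
    printf("local reply skew: %lld s\n", client_skew(mtime, "EXA-2", 0));
    return 0;
}
```

A nonzero skew is what mirroring and synchronisation clients see as a changed or stale file.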
- Version bump to 3.0.3:
* Increase VSFTP_AS_LIMIT to 200MB; various reports.
* Make the PWD response more RFC compliant; report from Barry Kelly
<barry@modeltwozero.com>.
* Remove the trailing period from EPSV response to work around BT Internet
issues; report from Tim Bishop <tdb@mirrorservice.org>.
* Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
<mvyskocil@suse.cz>. At least, syslogging seems to work on my Fedora now.
* Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
probably have a different distro / libc / etc. and there are multiple reports.
* Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
this case gracefully. Report from Vasily Averin <vvs@odin.com>.
* List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
* Make some compile-time SSL defaults (such as correct client shutdown
handling) stricter.
* Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
delays. From Tim Kosse <tim.kosse@filezilla-project.org>.
* Kill the FTP session if we see HTTP protocol commands, to avoid
cross-protocol attacks. A report from Jann Horn <jann@thejh.net>.
* Kill the FTP session if we see session re-use failure. A report from
Tim Kosse <tim.kosse@filezilla-project.org>.
* Enable ECDHE, Tim Kosse <tim.kosse@filezilla-project.org>.
* Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
* Minor SSL logging improvements.
* Un-default tunable_strict_ssl_write_shutdown again. We still have
tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
upload integrity.
- Drop patch vsftpd-allow-dev-log-socket.patch; should be included
upstream, see above bullet with mvyskocil's email
OBS-URL: https://build.opensuse.org/request/show/329655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=52
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=89