Accepting request 618293 from network

- Apply "vsftpd-support-dsa-only-setups.patch" to disable the problematic default setting for rsa_cert_file. Upstream initializes that value to "/usr/share/ssl/certs/vsftpd.pem" and vsftpd won't start up if that file does not exist (or if it does not contain an RSA certificate). Therefore, users who copy a DSA certificate into that location or properly configure a DSA certificate via dsa_cert_file without explicitly disabling the RSA certificate won't be able to start vsftpd. [bsc#975538] OBS-URL: https://build.opensuse.org/request/show/618293 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=67
2018-06-25 09:34:14 +00:00 · 2018-06-25 09:34:14 +00:00 · 5d9eefaf8c
commit 5d9eefaf8c
parent 0ff270757a 4f5d42bc19
3 changed files with 32 additions and 0 deletions
--- a/vsftpd-support-dsa-only-setups.patch
+++ b/vsftpd-support-dsa-only-setups.patch
@ -0,0 +1,18 @@
+Index: vsftpd-3.0.3/vsftpd.conf
+===================================================================
+--- vsftpd-3.0.3.orig/vsftpd.conf	2018-06-21 11:01:12.125258812 +0000
+++ vsftpd-3.0.3/vsftpd.conf	2018-06-21 11:04:43.355979116 +0000
+@@ -188,8 +188,12 @@ listen=NO
+ # Make sure, that one of the listen options is commented !!
+ listen_ipv6=YES
+ #
+-# Set to ssl_enable=YES if you want to enable SSL
+# Set "ssl_enable=YES" to enable SSL support and configure the location of
+# your local certificate (RSA, DSA, or both). Note that vsftpd won't start
+# if either of the "xxx_cert_file" options sets a path that doesn't exist.
+ ssl_enable=NO
+rsa_cert_file=
+dsa_cert_file=
+ #
+ # Limit passive ports to this range to assis firewalling
+ pasv_min_port=30000
--- a/vsftpd.changes
+++ b/vsftpd.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Jun 21 11:06:33 UTC 2018 - psimons@suse.com
+
+- Apply "vsftpd-support-dsa-only-setups.patch" to disable the
+  problematic default setting for rsa_cert_file. Upstream
+  initializes that value to "/usr/share/ssl/certs/vsftpd.pem" and
+  vsftpd won't start up if that file does not exist (or if it does
+  not contain an RSA certificate). Therefore, users who copy a DSA
+  certificate into that location or properly configure a DSA
+  certificate via dsa_cert_file without explicitly disabling the
+  RSA certificate won't be able to start vsftpd. [bsc#975538]
+
 -------------------------------------------------------------------
 Wed May 16 15:25:02 UTC 2018 - psimons@suse.com

--- a/vsftpd.spec
+++ b/vsftpd.spec
@ -83,6 +83,7 @@ Patch28:        vsftpd-die-with-session.patch
 Patch29:        vsftpd-append-seek-pipe.patch
 Patch30:        vsftpd-3.0.3-address_space_limit.patch
 Patch31:        vsftpd-enable-syscalls-needed-by-sle15.patch
+Patch32:        vsftpd-support-dsa-only-setups.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  pam-devel
@ -146,6 +147,7 @@ tests.
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
+%patch32 -p1

 %build
 %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP