From a55fbc4786a452a38020352e3a5345051f9960973bcf201457f873b199b072fd Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 29 Jun 2021 09:15:03 +0000 Subject: [PATCH 1/2] update to 3.0.4 OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=149 --- vsftpd-3.0.3.tar.gz | 3 -- vsftpd-3.0.3.tar.gz.asc | 7 ---- vsftpd-3.0.4.tar.gz | 3 ++ vsftpd-3.0.4.tar.gz.asc | 17 ++++++++++ vsftpd.changes | 61 ++++++++++++++++++++------------- vsftpd.keyring | 74 +++++++++++++++++++++++++++-------------- vsftpd.spec | 6 ++-- 7 files changed, 108 insertions(+), 63 deletions(-) delete mode 100644 vsftpd-3.0.3.tar.gz delete mode 100644 vsftpd-3.0.3.tar.gz.asc create mode 100644 vsftpd-3.0.4.tar.gz create mode 100644 vsftpd-3.0.4.tar.gz.asc diff --git a/vsftpd-3.0.3.tar.gz b/vsftpd-3.0.3.tar.gz deleted file mode 100644 index 0aba8cd..0000000 --- a/vsftpd-3.0.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9d4d2bf6e6e2884852ba4e69e157a2cecd68c5a7635d66a3a8cf8d898c955ef7 -size 196649 diff --git a/vsftpd-3.0.3.tar.gz.asc b/vsftpd-3.0.3.tar.gz.asc deleted file mode 100644 index 1351ac6..0000000 --- a/vsftpd-3.0.3.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlWy7z8ACgkQqmLsRjwOdRyg1QCgp6fVazIhibmgmlefKPEVBUEM -yDMAnibP6iavxih4przbfR+Fd3LgsARM -=G+eX ------END PGP SIGNATURE----- diff --git a/vsftpd-3.0.4.tar.gz b/vsftpd-3.0.4.tar.gz new file mode 100644 index 0000000..90902d4 --- /dev/null +++ b/vsftpd-3.0.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6b9421bd27e8a6cdeed5b31154f294a20b003a11a26c09500715a0a6b1b86a26 +size 197637 diff --git a/vsftpd-3.0.4.tar.gz.asc b/vsftpd-3.0.4.tar.gz.asc new file mode 100644 index 0000000..afb0f50 --- /dev/null +++ b/vsftpd-3.0.4.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJKBAABCAA0FiEEZ6KrT0H5lywh9r9me4kBG8rhz+oFAmCyzAAWHHNjYXJ5YmVh +c3RzQGdtYWlsLmNvbQAKCRB7iQEbyuHP6m3ND/wKyb9Jjg6yggpZhn1tQU4rUbIc +7/FjSVIRqUasLuC7vGF4fRCsC3Vi7pLX+HB/6C+PrONIS1OkhEZuzNAG531Oedi1 +jlh3L2qhq55N+vVAm7SPonRKxfraljE1AWpg2aUSK1sgW2/d53XHX6quN8qh415H +Eu91H06SoZdJbQn94EiowT97RNlFjdcyU6GYeGA7LwrhTEPsJ+CnvER/sE6pDx5F +RrHpajiBC8cLrhpV6Qkpo8KnVOx2CQHUqqjs1x4h7ItFiIhUvyN4bRwA3Q6sty2q +rb15JCGngatwf93qXP91vBugY5kqfWWnqRnc8b47QXzPB2H6JPq9VQX3yjaITCHF +YaiQ7a7wzkADTleAG0TNdYzNk4RAzqf6TL+gsMR5ewLYalpy2dtROheWzTlG8kSz +Z1bgUnA/WSijdKWKua8qjGSexBIA/yDR2zFHKU6Wp5DsrC7R5m71TL9rX30NQp7J +R32r5DXWuftygxDVYWH6hzD/P0A7wyE7Kz6HcIeCXncSgonuCsLmsWNYVLKwKcmt +JlnfBlZ3QjLVyL8+Rdo3swO9BLzDMVnocDBSC96/ixbLRnqMMMv5l11ZrLtbc633 +CpnCug3EawYmA1h6UMF1nIbYqhRmCCnk5fXjC9Akl5ymh0D9WjQ6T+77lFD9kZ+8 +lbA2AOPGnY8m3uHQkg== +=TLc+ +-----END PGP SIGNATURE----- diff --git a/vsftpd.changes b/vsftpd.changes index 024e809..c8ffd07 100644 --- a/vsftpd.changes +++ b/vsftpd.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Tue Jun 15 07:49:13 AM UTC 2021 - Peter Simons + +- Update to version 3.0.4. + * Fix runtime SIGSYS crashes (seccomp sandbox policy tweaks). + * Reject HTTP verbs pre-login. + * Disable TLS prior to v1.2 by default. + * Close the control connection after 10 unknown commands pre-login. + * Reject any TLS ALPN advertisement that's not 'ftp'. + * Add ssl_sni_hostname option to require a match on incoming SNI hostname. + +- Upstream has a new GPG key (7B89011BCAE1CFEA). + ------------------------------------------------------------------- Thu Dec 3 11:20:20 UTC 2020 - Ismail Dönmez 
@@ -121,7 +134,7 @@ Thu Sep 7 12:24:26 UTC 2017 - psimons@suse.com log. We stumbled across this issue when vsftpd suddendly had build failures on i586 platforms because the script decided to try and link "-lnsl" even though the library was neither - installed nor required. + installed nor required. - Drop the explicit specification of the LDFLAGS and LINK variables from the call to make. The value of LDFLAGS we passed is the @@ -160,7 +173,7 @@ Mon Sep 19 11:39:04 UTC 2016 - psimons@suse.com where files uploaded by an anonymous user could not be chown()ed to the desired UID as specified in the daemon's configuration file. [bnc#996370] - + ------------------------------------------------------------------- Wed Aug 31 17:21:04 UTC 2016 - dimstar@opensuse.org @@ -206,7 +219,7 @@ Mon Sep 21 11:34:46 UTC 2015 - tchvatal@suse.com ------------------------------------------------------------------- Mon Sep 21 11:14:59 UTC 2015 - joop.boonen@opensuse.org -- Brought back additional systemv support so it also builds for SLES 10 and 11 +- Brought back additional systemv support so it also builds for SLES 10 and 11 ------------------------------------------------------------------- Tue Sep 8 10:57:55 UTC 2015 - tchvatal@suse.com @@ -439,7 +452,7 @@ Tue Nov 20 09:21:17 UTC 2012 - dimstar@opensuse.org ------------------------------------------------------------------- Mon Oct 22 13:38:57 UTC 2012 - mvyskocil@suse.com -- update to 3.0.2 (bnc#786024) +- update to 3.0.2 (bnc#786024) * Fix some seccomp related build errors on certain CentOS and Debian versions. * Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort() opens and maps /proc/meminfo but only for larger item counts? 
@@ -557,12 +570,12 @@ Fri Dec 23 17:48:04 UTC 2011 - andreas.stieger@gmx.de ------------------------------------------------------------------- Sat Nov 26 16:31:20 UTC 2011 - crrodriguez@opensuse.org -- fis copy/paste error in previous change +- fis copy/paste error in previous change ------------------------------------------------------------------- Fri Nov 25 22:14:14 UTC 2011 - crrodriguez@opensuse.org -- Add systemd unit +- Add systemd unit ------------------------------------------------------------------- Thu Sep 22 11:17:04 UTC 2011 - mvyskocil@suse.cz @@ -579,14 +592,14 @@ Fri Feb 25 01:37:38 UTC 2011 - crrodriguez@opensuse.org - Avoid consuming excessive CPU when matching filenames to patterns. Thanks to Maksymilian Arciemowicz . - Some bugfixes from Raphaël Rigo -- good bugs but -no apparent security impact. +no apparent security impact. ------------------------------------------------------------------- Tue Sep 21 16:31:39 UTC 2010 - cristian.rodriguez@opensuse.org - Update to version 2.3.2 - Fix silly regression re: log files being overwritten from the start. -- Rename a few file-open functions to make it clearer what they do +- Rename a few file-open functions to make it clearer what they do ------------------------------------------------------------------- Tue Aug 10 04:55:16 UTC 2010 - cristian.rodriguez@opensuse.org @@ -606,12 +619,12 @@ truncating it. the transmission of plaintext passwords by buggy clients. - Fix failure to transmit a large ASCII file over SSL, if it contains \n -> \r\n fixups. - + ------------------------------------------------------------------- Tue May 25 13:05:30 UTC 2010 - cristian.rodriguez@opensuse.org -- $remote_fs --> network-remotefs +- $remote_fs --> network-remotefs ------------------------------------------------------------------- Sun Feb 21 19:28:29 UTC 2010 - mseben@novell.com 
@@ -647,7 +660,7 @@ Mon Sep 15 14:52:05 CEST 2008 - hvogel@suse.de ------------------------------------------------------------------- Mon Sep 8 15:30:43 CEST 2008 - hvogel@suse.de -- version 2.0.7 +- version 2.0.7 * Fix man page typo * Enhance logging for debug_ssl * Shutdown the SSL data connections properly @@ -677,7 +690,7 @@ Wed Apr 30 11:58:17 CEST 2008 - hvogel@suse.de Tue Apr 1 16:23:57 CEST 2008 - mkoenig@suse.de - remove dir /usr/share/omc/svcinfo.d as it is provided now - by filesystem + by filesystem ------------------------------------------------------------------- Tue Mar 11 20:56:47 CET 2008 - crrodriguez@suse.de @@ -715,17 +728,17 @@ data connection. Still does not seem to coax lftp to retry :( - Recognize OPTS pre-login. - A whole ton of SSL improvements, including ability to force requirement of a client cert; data and control channel client cert cross checking. Ability -to require fully valid / authentic client certs. No cert-based auth yet. +to require fully valid / authentic client certs. No cert-based auth yet. ------------------------------------------------------------------- Tue Mar 27 14:45:11 CEST 2007 - mskibbe@suse.de -- change path to firewall script (#247352) +- change path to firewall script (#247352) ------------------------------------------------------------------- Fri Mar 2 10:34:33 CET 2007 - mskibbe@suse.de -- change path to firewall script (#247352) +- change path to firewall script (#247352) ------------------------------------------------------------------- Wed Feb 28 08:46:47 CET 2007 - mskibbe@suse.de 
@@ -747,12 +760,12 @@ Fri Jan 12 09:39:24 CET 2007 - mskibbe@suse.de ------------------------------------------------------------------- Thu Jan 11 09:54:07 CET 2007 - mskibbe@suse.de -- change path to xml service document (fate #301713) +- change path to xml service document (fate #301713) ------------------------------------------------------------------- Mon Jan 8 10:31:52 CET 2007 - mskibbe@suse.de -- fix Bug #230220 - vsftp no debuginfo +- fix Bug #230220 - vsftp no debuginfo ------------------------------------------------------------------- Mon Jan 8 09:27:36 CET 2007 - mskibbe@suse.de @@ -762,7 +775,7 @@ Mon Jan 8 09:27:36 CET 2007 - mskibbe@suse.de ------------------------------------------------------------------- Wed Dec 6 12:03:32 CET 2006 - mskibbe@suse.de -- add service xml document (fate #301713 ) +- add service xml document (fate #301713 ) ------------------------------------------------------------------- Mon Oct 23 09:42:05 CEST 2006 - mskibbe@suse.de @@ -781,7 +794,7 @@ Fri Jul 14 10:57:58 CEST 2006 - mskibbe@suse.de o IE should now show the login dialog again o configurable login attempt limits and delays were added o a bad intereaction with DMAPI filesystems was fixed and chained - certs should now work. + certs should now work. ------------------------------------------------------------------- Fri May 26 11:50:07 CEST 2006 - schwab@suse.de @@ -792,7 +805,7 @@ Fri May 26 11:50:07 CEST 2006 - schwab@suse.de Thu Apr 20 18:03:29 CEST 2006 - hvogel@suse.de - revert the rename to vsftp for the xinetd config file. chkconfig - knows on for init and xinetd. So this wasnt a bug but a misusage + knows on for init and xinetd. So this wasnt a bug but a misusage of chkconfig ------------------------------------------------------------------- 
@@ -809,12 +822,12 @@ Wed Apr 19 11:13:47 CEST 2006 - hvogel@suse.de ------------------------------------------------------------------- Thu Feb 16 12:27:53 CET 2006 - hvogel@suse.de -- enable ssl for real [#151453] +- enable ssl for real [#151453] ------------------------------------------------------------------- Mon Feb 6 14:31:27 CET 2006 - hvogel@suse.de -- The switch to standalone should not happen in update. +- The switch to standalone should not happen in update. Installed xinetd config file again. The configuration file is marked as noreplace anyway so if you are updating you will get a xinetd.d/vsftpd.rpmnew and a vsftpd.conf.rpmnew @@ -875,7 +888,7 @@ Mon Aug 8 14:39:16 CEST 2005 - uli@suse.de ------------------------------------------------------------------- Mon Jun 27 14:09:14 CEST 2005 - ro@suse.de -- use libcap +- use libcap ------------------------------------------------------------------- Fri Jun 17 10:16:13 CEST 2005 - mmj@suse.de @@ -1123,7 +1136,7 @@ Sun Feb 17 18:14:13 CET 2002 - mmj@suse.de ------------------------------------------------------------------- Tue Feb 12 13:52:01 MET 2002 - mmj@suse.de -- Remove Requires: ftpdir +- Remove Requires: ftpdir ------------------------------------------------------------------- Mon Feb 4 18:02:20 CET 2002 - choeger@suse.de diff --git a/vsftpd.keyring b/vsftpd.keyring index 8dd9720..47f6bc2 100644 --- a/vsftpd.keyring +++ b/vsftpd.keyring 
@@ -1,28 +1,52 @@ -pub 1024D/3C0E751C 2004-06-29 -uid Chris Evans -sub 1024g/0A9EB17D 2004-06-29 - -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.19 (GNU/Linux) -mQGiBEDh9hcRBACkPpPw2Pm4v6i+dQccbPAmiGyf6Hn7hHyKx25lJD7sK5vQ/L/w -7sKDLBF1JO76+9xN9UQb4emgmRW5T+tll4KD4uaTP1+bopg+RlRSD2S8MqAoYBE/ -kUu1je49FNV3VyNHLvi77XkjHd4C0+hoZhnBK/OMo3FXo9vEWrFokXwCtwCgsgxn -USwXet4jojSt+//E7W6AYV8D/jUMh02PbxHhbCHYQnITB9aiaMQtCoeAlbj3HAQA -+ZgNxApZ6hbhE0I27i4MrGte3O/9l5j3V0rXltpNY9E6tm8HT2UeLc1m7aMCXy+0 -IUrtQtuEx50jD3oaKbqix6UcBpDAZh+aeqTGansCHUHvlOuQQFO4vAPSr6aHPDmS -1Dc7A/9JImvSvwq5xbDQWpWMMvpQXkDgCqjkRnvqBHqoXXy7R8xEaYAqcRYVHCo4 -hmVYyRXsdY7iPxQkugbLBAPTHq2ajWsZGmrJymVZP7FGz+Rn/j/XoGYrbdJ86fgs -XnydJY+/uBaS/A+P/+xeHByr4fqG2T60LUVXtwQP2oP/xYN8kbQkQ2hyaXMgRXZh -bnMgPGNocmlzQHNjYXJ5LmJlYXN0cy5vcmc+iF4EExECAB4FAkDh9hcCGwMGCwkI -BwMCAxUCAwMWAgECHgECF4AACgkQqmLsRjwOdRwHOACgp9BubQZNeDf+cbTyuhfo -+qEedNsAoJIde2sM6Waxd4utyNEGG4pQ3sKeuQENBEDh9h0QBACTJBc/TYG3jVRL -4dI0R1M42DqyaTpm+qDgIgZ6YoXMzw9Z7NiHZaVVrnxYN98mCsNvvevaVT6Jy8Rr -FWMf4jx82ulH6NWZ9rKu3V9CXK9VXxt03VAWK2mGaKWlb7QKuiAuxSSrWTFO9neL -wWAixHsL0w9l19grtn1eKW9e61wIawADBgP/ab8QxketqpzecJhsIr/XM3k2oeKH -mj2BhegIaZzMAqrdvqGIj0cVGpun0tcoB2w4J1S8PyhM0/1PDaTKT+U83Ewljghw -Z+J5KUzG8T5xz9Qi3MyG4GnDqCSwZ9gKN8gt354tVd1qioX+ur5rovfVw+21iciW -IENPG81Z/P+DJzSISQQYEQIACQUCQOH2HQIbDAAKCRCqYuxGPA51HJUGAJ9ynmOj -Hu3p4DUdukkZfSuqyJaAXgCbBxgmdB7hOfSIGyou31PfdaIeFqU= -=BKUG +mQINBGCyyncBEADCkx7Uh4mO2Q590LFi7gCh+Ivm1MqsK+pBXmIiIMBPFLMKqmji +boJiJFu4QcB/ZJZOLVBKKwbQfN/7IeulNkrvMhnu+jJizz0hUDDLQjuoScx53+MW +zwIPhI7OAJ6kurlHo0b1wvNnJD5ENmwxrOTYL5bHxut/05a+uTaruPFQPNOMYMzs +rOvIZrzv0lcW/8ZL4tAFvlkogfiGNC9Vfxy4Px8lyVhhfiVzVY3+UNJMM69n6QAt +kUH07xpV+vn7I3lD4dZM96zFnrXuQhwJba3fbCY9vFN0NDRVdF3tYl2xwJhXMJtM +jtQ1Tw9ykRMPsLlaiow0/uW3mYrTYjDP12VxukCEg6a240mhT4jAVA4cSoOCdGBJ +AZCQk5SLbr/MwikggUyS9Fu3d10WKUSyQFS8NWQGHpaFSIIp3T/dGTe6fprhXzFo +vvLv26OCFNvn4vTHz4lMzZZJjYLNtlcriJoSPCCe8/fI9BmgARmFxiKgY5ENQOrY 
+cZUJJ3sHre52aqCETgz+w8j5o/cAU8iizlYxYsJK/Y+QXlVIzyV8oQGm/jvXhrhi +CgB4xx96cthfolv2Lj+Dz90d/MYKB3suX38Q1ZNhxCZjIcoE+dcn+uGHUqzm4sot +gN37P1Xfijn15L2cHoV1itasVlOc92HrEUEaBWpB6QXF6nEYkkgA2agnMwARAQAB +tCNDaHJpcyBFdmFucyA8c2NhcnliZWFzdHNAZ21haWwuY29tPokCVAQTAQgAPhYh +BGeiq09B+ZcsIfa/ZnuJARvK4c/qBQJgssp3AhsDBQkSzAMABQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAAAoJEHuJARvK4c/qW6QP/2dZFkqxQl7hGJizaGIMCHXV1R2G +0r1S3GyVSRZEUWuVvv2UMjxYx6DZhhoaTGRNi0gXVrTVL3FG8yBfLN2LQQCSXK4k +eee8FIXSp1LhwciAJKN+Z5nc0i7R6Qy6cIvc82DO6Y4FaMJZoO5lWbl1WjEYO/oN +NJAp7U3J+BWYKTzIB+Nh2vaapzj2XrNB6dh3ry2nj7yZmerPquYtXsuNRfi/c/Z0 +2t+TiSEFZW83/NZFGbDhhzWB19TMFM5oUpSBH6Yw02ASseaZBRBK0gLhfKGEnf2W +KgrwcGd41kMxia6UsrXiG3ZjDR+gF/sed93ZdLWpyYxN4DinirCt/+i1/L5RWCSg +Xus1SviMmnTfhB7WB+WfrIauLpPZOZhdLc3vSBdBmOZ6+p0qLQC2eK2rehM6kQzw +nd9vmCtws2l5HGsBngrBEIkXsPVSVZKEUB8xH57nbIzn7igsUgrTBdz8K61oMaAu +iEZzRJ35P81B3uJqZyqjkONm/1J9d081V2aiASJw/vfiAEkjpws488ZWkg9FFSFJ +VqvAUu6p/g152GP+vatqFT1sH8zxXLLrwGlcktZFNfTYSnscQ9NU/L761anjrgM4 +Oi7ks4jLq91vwvxW9E9TNyuMUJj85412xPIwx1o1+fKGwzi1d+01uQ73aPmp6Z4l +idE6tmV5wVSuMGSCuQINBGCyyncBEADIM7Z+1GxMvEtKRyWukfL5w8C4Bqid6M7N +yCCs8bT1lunc7/weiNCOFigZDfAaSoFQpVe22YZABeWD/wO0iY9x+wOwpnsGhmC9 +7H/c0+g4IT7fKkaNVMbvUGfo9dWrXD2gtFzZJruMnPbj0HeFqSHvkGbMM7dLyMlF +K295F901iFvvfw7jSQyVGVS97i7swXj9F/O13jedIbh+3TWdkKk/YqmMsETjkcOe +UvmY7P7pTKEpdimvY2I1B8PsBJkyjdZA8G+eiG1STa0+Vj4yVtMJodKJDJbY6+y7 +M9hajCdUTplLWTbxzPMo54KjTOzyLVT7mfugUlS7WQWrVWVtvScJsvaec95+p/Bx +UdJVwylVjQrxJxI8Bk2yrIgu7/rj+uYGV5+TNKjJWFkQw0YDJ1NkcvVjU7WIwNCl +X6s5s/tuX+yzUA+DBSHx0WuqtGWYaFgXeO/pWPidc8ovYFVIAr3QB76AeEL3ZJj3 +ttN5jk96zOlaVxOOlEC6zX5TJ7Z+aQHBPq8RN/G8o99sOdx5QuKqvhHe8673eIMY +CWPgNSSMJ/7I5IBLsIfIv2UWgLPPHS8s/HTwPacU0/L4pahh553uAhC4QP7BPkYw +p4KXGasR3v9YxuSa33IraJALC6eF2t3L0CLUMzsc0pgLCmGqzskbrP8p0daBjFCS +KofV+jOiQQARAQABiQI8BBgBCAAmFiEEZ6KrT0H5lywh9r9me4kBG8rhz+oFAmCy +yncCGwwFCRLMAwAACgkQe4kBG8rhz+qDNRAAsG3lta/eQ+yWTHCXxXYfw94jm/bx +XFUcvSOwjO+vB5tCt8Q0JmxoZ6PDD/bkcGSDz8FHjhxiIGYKPQiyu7jeZDAijBzu 
+MLf3yGuubM6SUoXB1olkTbs9DTSFdTPqbM8eYn14CVHk19w/in/Oe11BD0I7D4Qg +bkjIAkIKf01AxbcLFKOMihqhSEIEeqP70DIP8hT3arefk2wgEKG108SOzCPD1YQ7 +sEkYX2lRXjqBefHmIGLVllF3v+jUHYFIVz62i/OVMBHXF0D9Qn39cE5e94VdRZIf +0hdizes1w48o9DxVSs+5TTtuLfFtsY+22OqZZ1cxXrdNUBCB4XEllrDdu58Qr7No +fpDPDB4AVatWkpB288C/USl1UJgvhuvZs1AKChi9egfoMJczkZMvgQeiKagQkyeb +l/W7vT3wX4R2WvcM4n6rlPkvRNvO+jw9owSDWuF+6iB0DWEpv5hMjPEfTBv0sYTH +T/sOcV7vKV9Q6JsQwvfOagI9OAkXbxbjpbQgk/jlaaz/9+5wIy2vvW69Nh7ZfFNO +RU1GhwNbghLwbHF7rrGvpwlV9hwpaMYcplvkW9bMgjPGpwxecE1zDdhO8Zq9QXyb +dvDqRPNAqsWd/LwwqRpG36/YI4f5Pdv38W9/HoXlqj9+Uaa/TyDl9TIlBCYcnrzM +SEfMQy8pH/YWOBk= +=QcZC -----END PGP PUBLIC KEY BLOCK----- diff --git a/vsftpd.spec b/vsftpd.spec index 4629ab4..451521e 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -1,7 +1,7 @@ # # spec file for package vsftpd # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,7 @@ %define use_firewalld 0 %endif Name: vsftpd -Version: 3.0.3 +Version: 3.0.4 Release: 0 Summary: Very Secure FTP Daemon - Written from Scratch License: SUSE-GPL-2.0-with-openssl-exception @@ -85,7 +85,6 @@ Patch30: vsftpd-3.0.3-address_space_limit.patch Patch31: vsftpd-enable-syscalls-needed-by-sle15.patch Patch32: vsftpd-support-dsa-only-setups.patch Patch33: vsftpd-avoid-bogus-ssl-write.patch -Patch34: 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch # PATCH-FIX-UPSTREAM https://bugzilla.suse.com/show_bug.cgi?id=1179553 Patch36: seccomp-fixes.patch @@ -154,7 +153,6 @@ tests. %patch31 -p1 %patch32 -p1 %patch33 -p1 -%patch34 -p1 %patch35 -p1 %patch36 -p1 From 0ca37ce5e56fed356792e69f65672e42dd6caadf5f0f2278257321d1d474c857 Mon Sep 17 00:00:00 2001 
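Review bot: The vsftpd.keyring hunk replaces the old key (`1024D/3C0E751C`) outright, in the same commit that adds the tarball signature made by the new key, and nothing on the page shows how the new key was authenticated. vsftpd.changes records only the 64-bit key ID `7B89011BCAE1CFEA`. I would record the full fingerprint and its provenance there, e.g. `- Upstream has a new GPG key (fingerprint <FULL_40_HEX_FINGERPRINT>, obtained from <SOURCE>).`, and say whether the new key carries a signature from the old one. As committed, any signature check against this keyring only proves the tarball matches whatever key was committed alongside it.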
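Review bot: Dropping `Patch34` in the `@@ -85,7 +85,6 @@` and `@@ -154,7 +153,6 @@` hunks of vsftpd.spec also drops the downstream TLS defaults that patch carried, and the commit does not document this. The deleted patch set `tunable_tlsv1 = 1` and `tunable_tlsv1_1 = 1` and widened the default `ssl_ciphers` list. The 3.0.4 changelog entry says TLS prior to v1.2 is now disabled by default, so installations that relied on the packaged defaults will presumably negotiate differently after the update. That is the safer default, but it deserves a changelog line such as `- Packaged defaults for ssl_tlsv1, ssl_tlsv1_1 and ssl_ciphers now follow upstream; review any vsftpd.conf that relied on the old defaults.` `Patch35` still refers to ssl_tlsv1_1, so it is worth confirming that it applies against the upstream option names.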
From: Peter Simons Date: Tue, 29 Jun 2021 11:17:01 +0000 Subject: [PATCH 2/2] refresh patches for the new version OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=150 --- ...ntroduce-TLSv1.1-and-TLSv1.2-options.patch | 149 ------------------ seccomp-fixes.patch | 20 +-- vsftpd-2.0.4-lib64.diff | 22 +-- vsftpd-3.0.3-build-with-openssl-1.1.patch | 12 +- vsftpd.changes | 2 + vsftpd.spec | 2 +- 6 files changed, 26 insertions(+), 181 deletions(-) delete mode 100644 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch diff --git a/0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch b/0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch deleted file mode 100644 index ab3fc62..0000000 --- a/0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch +++ /dev/null 
@@ -1,149 +0,0 @@ -From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Nov 2016 13:36:17 +0100 -Subject: [PATCH] Introduce TLSv1.1 and TLSv1.2 options. - -Users can now enable a specific version of TLS protocol. ---- - parseconf.c | 2 ++ - ssl.c | 8 ++++++++ - tunables.c | 9 +++++++-- - tunables.h | 2 ++ - vsftpd.conf.5 | 24 ++++++++++++++++++++---- - 5 files changed, 39 insertions(+), 6 deletions(-) - -Index: vsftpd-3.0.3/parseconf.c -=================================================================== ---- vsftpd-3.0.3.orig/parseconf.c 2020-11-13 09:52:41.369111000 +0000 -+++ vsftpd-3.0.3/parseconf.c 2020-11-13 09:52:48.881045043 +0000 -@@ -85,6 +85,8 @@ parseconf_bool_array[] = - { "ssl_sslv2", &tunable_sslv2 }, - { "ssl_sslv3", &tunable_sslv3 }, - { "ssl_tlsv1", &tunable_tlsv1 }, -+ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, -+ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, -Index: vsftpd-3.0.3/ssl.c -=================================================================== ---- vsftpd-3.0.3.orig/ssl.c 2020-11-13 09:52:41.369111000 +0000 -+++ vsftpd-3.0.3/ssl.c 2020-11-13 09:52:48.881045043 +0000 -@@ -78,6 +78,14 @@ ssl_init(struct vsf_session* p_sess) - { - options |= SSL_OP_NO_TLSv1; - } -+ if (!tunable_tlsv1_1) -+ { -+ options |= SSL_OP_NO_TLSv1_1; -+ } -+ if (!tunable_tlsv1_2) -+ { -+ options |= SSL_OP_NO_TLSv1_2; -+ } - SSL_CTX_set_options(p_ctx, options); - if (tunable_rsa_cert_file) - { -Index: vsftpd-3.0.3/tunables.c -=================================================================== ---- vsftpd-3.0.3.orig/tunables.c 2020-11-13 09:52:41.369111000 +0000 -+++ vsftpd-3.0.3/tunables.c 2020-11-13 09:56:53.162888596 +0000 -@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; - int tunable_sslv2; - int tunable_sslv3; - int tunable_tlsv1; -+int 
tunable_tlsv1_1; -+int tunable_tlsv1_2; - int tunable_tilde_user_enable; - int tunable_force_anon_logins_ssl; - int tunable_force_anon_data_ssl; -@@ -207,7 +209,10 @@ tunables_load_defaults() - tunable_force_local_data_ssl = 1; - tunable_sslv2 = 0; - tunable_sslv3 = 0; -+ /* TLSv1 up to TLSv1.2 is enabled by default */ - tunable_tlsv1 = 1; -+ tunable_tlsv1_1 = 1; -+ tunable_tlsv1_2 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; - tunable_force_anon_data_ssl = 0; -@@ -288,7 +293,8 @@ tunables_load_defaults() - install_str_setting("/usr/share/ssl/certs/vsftpd.pem", - &tunable_rsa_cert_file); - install_str_setting(0, &tunable_dsa_cert_file); -- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", -+ &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -Index: vsftpd-3.0.3/tunables.h -=================================================================== ---- vsftpd-3.0.3.orig/tunables.h 2020-11-13 09:52:41.369111000 +0000 -+++ vsftpd-3.0.3/tunables.h 2020-11-13 09:52:48.881045043 +0000 -@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; - extern int tunable_sslv2; /* Allow SSLv2 */ - extern int tunable_sslv3; /* Allow SSLv3 */ - extern int tunable_tlsv1; /* Allow TLSv1 */ -+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ -+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ - extern int tunable_tilde_user_enable; /* Support e.g. 
~chris */ - extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ - extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ -Index: vsftpd-3.0.3/vsftpd.conf.5 -=================================================================== ---- vsftpd-3.0.3.orig/vsftpd.conf.5 2020-11-13 09:52:41.370110991 +0000 -+++ vsftpd-3.0.3/vsftpd.conf.5 2020-11-13 09:52:48.881045043 +0000 -@@ -486,7 +486,7 @@ Default: YES - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v2 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. - - Default: NO - .TP -@@ -494,7 +494,7 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v3 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. - - Default: NO - .TP -@@ -502,7 +502,23 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_1 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.1 protocol connections. -+TLS v1.2 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_2 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.2 protocol connections. -+TLS v1.2 connections are preferred. - - Default: YES - .TP -@@ -1001,7 +1017,7 @@ man page for further details. Note that - security precaution as it prevents malicious remote parties forcing a cipher - which they have found problems with. - --Default: DES-CBC3-SHA -+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 - .TP - .B user_config_dir - This powerful option allows the override of any config option specified in 
diff --git a/seccomp-fixes.patch b/seccomp-fixes.patch index 1bc1225..9062295 100644 --- a/seccomp-fixes.patch +++ b/seccomp-fixes.patch @@ -1,7 +1,7 @@ -Index: vsftpd-3.0.3/seccompsandbox.c +Index: vsftpd-3.0.4/seccompsandbox.c =================================================================== ---- vsftpd-3.0.3.orig/seccompsandbox.c -+++ vsftpd-3.0.3/seccompsandbox.c +--- vsftpd-3.0.4.orig/seccompsandbox.c 2021-06-15 08:06:29.165512830 +0000 ++++ vsftpd-3.0.4/seccompsandbox.c 2021-06-15 08:06:42.778484808 +0000 @@ -18,6 +18,7 @@ #include "utility.h" @@ -10,7 +10,7 @@ Index: vsftpd-3.0.3/seccompsandbox.c #include #include -@@ -60,6 +61,7 @@ +@@ -63,6 +64,7 @@ #define kMaxSyscalls 100 @@ -18,7 +18,7 @@ Index: vsftpd-3.0.3/seccompsandbox.c #ifdef DEBUG_SIGSYS #include -@@ -68,7 +70,10 @@ +@@ -71,7 +73,10 @@ void handle_sigsys(int sig) { @@ -30,15 +30,7 @@ Index: vsftpd-3.0.3/seccompsandbox.c } #endif -@@ -443,6 +448,7 @@ seccomp_sandbox_setup_postlogin(const st - allow_nr(__NR_getcwd); - allow_nr(__NR_chdir); - allow_nr(__NR_getdents); -+ allow_nr(__NR_getdents64); - /* Misc */ - allow_nr(__NR_umask); - -@@ -579,8 +585,8 @@ seccomp_sandbox_lockdown() +@@ -586,8 +591,8 @@ seccomp_sandbox_lockdown() p_filter->code = BPF_LD+BPF_W+BPF_ABS; p_filter->jt = 0; p_filter->jf = 0; diff --git a/vsftpd-2.0.4-lib64.diff b/vsftpd-2.0.4-lib64.diff index c86b0e7..6fb5864 100644 --- a/vsftpd-2.0.4-lib64.diff +++ b/vsftpd-2.0.4-lib64.diff @@ -1,7 +1,7 @@ -Index: vsf_findlibs.sh +Index: vsftpd-3.0.4/vsf_findlibs.sh =================================================================== ---- vsf_findlibs.sh.orig -+++ vsf_findlibs.sh +--- vsftpd-3.0.4.orig/vsf_findlibs.sh 2021-05-18 07:14:35.000000000 +0000 ++++ vsftpd-3.0.4/vsf_findlibs.sh 2021-06-29 09:24:32.833223756 +0000 @@ -14,6 +14,7 @@ fi # crypt library. if find_func pam_start sysdeputil.o; then 
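Review bot: The refreshed seccomp-fixes.patch no longer carries the `allow_nr(__NR_getdents64);` line for seccomp_sandbox_setup_postlogin() (hunk `@@ -30,15 +30,7 @@`), and neither the commit message nor vsftpd.changes says why. Presumably upstream 3.0.4 already allows that syscall, since its changelog mentions seccomp sandbox policy tweaks. If it does not, directory listings could be stopped by the sandbox on platforms where libc uses getdents64. After checking seccompsandbox.c in 3.0.4, I would state it in the changelog, e.g. `- seccomp-fixes.patch: drop getdents64 hunk, included upstream.` The bodies of the other hunks in this patch are not visible here beyond their shifted offsets.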
@@ -18,11 +18,11 @@ Index: vsf_findlibs.sh locate_library /usr/lib/libcrypt.so && echo "-lcrypt"; locate_library /usr/lib64/libcrypt.so && echo "-lcrypt"; locate_library /lib/x86_64-linux-gnu/libcrypt.so && echo "-lcrypt"; -@@ -54,6 +56,7 @@ elif locate_library /lib/libcap.so.2; th - echo "/lib/libcap.so.2"; - else - locate_library /usr/lib/libcap.so && echo "-lcap"; -+ locate_library /usr/lib64/libcap.so && echo "-lcap"; - locate_library /lib/libcap.so && echo "-lcap"; - locate_library /lib64/libcap.so && echo "-lcap"; - fi +@@ -52,6 +54,7 @@ locate_library /usr/lib/libsec.sl && ech + # /usr/bin/ld: cannot find -lcap + # If the libcap-devel package isn't installed. + locate_library /usr/lib/libcap.so && echo "-lcap"; ++locate_library /usr/lib64/libcap.so && echo "-lcap"; + locate_library /lib/libcap.so && echo "-lcap"; + locate_library /lib64/libcap.so && echo "-lcap"; + diff --git a/vsftpd-3.0.3-build-with-openssl-1.1.patch b/vsftpd-3.0.3-build-with-openssl-1.1.patch index bb71436..d1dc8e4 100644 --- a/vsftpd-3.0.3-build-with-openssl-1.1.patch +++ b/vsftpd-3.0.3-build-with-openssl-1.1.patch @@ -1,13 +1,13 @@ -Index: vsftpd-3.0.3/vsf_findlibs.sh +Index: vsftpd-3.0.4/vsf_findlibs.sh =================================================================== ---- vsftpd-3.0.3.orig/vsf_findlibs.sh -+++ vsftpd-3.0.3/vsf_findlibs.sh -@@ -72,7 +72,7 @@ locate_library /usr/shlib/librt.so && ec +--- vsftpd-3.0.4.orig/vsf_findlibs.sh 2021-06-15 07:58:45.004475824 +0000 ++++ vsftpd-3.0.4/vsf_findlibs.sh 2021-06-15 07:59:59.039320940 +0000 +@@ -69,7 +69,7 @@ locate_library /usr/shlib/librt.so && ec locate_library /usr/lib/libsendfile.so && echo "-lsendfile"; # OpenSSL -if find_func SSL_library_init ssl.o; then +if find_func SSL_CTX_new ssl.o; then echo "-lssl -lcrypto"; - fi - + elif find_func SSL_new ssl.o; then + echo "-lssl -lcrypto"; diff --git a/vsftpd.changes b/vsftpd.changes index c8ffd07..ac0656d 100644 --- a/vsftpd.changes +++ b/vsftpd.changes 
@@ -11,6 +11,8 @@ Tue Jun 15 07:49:13 AM UTC 2021 - Peter Simons - Upstream has a new GPG key (7B89011BCAE1CFEA). +- "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" is now obsolete. + ------------------------------------------------------------------- Thu Dec 3 11:20:20 UTC 2020 - Ismail Dönmez diff --git a/vsftpd.spec b/vsftpd.spec index 451521e..e36a414 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -122,7 +122,7 @@ tests. %prep %setup -q -%patch1 +%patch1 -p1 %patch3 -p1 %patch4 %patch5