forked from pool/vsftpd
- Version bump to 3.0.3:
* Increase VSFTP_AS_LIMIT to 200MB; various reports.
* Make the PWD response more RFC compliant; report from Barry Kelly
<barry@modeltwozero.com>.
* Remove the trailing period from EPSV response to work around BT Internet
issues; report from Tim Bishop <tdb@mirrorservice.org>.
* Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
<mvyskocil@suse.cz>. At least, syslogging seems to work on my Fedora now.
* Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
probably have a different distro / libc / etc. and there are multiple reports.
* Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
this case gracefully. Report from Vasily Averin <vvs@odin.com>.
* List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
* Make some compile-time SSL defaults (such as correct client shutdown
handling) stricter.
* Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
delays. From Tim Kosse <tim.kosse@filezilla-project.org>.
* Kill the FTP session if we see HTTP protocol commands, to avoid
cross-protocol attacks. A report from Jann Horn <jann@thejh.net>.
* Kill the FTP session if we see session re-use failure. A report from
Tim Kosse <tim.kosse@filezilla-project.org>.
* Enable ECDHE, Tim Kosse <tim.kosse@filezilla-project.org>.
* Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
* Minor SSL logging improvements.
* Un-default tunable_strict_ssl_write_shutdown again. We still have
tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
upload integrity.
- Drop patch vsftpd-allow-dev-log-socket.patch should be included
upstream, se above bullet with mvyskocil's email
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=89
This commit is contained in:
Tomáš Chvátal
Git OBS Bridge
parent
b1b099bd31
commit
7cbe902ddd
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:be46f0e2c5528fe021fafc8dab1ecfea0c1f183063a06977f8537fcd0b195e56
|
||||
size 192808
|
||||
@ -1,7 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.11 (GNU/Linux)
|
||||
|
||||
iEYEABECAAYFAlBYSB8ACgkQqmLsRjwOdRwyzACdEOSXJgLVmiIZHZ/dFJfchX1R
|
||||
Z3cAnjkRO3++zgZuG+CQ+FJx745IlazL
|
||||
=UTJs
|
||||
-----END PGP SIGNATURE-----
|
||||
3
vsftpd-3.0.3.tar.gz
Normal file
3
vsftpd-3.0.3.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:9d4d2bf6e6e2884852ba4e69e157a2cecd68c5a7635d66a3a8cf8d898c955ef7
|
||||
size 196649
|
||||
7
vsftpd-3.0.3.tar.gz.asc
Normal file
7
vsftpd-3.0.3.tar.gz.asc
Normal file
@ -0,0 +1,7 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iEYEABECAAYFAlWy7z8ACgkQqmLsRjwOdRyg1QCgp6fVazIhibmgmlefKPEVBUEM
|
||||
yDMAnibP6iavxih4przbfR+Fd3LgsARM
|
||||
=G+eX
|
||||
-----END PGP SIGNATURE-----
|
||||
@ -1,30 +0,0 @@
|
||||
From: mvyskocil@suse.com
|
||||
Subject: enable /dev/log related socket call
|
||||
|
||||
Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
|
||||
sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
|
||||
with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
|
||||
pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
|
||||
|
||||
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
|
||||
|
||||
Index: vsftpd-3.0.2/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
||||
+++ vsftpd-3.0.2/seccompsandbox.c
|
||||
@@ -353,6 +353,15 @@ seccomp_sandbox_setup_prelogin(const str
|
||||
{
|
||||
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
|
||||
}
|
||||
+
|
||||
+ //this is very probably an attempt to open /dev/log
|
||||
+ //it fails because process cannot open any file, so it might be safe
|
||||
+ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
|
||||
+ allow_nr_3_arg_match(__NR_socket,
|
||||
+ 1, PF_FILE,
|
||||
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
|
||||
+ 3, 0);
|
||||
+
|
||||
}
|
||||
|
||||
void
|
||||
@ -1,3 +1,36 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 8 10:57:55 UTC 2015 - tchvatal@suse.com
|
||||
|
||||
- Version bump to 3.0.3:
|
||||
* Increase VSFTP_AS_LIMIT to 200MB; various reports.
|
||||
* Make the PWD response more RFC compliant; report from Barry Kelly
|
||||
<barry@modeltwozero.com>.
|
||||
* Remove the trailing period from EPSV response to work around BT Internet
|
||||
issues; report from Tim Bishop <tdb@mirrorservice.org>.
|
||||
* Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
|
||||
<mvyskocil@suse.cz>. At least, syslogging seems to work on my Fedora now.
|
||||
* Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
|
||||
probably have a different distro / libc / etc. and there are multiple reports.
|
||||
* Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
|
||||
this case gracefully. Report from Vasily Averin <vvs@odin.com>.
|
||||
* List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
|
||||
* Make some compile-time SSL defaults (such as correct client shutdown
|
||||
handling) stricter.
|
||||
* Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
|
||||
delays. From Tim Kosse <tim.kosse@filezilla-project.org>.
|
||||
* Kill the FTP session if we see HTTP protocol commands, to avoid
|
||||
cross-protocol attacks. A report from Jann Horn <jann@thejh.net>.
|
||||
* Kill the FTP session if we see session re-use failure. A report from
|
||||
Tim Kosse <tim.kosse@filezilla-project.org>.
|
||||
* Enable ECDHE, Tim Kosse <tim.kosse@filezilla-project.org>.
|
||||
* Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
|
||||
* Minor SSL logging improvements.
|
||||
* Un-default tunable_strict_ssl_write_shutdown again. We still have
|
||||
tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
|
||||
upload integrity.
|
||||
- Drop patch vsftpd-allow-dev-log-socket.patch should be included
|
||||
upstream, se above bullet with mvyskocil's email
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 23 08:51:32 UTC 2015 - tchvatal@suse.com
|
||||
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: vsftpd
|
||||
Version: 3.0.2
|
||||
Version: 3.0.3
|
||||
Release: 0
|
||||
Summary: Very Secure FTP Daemon - Written from Scratch
|
||||
License: SUSE-GPL-2.0-with-openssl-exception
|
||||
@ -44,8 +44,6 @@ Patch8: vsftpd-2.0.5-utf8-log-names.patch
|
||||
Patch9: vsftpd-2.3.5-conf.patch
|
||||
Patch10: vsftpd-3.0.0_gnu_source_defines.patch
|
||||
Patch11: vsftpd-3.0.0-optional-seccomp.patch
|
||||
#PATCH-FIX-OPENSUSE: bnc#786024
|
||||
Patch12: vsftpd-allow-dev-log-socket.patch
|
||||
#PATCH-FIX-OPENSUSE: bnc#786024, second issue with pam_login_acct
|
||||
Patch13: vsftpd-drop-newpid-from-clone.patch
|
||||
#PATCH-FIX-OPENSUSE: bnc#812406
|
||||
@ -96,7 +94,6 @@ tests.
|
||||
%patch9
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user