- Version bump to 3.0.3:
* Increase VSFTP_AS_LIMIT to 200MB; various reports.
* Make the PWD response more RFC compliant; report from Barry Kelly
<barry@modeltwozero.com>.
* Remove the trailing period from EPSV response to work around BT Internet
issues; report from Tim Bishop <tdb@mirrorservice.org>.
* Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
<mvyskocil@suse.cz>. At least, syslogging seems to work on my Fedora now.
* Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
probably have a different distro / libc / etc. and there are multiple reports.
* Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
this case gracefully. Report from Vasily Averin <vvs@odin.com>.
* List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
* Make some compile-time SSL defaults (such as correct client shutdown
handling) stricter.
* Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
delays. From Tim Kosse <tim.kosse@filezilla-project.org>.
* Kill the FTP session if we see HTTP protocol commands, to avoid
cross-protocol attacks. A report from Jann Horn <jann@thejh.net>.
* Kill the FTP session if we see session re-use failure. A report from
Tim Kosse <tim.kosse@filezilla-project.org>.
* Enable ECDHE, Tim Kosse <tim.kosse@filezilla-project.org>.
* Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
* Minor SSL logging improvements.
* Un-default tunable_strict_ssl_write_shutdown again. We still have
tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
upload integrity.
- Drop patch vsftpd-allow-dev-log-socket.patch should be included
upstream, se above bullet with mvyskocil's email
OBS-URL: https://build.opensuse.org/request/show/329655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=52
* Increase VSFTP_AS_LIMIT to 200MB; various reports.
* Make the PWD response more RFC compliant; report from Barry Kelly
<barry@modeltwozero.com>.
* Remove the trailing period from EPSV response to work around BT Internet
issues; report from Tim Bishop <tdb@mirrorservice.org>.
* Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
<mvyskocil@suse.cz>. At least, syslogging seems to work on my Fedora now.
* Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
probably have a different distro / libc / etc. and there are multiple reports.
* Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
this case gracefully. Report from Vasily Averin <vvs@odin.com>.
* List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
* Make some compile-time SSL defaults (such as correct client shutdown
handling) stricter.
* Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
delays. From Tim Kosse <tim.kosse@filezilla-project.org>.
* Kill the FTP session if we see HTTP protocol commands, to avoid
cross-protocol attacks. A report from Jann Horn <jann@thejh.net>.
* Kill the FTP session if we see session re-use failure. A report from
Tim Kosse <tim.kosse@filezilla-project.org>.
* Enable ECDHE, Tim Kosse <tim.kosse@filezilla-project.org>.
* Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
* Minor SSL logging improvements.
* Un-default tunable_strict_ssl_write_shutdown again. We still have
tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
upload integrity.
- Drop patch vsftpd-allow-dev-log-socket.patch should be included
upstream, se above bullet with mvyskocil's email
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=89
- bnc#925963 stat is sometimes run on wrong path and results with
ENOENT, ensure we sent both dir+file to filter verification:
* vsftpd-path-normalize.patch
- Update patch bit more for sanity checks. Done by rsassu@suse.de:
* vsftpd-path-normalize.patch
- Add back patch attempting to fix bnc#900326 bnc#915522 and
bnc#922538:
* vsftpd-path-normalize.patch
- Reset filter patch to match fedora, my work will be restarted
in one-off patch to make the changes stand out. Add rest of
RH filtering patches:
* vsftpd-2.2.0-wildchar.patch
* vsftpd-2.3.4-sqb.patch
* vsftpd-2.1.0-filter.patch
- Work on the filter patch and split out the normalisation of the
path to separate str function, currently commented out so I
avoid huge diffing.
* vsftpd-2.1.0-filter.patch
OBS-URL: https://build.opensuse.org/request/show/294583
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=49
- Cleanup with spec-cleaner
- Remove conditions about init files as we do not build for < 12.1
anyway.
- Update the README.SUSE file to describe more the listen option.
- Add socket service for vsftpd to avoid the need for xinetd here.
- Add comment about listen variables for xinetd configuration.
Fixes bnc#872221.
- Add default configuration as arg to xinetd started vsftpd.
- Updated patch:
* vsftpd-2.0.4-xinetd.diff
OBS-URL: https://build.opensuse.org/request/show/235383
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=43
- Move the enabling of timeofday and alarm one level deeper to
be sure it is whitelisted everytime.
Also should possibly fix bnc#872215.
- Updated patch:
* vsftpd-enable-gettimeofday-sec.patch
- Remove forking from service type as it hangs in endless loop.
- Fix warning about dangling symlink on rcvsftpd from rpmlint and
remove also clean section while at it.
- Add patch to allow gettimeofday and alarm calls with seccomp
enabled. bnc#870122
- Added patch:
* vsftpd-enable-gettimeofday-sec.patch
- Specify that the service type is forking
- changed license to SUSE-GPL-2.0-with-openssl-exception
* suggested by legal team
- add allow_root_squashed_chroot option to enable chroot on nsf
mounted with squash_root option (fate#311051)
* vsftpd-root-squashed-chroot.patch (forwarded request 229627 from scarabeus_iv)
OBS-URL: https://build.opensuse.org/request/show/229628
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=42
- Move the enabling of timeofday and alarm one level deeper to
be sure it is whitelisted everytime.
Also should possibly fix bnc#872215.
- Updated patch:
* vsftpd-enable-gettimeofday-sec.patch
- Remove forking from service type as it hangs in endless loop.
- Fix warning about dangling symlink on rcvsftpd from rpmlint and
remove also clean section while at it.
- Add patch to allow gettimeofday and alarm calls with seccomp
enabled. bnc#870122
- Added patch:
* vsftpd-enable-gettimeofday-sec.patch
- Specify that the service type is forking
- changed license to SUSE-GPL-2.0-with-openssl-exception
* suggested by legal team
- add allow_root_squashed_chroot option to enable chroot on nsf
mounted with squash_root option (fate#311051)
* vsftpd-root-squashed-chroot.patch
OBS-URL: https://build.opensuse.org/request/show/229627
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=59
- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
* this enabled a sendto on /dev/log socket when syslog is enabled
- provide more verbose explanation about isolate_network and seccomp_sanbox in
config file template
- don't install init file on openSUSE 13.1+
- drop a build support for SL 10 and older
- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
* drop CLONE_NEWPID from clone to enable audit system
- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
* unconditionally enable F_SETFL patch - might be safe to do (forwarded request 162590 from mvyskocil)
OBS-URL: https://build.opensuse.org/request/show/162591
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=39
- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
* this enabled a sendto on /dev/log socket when syslog is enabled
- provide more verbose explanation about isolate_network and seccomp_sanbox in
config file template
- don't install init file on openSUSE 13.1+
- drop a build support for SL 10 and older
- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
* drop CLONE_NEWPID from clone to enable audit system
- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
* unconditionally enable F_SETFL patch - might be safe to do
OBS-URL: https://build.opensuse.org/request/show/162590
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=55
Verify GPG signature: Perform build-time offline GPG verification.
Please verify that included keyring matches your needs.
For manipulation with the offline keyring, please use gpg-offline tool from openSUSE:Factory, devel-tools-building or Base:System.
See the man page and/or /usr/share/doc/packages/gpg-offline/PACKAGING.HOWTO.
If you need to build your package for older products and don't want to mess spec file with ifs, please follow PACKAGING.HOWTO:
you can link or aggregate gpg-offline from
devel:tools:building or use following trick with "osc meta prjconf":
--- Cut here ----
%if 0%{?suse_version} <= 1220
Substitute: gpg-offline
%endif
Macros:
%gpg_verify(dnf) \
%if 0%{?suse_version} > 1220\
echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\
gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\
%else\
echo "WARNING: Dummy prjconf macro. gpg-offline is not available, skipping %{**} GPG signature verification!"\
%endif\
%nil
-----------------
(forwarded request 143938 from sbrabec)
OBS-URL: https://build.opensuse.org/request/show/145730
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=35
Verify GPG signature: Perform build-time offline GPG verification.
Please verify that included keyring matches your needs.
For manipulation with the offline keyring, please use gpg-offline tool from openSUSE:Factory, devel-tools-building or Base:System.
See the man page and/or /usr/share/doc/packages/gpg-offline/PACKAGING.HOWTO.
If you need to build your package for older products and don't want to mess spec file with ifs, please follow PACKAGING.HOWTO:
you can link or aggregate gpg-offline from
devel:tools:building or use following trick with "osc meta prjconf":
--- Cut here ----
%if 0%{?suse_version} <= 1220
Substitute: gpg-offline
%endif
Macros:
%gpg_verify(dnf) \
%if 0%{?suse_version} > 1220\
echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\
gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\
%else\
echo "WARNING: Dummy prjconf macro. gpg-offline is not available, skipping %{**} GPG signature verification!"\
%endif\
%nil
-----------------
OBS-URL: https://build.opensuse.org/request/show/143938
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=49
- update to 3.0.2 (bnc#786024)
* Fix some seccomp related build errors on certain CentOS and Debian versions.
* Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort()
opens and maps /proc/meminfo but only for larger item counts?
* Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
* Fix various NULL crashes with nonsensical config settings. Noted by Tianyin
Xu <tixu@cs.ucsd.edu>.
* Force cast to unsigned char in is* char functions.
* Fix harmless integer issues in strlist.c.
* Started on a (possibly ill-advised?) crusade to compile cleanly with
Wconversion. Decided to suspend the effort half-way through.
* One more seccomp policy fix: mremap (denied).
* Support STOU with no filename, uses a STOU. prefix.
OBS-URL: https://build.opensuse.org/request/show/138998
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=33
* Fix some seccomp related build errors on certain CentOS and Debian versions.
* Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort()
opens and maps /proc/meminfo but only for larger item counts?
* Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
* Fix various NULL crashes with nonsensical config settings. Noted by Tianyin
Xu <tixu@cs.ucsd.edu>.
* Force cast to unsigned char in is* char functions.
* Fix harmless integer issues in strlist.c.
* Started on a (possibly ill-advised?) crusade to compile cleanly with
Wconversion. Decided to suspend the effort half-way through.
* One more seccomp policy fix: mremap (denied).
* Support STOU with no filename, uses a STOU. prefix.
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=45
