* Make listen mode the default.
* Fix missing "const" in ssl.c
* Add seccompsandbox.c to support a seccomp filter sandbox; works against
Ubuntu 12.04 ABI.
* Rearrange ftppolicy.c a bit so the syscall list is easily comparable with
seccompsandbox.c
* Rename deprecated "sandbox" to "ptrace_sandbox".
* Add a few more state checks to the privileged helper processes.
* Add tunable "seccomp_sandbox", default on.
* Use hardened build flags.
* Retry creating a PASV socket upon port reuse race between bind() and
listen(), patch from Ralph Wuerthner <ralph.wuerthner@de.ibm.com>.
* Don't die() if recv() indicates a closed remote connection. Problem report
on a Windows client from Herbert van den Bergh,
<herbert.van.den.bergh@oracle.com>.
* Add new config setting "allow_writeable_chroot" to help people in a bit of
a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
* Remove a couple of fixed things from BUGS.
* strlen() truncation fix -- no particular impact.
* Apply some tidyups from mmoufid@yorku.ca.
* Fix delete_failed_uploads if there is a timeout. Report from Alejandro
Hernández Hdez <aalejandrohdez@gmail.com>.
* Fix other data channel bugs such as failure to log failure upon timeout.
* Use exit codes a bit more consistently.
* Fix bad interaction between SSL and trans_chunk_size.
* Redo data timeout to fire properly for SSL sessions.
* Redo idle timeout to fire properly for SSL sessions.
* Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
* Use 10 minutes as a max linger time just in case an alarm gets lost.
* Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
* Add AES128-SHA to default SSL cipher suites for FileZilla compatibility.
Unfortunately the default vsftpd SSL configuration still doesn't fully work with
FileZilla, because FileZilla has a data connection security problem: no client
certificate presentation and no session reuse. At least the error message is
now very clear.
* Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst
a data transfer is in progress.
* Fix delete_failed_uploads for anonymous sessions.
* Don't listen for urgent data if the control connection is SSL, due to possible
protocol synchronization issues.
- SUSE specific changes:
* turn off the listen mode (listen=NO) by default and change README.SUSE
* merge new hardened flags for build and linking
* fix the wrong Type=forking from systemd service file
* turn off the seccomp_sandbox by default as SUSE kernel does not support
it (yet)
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=38