| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: vsftpd | Distribution: SUSE Linux Framework One |
| Version: 3.0.5 | Vendor: SUSE LLC <https://www.suse.com/> |
| Release: slfo.1.1.7 | Build date: Wed Aug 21 17:54:02 2024 |
| Group: Productivity/Networking/Ftp/Servers | Build host: ibs-power9-12 |
| Size: 369242 | Source RPM: vsftpd-3.0.5-slfo.1.1.7.src.rpm |
| Packager: https://www.suse.com/ | |
| Url: https://security.appspot.com/vsftpd.html | |
| Summary: Very Secure FTP Daemon - Written from Scratch | |
Vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously this is not a guarantee, but the entire codebase was written with security in mind, and carefully designed to be resilient to attack. Recent evidence suggests that vsftpd is also extremely fast (and this is before any explicit performance tuning!). In tests against wu-ftpd, vsftpd was always faster, supporting over twice as many users in some tests.
SUSE-GPL-2.0-with-openssl-exception
* Wed Oct 04 2023 kukuk@suse.com
- Add vsftpd.ftpusers, the netcfg one is not maintained, outdated
and will be removed.
- vsftpd.pam: use own copy of ftpusers.
* Tue Sep 26 2023 pmonreal@suse.com
- Enable crypto-policies support: [bsc#1211301]
* Add vsftpd-use-system-wide-crypto-policy.patch
* Fri Aug 25 2023 kukuk@suse.com
- Use pam macros to install pam config in /usr/lib/pam.d
- Adjust vsftpd.pam to include postlogin config (replace wtmp with
wtmpdb for Y2038 [jsc#3144])
* Mon Jun 19 2023 psimons@suse.com
- Apply "0001-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch"
to fix the documentation of the strict_ssl_read_eof option. The
documentation says option would be disabled by default, but it is
in fact enabled. [bsc#1200075]
* Tue Jan 03 2023 david.anes@suse.com
- Use valid separator for logrotate config file. [bsc#1192179]
* Fri Sep 16 2022 psimons@suse.com
- systemd versions prior to 244 do not support the ProtectXYZ
directives we use in our vsftpd.service file and log warnings
every time the daemon starts, which confuses our users. We avoid
this issue by removing the unsupported options from the service
file when installing on a distribution that comes with such an
older version of systemd. [bsc#1196918]
* Thu Sep 15 2022 schubi@localhost
- Migration to /usr/etc: Saving user changed configuration files
in /etc and restoring them while an RPM update.
* Thu Aug 25 2022 psimons@suse.com
- Apply "disable-tls13-to-support-older-openssl-versions.patch"
when building on SLE-15. This is necessary, because openssl_1_1
on that codestream is version 1.1.0 rather than 1.1.1 and that
older version has no TLSv1.3 support. [bsc#1187686]
* Wed Jun 29 2022 schubi@suse.com
- When building on Tumbleweed, move logrotate files from user
specific directory /etc/logrotate.d to vendor specific directory
/usr/etc/logrotate.d. Builds on other codestreams still use the
original location.
* Thu Mar 03 2022 psimons@suse.com
- Use rpm conditional to build against the proper OpenSSL version
on all distributions. This allows us to update vsftpd in all
maintained SLE codestreams to the current Factory version and
mitigate the newly discovered ALPACA attack. [jsc#SLE-24275,
jsc#PM-3322, bsc#1187686]
* Tue Feb 01 2022 psimons@suse.com
- Add "seccomp-fixes.patch" to fix the syscall architecture offset
from 4 to 5, this change was documented in
<https://lore.kernel.org/patchwork/patch/554803/>.
- Add "vsftpd-openlog-force.patch" to a logic error in the way the
force option for syslog's openlog() call was handled.
- Add "vsftpd-seccomp-getrandom.patch" to fix a seccomp failure in
FIPS mode when SSL was enabled. [bsc#1052900]
- Add "vsftpd-seccomp-ssl.patch" to allow stat() to be called,
which is required during SSL initialization by RAND_load_file().
- Add "vsftpd-seccomp-wait4.patch" to allow wait4() to be called so
that the broker can wait for its child processes. [bsc#1021387]
- Refresh patches to -p1 style so that we can use %autosetup:
* vsftpd-2.0.4-dmapi.patch
* vsftpd-2.0.4-enable-ssl.patch
* vsftpd-2.0.5-enable-debuginfo.patch
* vsftpd-2.0.5-utf8-log-names.patch
* vsftpd-2.0.5-vuser.patch
* vsftpd-2.3.5-conf.patch
- Apply "revert-undocumented-config-file-format-changes.patch" to
revert the "ssl_tlsv1_X"-style config file options back to their
original spelling. The changes that dropped the underscore from
the version numbers in release 3.0.4 breaks existing
configurations and it was never documented anywhere -- not in the
package's changelog and not in the packages's own man page.
- Apply "use-system-wide-tls-cipher-policy.patch" so that vsftpd
follows the system-wide TLS cipher policy "DEFAULT_SUSE" by
default. Run the command "openssl ciphers -v DEFAULT_SUSE" to see
which ciphers this includes.
- Apply "vsftpd-allow-dev-log-socket.patch" to allow sendto()
syscall when /dev/log support is enabled. [bnc#786024]
- Apply "vsftpd-enable-sendto-for-prelogin-syslog.patch" to allow
sendto() to be called from check_limits(), which is necessary for
vsftpd to write to the system log.
* Wed Jan 05 2022 jsegitz@suse.com
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* vsftpd.service
* Fri Sep 10 2021 fvogt@suse.com
- Update to version 3.0.5:
* Fix ALPN callback to correctly select the 'ftp' string if present.
Works with FileZilla-3.55.0.
* Fix a couple of seccomp policy issues with Fedora 34.
* Tue Jun 15 2021 psimons@suse.com
- Update to version 3.0.4.
* Fix runtime SIGSYS crashes (seccomp sandbox policy tweaks).
* Reject HTTP verbs pre-login.
* Disable TLS prior to v1.2 by default.
* Close the control connection after 10 unknown commands pre-login.
* Reject any TLS ALPN advertisement that's not 'ftp'.
* Add ssl_sni_hostname option to require a match on incoming SNI hostname.
* The options "ssl_tlsv1_1", "ssl_tlsv1_2", and "ssl_tlsv1_3"
have been renamed to "ssl_tlsv11", "ssl_tlsv12", and
"ssl_tlsv13" respectively. Note that the man page has not been
updated accordingly.
- Upstream has a new GPG key (7B89011BCAE1CFEA).
- "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" is now obsolete.
- "0001-Introduce-TLSv1.3-option.patch" is now obsolete.
- "vsftpd-seccomp-syslog.patch" is now obsolete.
* Mon Jun 14 2021 psimons@suse.com
- OpenSSL was updated to version 1.1.1 in SLE-15-SP2, adding
support for the TLSv1.3 protocol. As a consequence, some SLE-15
applications that link OpenSSL for TLS support -- like vsftpd --,
gained the ability to use the newer TLS protocol, which created
interoperability problems with FTP clients in some cases. To
remedy the situation, "0001-Introduce-TLSv1.3-option.patch" was
applied in a forked SLE-15-SP2 version of vsftpd. The patch adds
the configuration option "ssl_tlsv1_3" that system administrators
can use to disable TLSv1.3 support on their servers.
[bsc#1187188]
* Thu Dec 03 2020 idonmez@suse.com
- Add seccomp-fixes.patch to allow getdents64 syscall in seccomp
sandbox, fixes bsc#1179553
Also in the same patch, fix the architecture offset from 4 to 5,
this change was documented in https://lore.kernel.org/patchwork/patch/554803/
* Fri Nov 13 2020 psimons@suse.com
- Apply "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" and
"0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch",
which add the "ssl_tlsv1_1" and "ssl_tlsv1_2" options to the
configuration file. Both options default to true. [SLE-4182]
* Wed Aug 19 2020 dimstar@opensuse.org
- Use %{_prefix}/lib instead of misused %{_libexecdir}.
* Thu Dec 05 2019 josef.moellers@suse.com
- Add pam_keyinit.so to PAM config file.
[vsftpd.pam, bsc#1144062]
* Tue Jun 18 2019 psimons@suse.com
- Apply "vsftpd-avoid-bogus-ssl-write.patch" to fix a segmentation
fault that occurred while trying to write to an invalid TLS
context. [bsc#1125951]
* Wed Jun 12 2019 dimstar@opensuse.org
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
shortcut the build queues by allowing usage of systemd-mini
* Tue Oct 23 2018 suse-beta@cboltz.de
- firewall-macros should be BuildRequires, not Requires(post)
(the macro gets expanded during package build)
* Thu Jun 28 2018 psimons@suse.com
- Extend "vsftpd-3.0.3-address_space_limit.patch" to mention the
new 'address_space_limit' option in the installed vsftpd.conf(5)
man page. [bsc#1075060]
* Thu Jun 21 2018 psimons@suse.com
- Apply "vsftpd-support-dsa-only-setups.patch" to disable the
problematic default setting for rsa_cert_file. Upstream
initializes that value to "/usr/share/ssl/certs/vsftpd.pem" and
vsftpd won't start up if that file does not exist (or if it does
not contain an RSA certificate). Therefore, users who copy a DSA
certificate into that location or properly configure a DSA
certificate via dsa_cert_file without explicitly disabling the
RSA certificate won't be able to start vsftpd. [bsc#975538]
* Wed May 16 2018 psimons@suse.com
- Don't start/stop parameterized systemd units in pre/post actions.
These units cannot be used without an explicit parameter and
attempts to do so lead to a confusing "failed to try-restart"
error message. [bsc#1093179, bsc#1010177]
* Wed Apr 25 2018 psimons@suse.com
- vsftpd-enable-syscalls-needed-by-sle15.patch: Enable wait4(),
sysinfo(), and shutdown() syscalls in seccomp sandbox. These are
required for the daemon to work properly on SLE-15. [bsc#1089088,
bsc#1180314]
* Tue Apr 03 2018 vcizek@suse.com
- Add firewalld service file (bsc#1083705)
* Wed Dec 13 2017 tchvatal@suse.com
- Make sure to also require group nobody and user ftp bsc#1070653
* Thu Sep 07 2017 psimons@suse.com
- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that
would cause SSL protocol errors, aborting the connection, whenever
system errors occurred that were supposed to be non-fatal.
[bsc#1044292]
- Add "vsftpd-mdtm-in-utc.patch" to fix interoperability issue with
various ftp clients that arose when vsftpd is configured with
option "use_localtime=YES". Basically, it's fine to use local time
stamps in directory listings, but responding to MDTM commands with
any time zone other than UTC directly violates RFC3659 and leads
FTP clients to misinterpret the file's time stamp. [bsc#1024961]
- Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to
append to a file system pipe. [bsc#1048427]
- Add "vsftpd-3.0.3-address_space_limit.patch" to create the new
configuration option "address_space_limit", which determines the
memory limit vsftpd configures for its own process (given in
bytes). The previously hard-coded limit (100 MB) may not be
sufficient for vsftpd servers running with certain PAM modules
enabled, and in such cases administrators may wish to raise the
limit to match their system's requirements. [bsc#1042137]
- Don't rely on the vsf_findlibs.sh script to figure out the list
of libraries the build needs to link. The script is wildly
unreliable and it's hard to predict what results it will produce.
Also, the results it *does* produce are invisble in the build
log. We stumbled across this issue when vsftpd suddendly had
build failures on i586 platforms because the script decided to
try and link "-lnsl" even though the library was neither
installed nor required.
- Drop the explicit specification of the LDFLAGS and LINK variables
from the call to make. The value of LDFLAGS we passed is the
default anyway and giving LINK has no effect since it's not used
anywhere in the Makefile.
* Wed Jun 14 2017 tchvatal@suse.com
- Conditionally install xinetd service only on older releases
* On current distributions we support the same functionality
via systemd socket activation
* Mon Jun 12 2017 daniel.molkentin@suse.com
- Fix build against OpenSSL 1.1. Remove lock on 1.0.x libs
adds vsftpd-3.0.3-build-with-openssl-1.1.patch
(bsc#1042673)
* Wed May 31 2017 psimons@suse.com
- Explicitly depend on OpenSSL version 1.0.x since vsftpd doesn't
compile against the API provided by newer versions.
* Tue May 02 2017 kukuk@suse.de
- Adjust to new system user/group RPMs
* Mon Sep 19 2016 psimons@suse.com
- Add vsftpd-3.0.2-fix-chown-uploads.patch to fix a bug in vsftpd
where files uploaded by an anonymous user could not be chown()ed
to the desired UID as specified in the daemon's configuration
file. [bnc#996370]
* Wed Aug 31 2016 dimstar@opensuse.org
- Extend vsftpd-2.0.4-lib64.diff to also find libcap.so.* in
/usr/lib64.
* Fri Aug 05 2016 tchvatal@suse.com
- Do not bother with omc xml configs, useless nowdays
* Wed Mar 23 2016 tchvatal@suse.com
- Require shadow and do not output the error out of useradd
* Tue Mar 22 2016 tchvatal@suse.com
- Fix hang when using seccomp and syslog bnc#971784:
* vsftpd-seccomp-syslog.patch
* Tue Mar 22 2016 tchvatal@suse.com
- Fix user creation to not report error when user alredy exist
bnc#972169
* Mon Mar 21 2016 tchvatal@suse.com
- Fix bnc#970982 hanging on pam_exec in pam.d
* Add patch vsftpd-3.0.2-wnohang.patch
* Thu Mar 10 2016 jcejka@suse.com
- Fix memory leaks in ls.c bnc#968138
* Add patch vsftpd-ls-memleak.patch
* Update patch vsftpd-path-normalize.patch
- Fix wildcard ? matching bnc#969411
* Update patch vsftpd-2.3.4-sqb.patch
* Mon Sep 21 2015 tchvatal@suse.com
- Clean-up the init.d support to be bit more readable and add missing dep
* Mon Sep 21 2015 joop.boonen@opensuse.org
- Brought back additional systemv support so it also builds for SLES 10 and 11
* Tue Sep 08 2015 tchvatal@suse.com
- Version bump to 3.0.3:
* Increase VSFTP_AS_LIMIT to 200MB; various reports.
* Make the PWD response more RFC compliant; report from Barry Kelly
<barry@modeltwozero.com>.
* Remove the trailing period from EPSV response to work around BT Internet
issues; report from Tim Bishop <tdb@mirrorservice.org>.
* Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
<mvyskocil@suse.cz>. At least, syslogging seems to work on my Fedora now.
* Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
probably have a different distro / libc / etc. and there are multiple reports.
* Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
this case gracefully. Report from Vasily Averin <vvs@odin.com>.
* List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
* Make some compile-time SSL defaults (such as correct client shutdown
handling) stricter.
* Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
delays. From Tim Kosse <tim.kosse@filezilla-project.org>.
* Kill the FTP session if we see HTTP protocol commands, to avoid
cross-protocol attacks. A report from Jann Horn <jann@thejh.net>.
* Kill the FTP session if we see session re-use failure. A report from
Tim Kosse <tim.kosse@filezilla-project.org>.
* Enable ECDHE, Tim Kosse <tim.kosse@filezilla-project.org>.
* Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
* Minor SSL logging improvements.
* Un-default tunable_strict_ssl_write_shutdown again. We still have
tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
upload integrity.
- Drop patch vsftpd-allow-dev-log-socket.patch should be included
upstream, se above bullet with mvyskocil's email
* Tue Jun 23 2015 tchvatal@suse.com
- Fix logrotate script to not fail when vsftpd is not running,
bnc#935279
* Fri Apr 17 2015 tchvatal@suse.com
- Fix hide_file option wrt bnc#927612:
* vsftpd-path-normalize.patch
* Sun Apr 05 2015 tchvatal@suse.com
- bnc#925963 stat is sometimes run on wrong path and results with
ENOENT, ensure we sent both dir+file to filter verification:
* vsftpd-path-normalize.patch
* Wed Mar 25 2015 tchvatal@suse.com
- Update patch bit more for sanity checks. Done by rsassu@suse.de:
* vsftpd-path-normalize.patch
* Mon Mar 23 2015 tchvatal@suse.com
- Add back patch attempting to fix bnc#900326 bnc#915522 and
bnc#922538:
* vsftpd-path-normalize.patch
* Mon Mar 23 2015 tchvatal@suse.com
- Reset filter patch to match fedora, my work will be restarted
in one-off patch to make the changes stand out. Add rest of
RH filtering patches:
* vsftpd-2.2.0-wildchar.patch
* vsftpd-2.3.4-sqb.patch
* vsftpd-2.1.0-filter.patch
* Mon Mar 23 2015 tchvatal@suse.com
- Work on the filter patch and split out the normalisation of the
path to separate str function, currently commented out so I
avoid huge diffing.
* vsftpd-2.1.0-filter.patch
* Fri Feb 20 2015 tchvatal@suse.com
- Add service calls for other unit files too
- Udate filter patch to work as expected:
* vsftpd-2.1.0-filter.patch
* Fri Jan 02 2015 tchvatal@suse.com
- Try to fix deny_file parsing to do more what is expected. Taken
from fedora. bnc#900326 bnc#915522 CVE-2015-1419
* vsftpd-2.1.0-filter.patch
* Fri Nov 14 2014 dimstar@opensuse.org
- No longer perform gpg validation; osc source_validator does it
implicit:
+ Drop gpg-offline BuildRequires.
+ No longer execute gpg_verify.
* Thu Aug 21 2014 jmatejek@suse.com
- force using fork() instead of clone() on s390 - fixes bnc#890469
* vsftpd-3.0.2-s390.patch
* Mon May 26 2014 tchvatal@suse.com
- Cleanup with spec-cleaner
- Remove conditions about init files as we do not build for < 12.1
anyway.
- Update the README.SUSE file to describe more the listen option.
* Mon May 26 2014 tchvatal@suse.com
- Add socket service for vsftpd to avoid the need for xinetd here.
* Mon May 26 2014 tchvatal@suse.com
- Add comment about listen variables for xinetd configuration.
Fixes bnc#872221.
- Add default configuration as arg to xinetd started vsftpd.
- Updated patch:
* vsftpd-2.0.4-xinetd.diff
* Thu Apr 10 2014 tchvatal@suse.com
- Move the enabling of timeofday and alarm one level deeper to
be sure it is whitelisted everytime.
Also should possibly fix bnc#872215.
- Updated patch:
* vsftpd-enable-gettimeofday-sec.patch
* Thu Apr 10 2014 tchvatal@suse.com
- Remove forking from service type as it hangs in endless loop.
* Wed Apr 02 2014 tchvatal@suse.com
- Fix warning about dangling symlink on rcvsftpd from rpmlint and
remove also clean section while at it.
* Wed Apr 02 2014 tchvatal@suse.com
- Add patch to allow gettimeofday and alarm calls with seccomp
enabled. bnc#870122
- Added patch:
* vsftpd-enable-gettimeofday-sec.patch
* Tue Apr 01 2014 tchvatal@suse.com
- Specify that the service type is forking
* Mon Jan 27 2014 mvyskocil@suse.com
- changed license to SUSE-GPL-2.0-with-openssl-exception
* suggested by legal team
* Tue Jan 21 2014 mvyskocil@suse.com
- add allow_root_squashed_chroot option to enable chroot on nsf
mounted with squash_root option (fate#311051)
* vsftpd-root-squashed-chroot.patch
* Sat Jul 20 2013 crrodriguez@opensuse.org
- build with OPENSSL_NO_SSL_INTERN this hides internal struct
members or functions that if changed in future openssl versions
will break the ABI of the calling applications.
* Thu Apr 04 2013 mvyskocil@suse.com
- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
* this enabled a sendto on /dev/log socket when syslog is enabled
- provide more verbose explanation about isolate_network and seccomp_sanbox in
config file template
- don't install init file on openSUSE 13.1+
- drop a build support for SL 10 and older
* Fri Mar 29 2013 mvyskocil@suse.com
- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
* drop CLONE_NEWPID from clone to enable audit system
- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
* unconditionally enable F_SETFL patch - might be safe to do
* Thu Feb 28 2013 lnussel@suse.de
- add isolate_network and seccomp_sandbox options to template to make them
easier to find (bnc#786024)
* Thu Feb 28 2013 mvyskocil@suse.com
- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
* whitelist /dev/log related socket syscall
* Tue Nov 20 2012 sbrabec@suse.cz
- Verify GPG signature.
* Tue Nov 20 2012 dimstar@opensuse.org
- Fix useradd invocation: -o is useless without -u and newer
versions of pwdutils/shadowutils fail on this now.
* Mon Oct 22 2012 mvyskocil@suse.com
- update to 3.0.2 (bnc#786024)
* Fix some seccomp related build errors on certain CentOS and Debian versions.
* Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort()
opens and maps /proc/meminfo but only for larger item counts?
* Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
* Fix various NULL crashes with nonsensical config settings. Noted by Tianyin
Xu <tixu@cs.ucsd.edu>.
* Force cast to unsigned char in is* char functions.
* Fix harmless integer issues in strlist.c.
* Started on a (possibly ill-advised?) crusade to compile cleanly with
Wconversion. Decided to suspend the effort half-way through.
* One more seccomp policy fix: mremap (denied).
* Support STOU with no filename, uses a STOU. prefix.
* Fri Aug 24 2012 mvyskocil@suse.cz
- make seccomp sandbox enabled by default
* dropped vsftpd-3.0.0-turn-seccomp-sandbox-off.patch
* Mon Apr 23 2012 brian@aljex.com
- fix building on 11.4 x86_64 and lower
* fix where, when, & how __USE_GNU gets #defined
* make seccomp optional and disable it on 10.3 and lower
* Tue Apr 10 2012 mvyskocil@suse.cz
- update to upstream 3.0.0:
* Make listen mode the default.
* Fix missing "const" in ssl.c
* Add seccompsandbox.c to support a seccomp filter sandbox; works against
Ubuntu 12.04 ABI.
* Rearrange ftppolicy.c a bit so the syscall list is easily comparable with
seccompsandbox.c
* Rename deprecated "sandbox" to "ptrace_sandbox".
* Add a few more state checks to the privileged helper processes.
* Add tunable "seccomp_sandbox", default on.
* Use hardened build flags.
* Retry creating a PASV socket upon port reuse race between bind() and
listen(), patch from Ralph Wuerthner <ralph.wuerthner@de.ibm.com>.
* Don't die() if recv() indicates a closed remote connection. Problem report
on a Windows client from Herbert van den Bergh,
<herbert.van.den.bergh@oracle.com>.
* Add new config setting "allow_writeable_chroot" to help people in a bit of
a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
* Remove a couple of fixed things from BUGS.
* strlen() trunction fix -- no particular impact.
* Apply some tidyups from mmoufid@yorku.ca.
* Fix delete_failed_uploads if there is a timeout. Report from Alejandro
Hernández Hdez <aalejandrohdez@gmail.com>.
* Fix other data channel bugs such as failure to log failure upon timeout.
* Use exit codes a bit more consistently.
* Fix bad interaction between SSL and trans_chunk_size.
* Redo data timeout to fire properly for SSL sessions.
* Redo idle timeout to fire properly for SSL sessions.
* Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
* Use 10 minutes as a max linger time just in case an alarm gets lost.
* Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
* Add AES128-SHA to default SSL cipher suites for FileZilla compatibility.
Unfortunately the default vsftpd SSL confiuration still doesn't fully work with
FileZilla, because FileZilla has a data connection security problem: no client
certificate presentation and no session reuse. At least the error message is
now very clear.
* Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst
a data transfer is in progress.
* Fix delete_failed_uploads for anonymous sessions.
* Don't listen for urgent data if the control connection is SSL, due to possible
protocol synchronization issues.
- SUSE specific changes:
* turn off the listen mode (listen=NO) by default and change README.SUSE
* merge new hardended flags for build and linking
* fix the wrong Type=forking from systemd service file
* turn off the seccomp_sandbox off by default as SUSE kernel does not support
it (yet)
* Tue Feb 21 2012 mvyskocil@suse.cz
- follow Systemd Packaging guidelines
http://en.opensuse.org/openSUSE:Systemd_packaging_guidelines
- add $local_fs and $remote_fs to init script
* Wed Feb 15 2012 mvyskocil@suse.cz
- use the original tarball, because the bz2 repacking madness disables
gpg --verify
- revert a part oc changes utf converting
* Fri Dec 23 2011 andreas.stieger@gmx.de
- update to upstream 2.3.5:
* Try and force glibc to cache zoneinfo files in an attempt to work around
glibc parsing vulnerability. Thanks to Kingcope.
* Only report CHMOD in SITE HELP if it's enabled. Thanks to Martin Schwenke
<martin@meltin.net>.
* Some simple fixes and cleanups from Thorsten Brehm <tbrehm@dspace.de>.
* Only advertise "AUTH SSL" if one of SSLv2, SSLv3 is enabled. Thanks to
steve willing <eiji-gravion@hotmail.com>.
* Handle connect() failures properly. Thanks to Takayuki Nagata
<tnagata@redhat.com>.
* Add stronger checks for the configuration error of running with a
writeable root directory inside a chroot(). This may bite people who
carelessly turned on chroot_local_user but such is life.
- convert .changes file to unicode
- refresh vsftpd-2.0.4-conf.diff to vsftpd-2.3.5-conf.patch
- name patches explicitly without macro as per recommendations
- remove INSTALL file from binary package
- update license to GPL-2.0+
- mark /etc/sysconfig/SuSEfirewall2/services/vsftpd as config file
* Sat Nov 26 2011 crrodriguez@opensuse.org
- fis copy/paste error in previous change
* Fri Nov 25 2011 crrodriguez@opensuse.org
- Add systemd unit
* Thu Sep 22 2011 mvyskocil@suse.cz
- fix bnc#713588 - bogus logrotate config for vsftpd
call /sbin/killproc -HUP /usr/sbin/vsftpd like init script
- change the url and service file to the new location at
security.appspot.com/vsftpd
* Fri Feb 25 2011 crrodriguez@opensuse.org
- Update to 2.3.4
- Avoid consuming excessive CPU when matching filenames to patterns. Thanks to
Maksymilian Arciemowicz <cxib@securityreason.com>.
- Some bugfixes from Raphaël Rigo <raphael.rigo@syscall.eu> -- good bugs but
no apparent security impact.
* Tue Sep 21 2010 cristian.rodriguez@opensuse.org
- Update to version 2.3.2
- Fix silly regression re: log files being overwritten from the start.
- Rename a few file-open functions to make it clearer what they do
* Tue Aug 10 2010 cristian.rodriguez@opensuse.org
- Update to 2.3.0
- Add extremely simply HTTP support. It's very experimental, ignorant of HTTP
protocol and headers, and likely has all sorts of other issues. The use case
it might satisfy is if you need to serve simple static unathenticated content
with large levels of paranoia.
- Fix port_promiscuous breakage.
- Minor FAQ update.
- Use a larger address space limit if using text_userdb_names=YES
- Always use CLONE_NEWNET if possible when in HTTP mode.
- Change REST + STOR so that it's possible to overwrite part of file without
truncating it.
- Boot the session if we see a USER where encryption was required. May prevent
the transmission of plaintext passwords by buggy clients.
- Fix failure to transmit a large ASCII file over SSL, if it contains \n -> \r\n
fixups.
* Tue May 25 2010 cristian.rodriguez@opensuse.org
- $remote_fs --> network-remotefs
* Sun Feb 21 2010 mseben@novell.com
- updated to version 2.2.2
* Change "File receive OK." to "Transfer complete." to placate some broken
clients. Thanks Holger Kiehl <Holger.Kiehl@dwd.de>.
* Fix erroneous "child died" upon FTP client connect, when under load. Awesome
thanks to Holger Kiehl <Holger.Kiehl@dwd.de> for running diagnostic tests on
his live server.
* Boot the session if an overly long line is encountered.
- see Changelog file for changes in 2.1.0, 2.1.1, 2.1.2 and 2.2.0 releases
- deprecated use-ipv6-scope-id.patch,libcap2-fix.diff,write_race.patch
nowarn.patch
* Thu Jan 28 2010 mseben@novell.com
- added use-ipv6-scope-id.patch to fix connection issues with
ipv6-link local address (bnc#574366)
* Wed Jan 20 2010 coolo@novell.com
- fix typo in the package description - and remove authors
* Mon Sep 15 2008 hvogel@suse.de
- limit port range for passv to 30000:30100 to assist firewalling
[bnc#420671]
* Mon Sep 08 2008 hvogel@suse.de
- version 2.0.7
* Fix man page typo
* Enhance logging for debug_ssl
* Shutdown the SSL data connections properly
* Add option to enforce proper SSL shutdown on uploads
* Add option to delete failed uploads
- limit port range for passv to 1024:2024 to assist firewalling
[bnc#420671]
* Wed Jun 11 2008 hvogel@suse.de
- Fix simultaneous ftp put of the same file [bnc#361559, bnc#273454]
- dont die on EADDRINUSE but try again [bnc#395899]
* Fri May 02 2008 tiwai@suse.de
- fix the link with libcap2
* Wed Apr 30 2008 hvogel@suse.de
- Make the unpriv bits run as ftpsecure and not as nobody
[bnc#384776]
* Tue Apr 01 2008 mkoenig@suse.de
- remove dir /usr/share/omc/svcinfo.d as it is provided now
by filesystem
* Tue Mar 11 2008 crrodriguez@suse.de
- version 2.0.6
- Fix delay_failed_login typo. Oops.
- Patch the getcwd and readlink sysutil helpers to reflect that they wouldn't
like a 0-sized buf. No caller is affected. Thanks Ilja van Sprundel
<ilja@suresec.org>.
- Allow a (fake) reauth as the same user as the logged in user. Should resolve
.NET related report from Sabo Jim <Jim.Sabo@thomson.net>.
- Tweak from Lucian Adrian Grijincu <lucian.grijincu@gmail.com> to take
unnecessary port calculations out of a loop.
- Fix byte I/O accounting in the error path of do_file_send_rwloop, thanks to
<echen@siac.com>.
- Don't log FireFox's attempts to RETR directories! Reported by
Nixdorf, Tim <tnixdorf@dnps.com>.
- Fix STOU sending the same 150 status line twice - oops! Reported by
<yamazaki@iij.ad.jp>.
- Fix xferlog format for virtual (guest) users, reported by Andy Fletcher
<andy@withnail.org>.
- Fix bug with empty user list file and userlist_deny=NO. Reported by
Marcin Zawadzki/GlobalVanet.com <marcin.zawadzki@globalvanet.com>.
- Pretend we have proper UTF8 support and respond positively to OPTS UTF8 ON.
Thanks Stanislav Maslovski <stanislav.maslovski@gmail.com>.
- Add control over the file permissions used in the chown()ing of anonymous
uploads: chown_upload_mode (default 0600 as before). Suggestion from
An Pham <apham@medforcetech.com>.
- Do a retry getting the active ftp socket in vsf_privop_get_ftp_port_sock();
should help buggy Solaris systems. Reported by Michael Masterson
<mjmasterson@xo.com>.
- Add debug_ssl option to dump out some SSL connection details.
- Use code 522, not 521, to indicate that the server requires an encrypted
data connection. Still does not seem to coax lftp to retry :(
- Recognize OPTS pre-login.
- A whole ton of SSL improvements, including ability to force requirement of
a client cert; data and control channel client cert cross checking. Ability
to require fully valid / authentic client certs. No cert-based auth yet.
* Tue Mar 27 2007 mskibbe@suse.de
- change path to firewall script (#247352)
* Fri Mar 02 2007 mskibbe@suse.de
- change path to firewall script (#247352)
* Wed Feb 28 2007 mskibbe@suse.de
- vsftpd - Support for FATE #300687: Ports for SuSEfirewall added
via packages (#246932)
* Mon Jan 15 2007 mskibbe@suse.de
- fix cryptic symbol in package - description
- build against libcap on suse < 10.1
* Fri Jan 12 2007 mskibbe@suse.de
- vsftp could not log any file name other then ascii (#229320)
* Thu Jan 11 2007 mskibbe@suse.de
- change path to xml service document (fate #301713)
* Mon Jan 08 2007 mskibbe@suse.de
- fix Bug #230220 - vsftp no debuginfo
* Mon Jan 08 2007 mskibbe@suse.de
- xml document should readable to all (fate #301713)
* Wed Dec 06 2006 mskibbe@suse.de
- add service xml document (fate #301713 )
* Mon Oct 23 2006 mskibbe@suse.de
- fix Bug 213894 - vsftpd and pam
* Mon Sep 04 2006 kukuk@suse.de
- Include common PAM config files, add pam_loginuid.so
* Fri Jul 14 2006 mskibbe@suse.de
- udpate to version 2.0.5 which
o IE should now show the login dialog again
o configurable login attempt limits and delays were added
o a bad intereaction with DMAPI filesystems was fixed and chained
certs should now work.
* Fri May 26 2006 schwab@suse.de
- Don't strip binaries.
* Thu Apr 20 2006 hvogel@suse.de
- revert the rename to vsftp for the xinetd config file. chkconfig
knows on for init and xinetd. So this wasnt a bug but a misusage
of chkconfig
* Thu Apr 20 2006 hvogel@suse.de
- add support for DMAPI filesystems [#167632]
* Wed Apr 19 2006 hvogel@suse.de
- rename xinetd config from vsftpd to vsftp to avoid name clashes
in chkconfig [#165745]
* Thu Feb 16 2006 hvogel@suse.de
- enable ssl for real [#151453]
* Mon Feb 06 2006 hvogel@suse.de
- The switch to standalone should not happen in update.
Installed xinetd config file again. The configuration file is
marked as noreplace anyway so if you are updating you will
get a xinetd.d/vsftpd.rpmnew and a vsftpd.conf.rpmnew
and everything is working as before and standalone is only used
for new installations. [#148201]
- redirect standalone parent output to /var/log/rcvsftp.log
so the init script can return properly.
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Fri Jan 13 2006 hvogel@suse.de
- Make use of Stack Protector
- fix some uninitialized variables
* Wed Jan 11 2006 hvogel@suse.de
- Update to version 2.0.4 including:
o Add explicit "This FTP server does not allow anonymous logins"
message.
o Add paranoid checks to sysutil.c for large values / lengths.
o Load per-IP config files earlier; allows more settings to be
tuned on a per-IP level.
o regex fix so that {*} correctly matches everything.
o Add optional file locking support via lock_upload_files.
o Apply LDFLAGS patch from Mads Martin Joergensen <mmj@suse.de>.
o Add pasv_addr_resolve option to allow pasv_address to get
DNS resolved once at startup.
o Apply patch to fix timezone issues (caused by chroot()
interacting badly with newer glibc versions).
* Wed Sep 28 2005 mmj@suse.de
- Add init script, and make it standalone
* Sun Sep 18 2005 kukuk@suse.de
- Add libcap-devel to nfb
* Tue Aug 09 2005 mmj@suse.de
- Document that /etc/xinet.d/vsftpd is for xinetd conf [#102953]
* Mon Aug 08 2005 uli@suse.de
- build with -fPIE, not -fpie (fixes s390x)
* Mon Jun 27 2005 ro@suse.de
- use libcap
* Fri Jun 17 2005 mmj@suse.de
- Compile with -fpie, link with -pie
* Tue Apr 19 2005 mmj@suse.de
- Update to 2.0.3 including:
o Document what regex expressions are supported in the man page.
o New settings rsa_private_key_file and dsa_private_key_file to
allow separate files for the certificates and private keys.
o Initial, simple fix for timed out processes not exiting when
SSL is in use. Better fix (which reports timeout to client
properly) to follow.
o Add which setsockopt option failed to die("setsockopt") calls.
o Fix error with IPv4 connections to IPv6 listeners and PORT
type data connections when connect_from_port_20 is set.
o Remove vsf_sysutil_sockaddr_same_family (unused).
o Support protocol 1 (IPv4) in EPRT.
o Add ssl.c to AUDIT.
o Allow config file to use "ssl_ciphers=" to use default
OpenSSL cipher list.
o Allow "EPSV 1" to mean IPv4 EPSV.
o Report dummy IP but correct port with IPv6 / PASV.
o Handle SSL_WANT_READ and SSL_WANT_WRITE retries in SSL_read
and SSL_write; fixes SSL upload failures when data timeouts are
in use with some clients.
o Implicitly disable connect_from_port_20 and chown_uploads
when a non-root user is using run_as_launching_user.
o Add force_anon_logins_ssl and force_anon_data_ssl for a fully
SSL secure anonymous oonly solution (useful when you don't
have root access and a range of acceptable anonymous
passwords as credentials).
o Use SSL BIO callbacks to fix data connection timeout checks;
the checks weren't all occurring promply.
* Thu Mar 03 2005 mmj@suse.de
- Update to 2.0.2 including:
o Emit data transfer status messages (success / failure)
after flushing and waiting for the full data transfer to
reach the client. This should help work around buggy FTP
clients such as FlashFXP, which is known to truncate files
incorrectly.
o Make str_empty actually allocate an empty string.
o Change the ASCII receive code to ONLY rip out \r if it is
just before a \n; someone finally complained about this.
o Enable AIX Large File Support
o Add a couple of FAQ entries.
o Fix time delta code areas to cope with negative deltas,
which will occur if the clock is adjusted backwards.
o Fix "errno" checks to be robust in multiple places;
previously, calls to failing library calls could be made
inbetween the original library call and the "errno" reads.
o Make bandwidth limiter work with SSL data connections.
o Note that the SSL / bandwidth limiter bug fixed a much more
serious bug: SSL data connection dropouts after
data_connection_timeout seconds.
* Fri Feb 18 2005 mmj@suse.de
- Glibc doesn't cache the timezone as much as it used to, so export
the TZ variable after doing chroot. [#49878]
* Thu Aug 12 2004 mmj@suse.de
- Update to 2.0.1 including:
o Add -lcrypto for the SSL build; needed for some systems
o Oops; fix session bale out if an empty length password is given.
o Fix build on Fedora Core 2 (-lcap cannot seem to find /lib/libcap.so).
o Fix vsftpd.conf.5 man page error in "ssl_sslv3"
o Clarify licensing: I allow linking of my GPL software with the OpenSSL
libraries.
o Fix build where PAM build is enabled but PAM headers are missing.
* Fri Jul 02 2004 mmj@suse.de
- Update to 2.0.0 including:
o Improve logging (log deletes, renames, chmods, etc. as
requested by users).
o Add no_log_lock to work around Solaris / Veritas locking
hangs.
o Add EPRT, EPSV, PASV and TVFS to FEAT response.
o Implement use of MDTM to set timestamps.
o Recognize FEAT prior to login.
o Add OpenSSL (AUTH TLS / SSL) support for encrypted control
and data connections.
o Increase max size of .message files to 4000 characters
o Add easy builddefs.h ability to disable PAM builds even when
PAM is installed.
o Report vsftpd version in STAT output.
o Add REFS file.
o Change parent<->child socket comms from DGRAM to STREAM for
increased reliability. The main benefit is should the parent
be killed (or crash out) then the child won't block on a
read() that will never return.
o Make str_reserve reserve space for the trailing zero as well,
so we don't cause a reallocation if we exactly fill the buffer.
o Optimize the sending of strings over the parent<->child comms links.
o Improve the build system so tcp_wrappers, PAM and OpenSSL can
be forcibly compiled out.
o Fix vsftpd.conf.5 typos
o If trans_chunk_size is between 1 and 4096, use 4096 rather
than ignoring totally.
o Add SSL / TLS info to SECURITY texts.
o Add README.ssl
o Add documentation for new SSL options to vsftpd.conf.5.
o Add support for CWD ~
o Fix compile warnings.
* Sat May 29 2004 mmj@suse.de
- Add logrotate file [#41432]
* Tue Apr 27 2004 mmj@suse.de
- Update to 1.2.2 including:
o Fix nasty issue resulting in listener instability under
extreme load (root cause was re-entering malloc/free).
o Fix build with modern glibc-2.3 and no libcap on Linux.
o Add initial support for running as the user which launched
vsftpd, i.e. no root needed. Warning - easy to create
insecurity if you use this without knowing what you are
doing.
o For above run-as-launching-user support: make CDUP re-use CWD
code so that deny_file of *..* is useful.
* Mon Jan 26 2004 hvogel@suse.de
- reworked the log part of the conf file patch.
Enabled syslog as default log destination, clarify xferlog
settings.
* Mon Jan 19 2004 mmj@suse.de
- -D_LARGEFILE_SOURCE to get LFS support. Also make sure the
offset bits are set correct.
* Fri Jan 16 2004 kukuk@suse.de
- Add pam-devel to neededforbuild
* Thu Nov 13 2003 mmj@suse.de
- Update to 1.2.1
* Wed Oct 15 2003 mmj@suse.de
- Don't build as root
* Mon Jul 28 2003 mmj@suse.de
- Add EXAMPLE/ and FAQ
- Don't strip explicitly
* Fri May 30 2003 mmj@suse.de
- Update to vsftpd-1.2.0 including:
ˇ IPv6 support, so drop our patch
ˇ Many bugfixes and tunings
ˇ Build fixes
* Thu Mar 06 2003 mmj@suse.de
- Fix the xinetd conf file [#24774]
* Fri Feb 07 2003 kukuk@suse.de
- Use pam_unix2.so instead of pam_unix.so
* Fri Jan 24 2003 mmj@suse.de
- Correct xinetd conffile
* Tue Jan 14 2003 mmj@suse.de
- Install xinetd.d/vsftpd
* Sat Oct 26 2002 mmj@suse.de
- Use better configuration defaults, thanks henne.
* Fri Oct 25 2002 mmj@suse.de
- Add $RPM_OPT_FLAGS to CFLAGS when building
* Thu Oct 24 2002 mmj@suse.de
- Update to 1.1.2 including:
o Addition of per-IP connection limits in standalone mode.
o Add logging of refused connect due to global or IP connection limits.
o Make connection limit exceeded messages nonblocking.
o Don't exit the listener if fork fails.
* Tue Oct 08 2002 mmj@suse.de
- Update to 1.1.1
* Fri Aug 02 2002 mmj@suse.de
- Update to 1.1.0
* Tue Jul 09 2002 okir@suse.de
- Added a patch to get rid of lots of warnings caused by -Wshadow
- Added a patch to implement IPv6 support
* Tue Apr 30 2002 mmj@suse.de
- And now without detection of pam in /lib/libpam.so.0, which is
bogus.
* Sun Feb 17 2002 mmj@suse.de
- Added a patch to the vsftpd library detection function to make
it build with /usr/lib64. Fixes build on S/390.
* Tue Feb 12 2002 mmj@suse.de
- Remove Requires: ftpdir
* Mon Feb 04 2002 choeger@suse.de
- do not set e(x)ecute bit on textfiles
* Fri Feb 01 2002 choeger@suse.de
- declare config file as %config(noreplace)
* Thu Jan 17 2002 mmj@suse.de
- Update to version 1.0.1
* Fri Nov 30 2001 mmj@suse.de
- Use /etc/pam.d/vsftpd
* Tue Nov 13 2001 mmj@suse.de
- Updated to version 1.0.0
* Mon Oct 22 2001 mmj@suse.de
- Initial package
/etc/vsftpd /etc/vsftpd.conf /etc/vsftpd/ftpusers /usr/etc/logrotate.d/vsftpd /usr/lib/firewalld /usr/lib/firewalld/services /usr/lib/firewalld/services/vsftpd.xml /usr/lib/pam.d/vsftpd /usr/lib/systemd/system/vsftpd.service /usr/lib/systemd/system/vsftpd.socket /usr/lib/systemd/system/vsftpd@.service /usr/sbin/rcvsftpd /usr/sbin/vsftpd /usr/share/doc/packages/vsftpd /usr/share/doc/packages/vsftpd/AUDIT /usr/share/doc/packages/vsftpd/BUGS /usr/share/doc/packages/vsftpd/Changelog /usr/share/doc/packages/vsftpd/EXAMPLE /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE/README /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE/vsftpd.conf /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE/vsftpd.xinetd /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE_NOINETD /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE_NOINETD/README /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf /usr/share/doc/packages/vsftpd/EXAMPLE/PER_IP_CONFIG /usr/share/doc/packages/vsftpd/EXAMPLE/PER_IP_CONFIG/README /usr/share/doc/packages/vsftpd/EXAMPLE/PER_IP_CONFIG/hosts.allow /usr/share/doc/packages/vsftpd/EXAMPLE/README /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_HOSTS /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_HOSTS/README /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/README /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/logins.txt /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/vsftpd.conf /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/vsftpd.pam /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS_2 /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS_2/README /usr/share/doc/packages/vsftpd/FAQ /usr/share/doc/packages/vsftpd/README /usr/share/doc/packages/vsftpd/README.SUSE /usr/share/doc/packages/vsftpd/README.security /usr/share/doc/packages/vsftpd/REWARD /usr/share/doc/packages/vsftpd/SECURITY /usr/share/doc/packages/vsftpd/SECURITY/DESIGN /usr/share/doc/packages/vsftpd/SECURITY/IMPLEMENTATION /usr/share/doc/packages/vsftpd/SECURITY/OVERVIEW /usr/share/doc/packages/vsftpd/SECURITY/TRUST /usr/share/doc/packages/vsftpd/SIZE /usr/share/doc/packages/vsftpd/SPEED /usr/share/doc/packages/vsftpd/TODO /usr/share/doc/packages/vsftpd/TUNING /usr/share/empty /usr/share/licenses/vsftpd /usr/share/licenses/vsftpd/COPYING /usr/share/licenses/vsftpd/LICENSE /usr/share/man/man5/vsftpd.conf.5.gz /usr/share/man/man8/vsftpd.8.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Sep 19 23:55:02 2024