Changelog for
vsftpd-3.0.2-51.23.x86_64.rpm :
Thu Apr 10 14:00:00 2014 tchvatalAATTsuse.com
- Move the enabling of timeofday and alarm one level deeper to
be sure it is whitelisted every time.
Also should possibly fix bnc#872215.
- Updated patch:
* vsftpd-enable-gettimeofday-sec.patch
Thu Apr 10 14:00:00 2014 tchvatalAATTsuse.com
- Remove forking from service type as it hangs in endless loop.
Wed Apr 2 14:00:00 2014 tchvatalAATTsuse.com
- Fix warning about dangling symlink on rcvsftpd from rpmlint and
remove also clean section while at it.
Wed Apr 2 14:00:00 2014 tchvatalAATTsuse.com
- Add patch to allow gettimeofday and alarm calls with seccomp
enabled. bnc#870122
- Added patch:
* vsftpd-enable-gettimeofday-sec.patch
Tue Apr 1 14:00:00 2014 tchvatalAATTsuse.com
- Specify that the service type is forking
Mon Jan 27 13:00:00 2014 mvyskocilAATTsuse.com
- changed license to SUSE-GPL-2.0-with-openssl-exception
* suggested by legal team
Tue Jan 21 13:00:00 2014 mvyskocilAATTsuse.com
- add allow_root_squashed_chroot option to enable chroot on NFS
mounted with squash_root option (fate#311051)
* vsftpd-root-squashed-chroot.patch
Sat Jul 20 14:00:00 2013 crrodriguezAATTopensuse.org
- build with OPENSSL_NO_SSL_INTERN this hides internal struct
members or functions that if changed in future openssl versions
will break the ABI of the calling applications.
Thu Apr 4 14:00:00 2013 mvyskocilAATTsuse.com
- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
* this enabled a sendto on /dev/log socket when syslog is enabled
- provide more verbose explanation about isolate_network and seccomp_sandbox in
config file template
- don't install init file on openSUSE 13.1+
- drop a build support for SL 10 and older
Fri Mar 29 13:00:00 2013 mvyskocilAATTsuse.com
- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
* drop CLONE_NEWPID from clone to enable audit system
- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
* unconditionally enable F_SETFL patch - might be safe to do
Thu Feb 28 13:00:00 2013 lnusselAATTsuse.de
- add isolate_network and seccomp_sandbox options to template to make them
easier to find (bnc#786024)
Thu Feb 28 13:00:00 2013 mvyskocilAATTsuse.com
- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
* whitelist /dev/log related socket syscall
Tue Nov 20 13:00:00 2012 sbrabecAATTsuse.cz
- Verify GPG signature.
Tue Nov 20 13:00:00 2012 dimstarAATTopensuse.org
- Fix useradd invocation: -o is useless without -u and newer
versions of pwdutils/shadowutils fail on this now.
Mon Oct 22 14:00:00 2012 mvyskocilAATTsuse.com
- update to 3.0.2 (bnc#786024)
* Fix some seccomp related build errors on certain CentOS and Debian versions.
* Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort()
opens and maps /proc/meminfo but only for larger item counts?
* Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
* Fix various NULL crashes with nonsensical config settings. Noted by Tianyin
Xu.
* Force cast to unsigned char in is* char functions.
* Fix harmless integer issues in strlist.c.
* Started on a (possibly ill-advised?) crusade to compile cleanly with
Wconversion. Decided to suspend the effort half-way through.
* One more seccomp policy fix: mremap (denied).
* Support STOU with no filename, uses a STOU. prefix.
Fri Aug 24 14:00:00 2012 mvyskocilAATTsuse.cz
- make seccomp sandbox enabled by default
* dropped vsftpd-3.0.0-turn-seccomp-sandbox-off.patch
Mon Apr 23 14:00:00 2012 brianAATTaljex.com
- fix building on 11.4 x86_64 and lower
* fix where, when, & how __USE_GNU gets #defined
* make seccomp optional and disable it on 10.3 and lower
Tue Apr 10 14:00:00 2012 mvyskocilAATTsuse.cz
- update to upstream 3.0.0:
* Make listen mode the default.
* Fix missing "const" in ssl.c
* Add seccompsandbox.c to support a seccomp filter sandbox; works against
Ubuntu 12.04 ABI.
* Rearrange ftppolicy.c a bit so the syscall list is easily comparable with
seccompsandbox.c
* Rename deprecated "sandbox" to "ptrace_sandbox".
* Add a few more state checks to the privileged helper processes.
* Add tunable "seccomp_sandbox", default on.
* Use hardened build flags.
* Retry creating a PASV socket upon port reuse race between bind() and
listen(), patch from Ralph Wuerthner.
* Don't die() if recv() indicates a closed remote connection. Problem report
on a Windows client from Herbert van den Bergh.
* Add new config setting "allow_writeable_chroot" to help people in a bit of
a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
* Remove a couple of fixed things from BUGS.
* strlen() truncation fix -- no particular impact.
* Apply some tidyups from mmoufidAATTyorku.ca.
* Fix delete_failed_uploads if there is a timeout. Report from Alejandro
Hernández Hdez.
* Fix other data channel bugs such as failure to log failure upon timeout.
* Use exit codes a bit more consistently.
* Fix bad interaction between SSL and trans_chunk_size.
* Redo data timeout to fire properly for SSL sessions.
* Redo idle timeout to fire properly for SSL sessions.
* Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
* Use 10 minutes as a max linger time just in case an alarm gets lost.
* Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
* Add AES128-SHA to default SSL cipher suites for FileZilla compatibility.
Unfortunately the default vsftpd SSL configuration still doesn't fully work with
FileZilla, because FileZilla has a data connection security problem: no client
certificate presentation and no session reuse. At least the error message is
now very clear.
* Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst
a data transfer is in progress.
* Fix delete_failed_uploads for anonymous sessions.
* Don't listen for urgent data if the control connection is SSL, due to possible
protocol synchronization issues.
- SUSE specific changes:
* turn off the listen mode (listen=NO) by default and change README.SUSE
* merge new hardened flags for build and linking
* fix the wrong Type=forking from systemd service file
* turn the seccomp_sandbox off by default as SUSE kernel does not support
it (yet)
Tue Feb 21 13:00:00 2012 mvyskocilAATTsuse.cz
- follow Systemd Packaging guidelines
http://en.opensuse.org/openSUSE:Systemd_packaging_guidelines
- add $local_fs and $remote_fs to init script
Wed Feb 15 13:00:00 2012 mvyskocilAATTsuse.cz
- use the original tarball, because the bz2 repacking madness disables
gpg --verify
- revert a part of changes utf converting
Fri Dec 23 13:00:00 2011 andreas.stiegerAATTgmx.de
- update to upstream 2.3.5:
* Try and force glibc to cache zoneinfo files in an attempt to work around
glibc parsing vulnerability. Thanks to Kingcope.
* Only report CHMOD in SITE HELP if it's enabled. Thanks to Martin Schwenke.
* Some simple fixes and cleanups from Thorsten Brehm.
* Only advertise "AUTH SSL" if one of SSLv2, SSLv3 is enabled. Thanks to
steve willing.
* Handle connect() failures properly. Thanks to Takayuki Nagata.
* Add stronger checks for the configuration error of running with a
writeable root directory inside a chroot(). This may bite people who
carelessly turned on chroot_local_user but such is life.
- convert .changes file to unicode
- refresh vsftpd-2.0.4-conf.diff to vsftpd-2.3.5-conf.patch
- name patches explicitly without macro as per recommendations
- remove INSTALL file from binary package
- update license to GPL-2.0+
- mark /etc/sysconfig/SuSEfirewall2/services/vsftpd as config file
Sat Nov 26 13:00:00 2011 crrodriguezAATTopensuse.org
- fix copy/paste error in previous change
Fri Nov 25 13:00:00 2011 crrodriguezAATTopensuse.org
- Add systemd unit
Thu Sep 22 14:00:00 2011 mvyskocilAATTsuse.cz
- fix bnc#713588 - bogus logrotate config for vsftpd
call /sbin/killproc -HUP /usr/sbin/vsftpd like init script
- change the url and service file to the new location at
security.appspot.com/vsftpd
Fri Feb 25 13:00:00 2011 crrodriguezAATTopensuse.org
- Update to 2.3.4
- Avoid consuming excessive CPU when matching filenames to patterns. Thanks to
Maksymilian Arciemowicz.
- Some bugfixes from Raphaël Rigo -- good bugs but
no apparent security impact.
Tue Sep 21 14:00:00 2010 cristian.rodriguezAATTopensuse.org
- Update to version 2.3.2
- Fix silly regression re: log files being overwritten from the start.
- Rename a few file-open functions to make it clearer what they do
Tue Aug 10 14:00:00 2010 cristian.rodriguezAATTopensuse.org
- Update to 2.3.0
- Add extremely simple HTTP support. It's very experimental, ignorant of HTTP
protocol and headers, and likely has all sorts of other issues. The use case
it might satisfy is if you need to serve simple static unauthenticated content
with large levels of paranoia.
- Fix port_promiscuous breakage.
- Minor FAQ update.
- Use a larger address space limit if using text_userdb_names=YES
- Always use CLONE_NEWNET if possible when in HTTP mode.
- Change REST + STOR so that it's possible to overwrite part of file without
truncating it.
- Boot the session if we see a USER where encryption was required. May prevent
the transmission of plaintext passwords by buggy clients.
- Fix failure to transmit a large ASCII file over SSL, if it contains
\n -> \r\n fixups.
Tue May 25 14:00:00 2010 cristian.rodriguezAATTopensuse.org
- $remote_fs --> network-remotefs
Sun Feb 21 13:00:00 2010 msebenAATTnovell.com
- updated to version 2.2.2
* Change "File receive OK." to "Transfer complete." to placate some broken
clients. Thanks Holger Kiehl.
* Fix erroneous "child died" upon FTP client connect, when under load. Awesome
thanks to Holger Kiehl for running diagnostic tests on
his live server.
* Boot the session if an overly long line is encountered.
- see Changelog file for changes in 2.1.0, 2.1.1, 2.1.2 and 2.2.0 releases
- deprecated use-ipv6-scope-id.patch,libcap2-fix.diff,write_race.patch
nowarn.patch
Thu Jan 28 13:00:00 2010 msebenAATTnovell.com
- added use-ipv6-scope-id.patch to fix connection issues with
ipv6-link local address (bnc#574366)
Wed Jan 20 13:00:00 2010 cooloAATTnovell.com
- fix typo in the package description - and remove authors
Mon Sep 15 14:00:00 2008 hvogelAATTsuse.de
- limit port range for passv to 30000:30100 to assist firewalling
[bnc#420671]
Mon Sep 8 14:00:00 2008 hvogelAATTsuse.de
- version 2.0.7
* Fix man page typo
* Enhance logging for debug_ssl
* Shutdown the SSL data connections properly
* Add option to enforce proper SSL shutdown on uploads
* Add option to delete failed uploads
- limit port range for passv to 1024:2024 to assist firewalling
[bnc#420671]
Wed Jun 11 14:00:00 2008 hvogelAATTsuse.de
- Fix simultaneous ftp put of the same file [bnc#361559, bnc#273454]
- don't die on EADDRINUSE but try again [bnc#395899]
Fri May 2 14:00:00 2008 tiwaiAATTsuse.de
- fix the link with libcap2
Wed Apr 30 14:00:00 2008 hvogelAATTsuse.de
- Make the unpriv bits run as ftpsecure and not as nobody
[bnc#384776]
Tue Apr 1 14:00:00 2008 mkoenigAATTsuse.de
- remove dir /usr/share/omc/svcinfo.d as it is provided now
by filesystem
Tue Mar 11 13:00:00 2008 crrodriguezAATTsuse.de
- version 2.0.6
- Fix delay_failed_login typo. Oops.
- Patch the getcwd and readlink sysutil helpers to reflect that they wouldn't
like a 0-sized buf. No caller is affected. Thanks Ilja van Sprundel.
- Allow a (fake) reauth as the same user as the logged in user. Should resolve
.NET related report from Sabo Jim.
- Tweak from Lucian Adrian Grijincu to take
unnecessary port calculations out of a loop.
- Fix byte I/O accounting in the error path of do_file_send_rwloop, thanks to
.
- Don't log FireFox's attempts to RETR directories! Reported by
Nixdorf, Tim.
- Fix STOU sending the same 150 status line twice - oops! Reported by
.
- Fix xferlog format for virtual (guest) users, reported by Andy Fletcher.
- Fix bug with empty user list file and userlist_deny=NO. Reported by
Marcin Zawadzki/GlobalVanet.com.
- Pretend we have proper UTF8 support and respond positively to OPTS UTF8 ON.
Thanks Stanislav Maslovski.
- Add control over the file permissions used in the chown()ing of anonymous
uploads: chown_upload_mode (default 0600 as before). Suggestion from
An Pham.
- Do a retry getting the active ftp socket in vsf_privop_get_ftp_port_sock();
should help buggy Solaris systems. Reported by Michael Masterson.
- Add debug_ssl option to dump out some SSL connection details.
- Use code 522, not 521, to indicate that the server requires an encrypted
data connection. Still does not seem to coax lftp to retry :(
- Recognize OPTS pre-login.
- A whole ton of SSL improvements, including ability to force requirement of
a client cert; data and control channel client cert cross checking. Ability
to require fully valid / authentic client certs. No cert-based auth yet.
Tue Mar 27 14:00:00 2007 mskibbeAATTsuse.de
- change path to firewall script (#247352)
Fri Mar 2 13:00:00 2007 mskibbeAATTsuse.de
- change path to firewall script (#247352)
Wed Feb 28 13:00:00 2007 mskibbeAATTsuse.de
- vsftpd - Support for FATE #300687: Ports for SuSEfirewall added
via packages (#246932)
Mon Jan 15 13:00:00 2007 mskibbeAATTsuse.de
- fix cryptic symbol in package - description
- build against libcap on suse < 10.1
Fri Jan 12 13:00:00 2007 mskibbeAATTsuse.de
- vsftp could not log any file name other than ASCII (#229320)
Thu Jan 11 13:00:00 2007 mskibbeAATTsuse.de
- change path to xml service document (fate #301713)
Mon Jan 8 13:00:00 2007 mskibbeAATTsuse.de
- fix Bug #230220 - vsftp no debuginfo
Mon Jan 8 13:00:00 2007 mskibbeAATTsuse.de
- xml document should be readable to all (fate #301713)
Wed Dec 6 13:00:00 2006 mskibbeAATTsuse.de
- add service xml document (fate #301713 )
Mon Oct 23 14:00:00 2006 mskibbeAATTsuse.de
- fix Bug 213894 - vsftpd and pam
Mon Sep 4 14:00:00 2006 kukukAATTsuse.de
- Include common PAM config files, add pam_loginuid.so
Fri Jul 14 14:00:00 2006 mskibbeAATTsuse.de
- update to version 2.0.5 which
o IE should now show the login dialog again
o configurable login attempt limits and delays were added
o a bad interaction with DMAPI filesystems was fixed and chained
certs should now work.