Changelog for vsftpd-3.0.3-5.7.x86_64.rpm:
* Wed Apr 25 2018 psimonsAATTsuse.com- vsftpd-enable-syscalls-needed-by-sle15.patch: Enable wait4(), sysinfo(), and shutdown() syscalls in seccomp sandbox. These are required for the daemon to work properly on SLE-15. [bsc#1089088]
* Tue Apr 03 2018 vcizekAATTsuse.com- Add firewalld service file (bsc#1083705)
* Wed Dec 13 2017 tchvatalAATTsuse.com- Make sure to also require group nobody and user ftp bsc#1070653
* Thu Sep 07 2017 psimonsAATTsuse.com- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that would cause SSL protocol errors, aborting the connection, whenever system errors occurred that were supposed to be non-fatal. [bsc#1044292]- Add "vsftpd-mdtm-in-utc.patch" to fix interoperability issue with various ftp clients that arose when vsftpd is configured with option "use_localtime=YES". Basically, it's fine to use local time stamps in directory listings, but responding to MDTM commands with any time zone other than UTC directly violates RFC3659 and leads FTP clients to misinterpret the file's time stamp. [bsc#1024961]- Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to append to a file system pipe. [bsc#1048427]- Add "vsftpd-3.0.3-address_space_limit.patch" to create the new configuration option "address_space_limit", which determines the memory limit vsftpd configures for its own process (given in bytes). The previously hard-coded limit (100 MB) may not be sufficient for vsftpd servers running with certain PAM modules enabled, and in such cases administrators may wish to raise the limit to match their system's requirements. [bsc#1042137]- Don't rely on the vsf_findlibs.sh script to figure out the list of libraries the build needs to link. The script is wildly unreliable and it's hard to predict what results it will produce. Also, the results it *does* produce are invisible in the build log. We stumbled across this issue when vsftpd suddenly had build failures on i586 platforms because the script decided to try and link "-lnsl" even though the library was neither installed nor required.- Drop the explicit specification of the LDFLAGS and LINK variables from the call to make. The value of LDFLAGS we passed is the default anyway and giving LINK has no effect since it's not used anywhere in the Makefile.
* Wed Jun 14 2017 tchvatalAATTsuse.com- Conditionally install xinetd service only on older releases
* On current distributions we support the same functionality via systemd socket activation
* Mon Jun 12 2017 daniel.molkentinAATTsuse.com- Fix build against OpenSSL 1.1. Remove lock on 1.0.x libs adds vsftpd-3.0.3-build-with-openssl-1.1.patch (bsc#1042673)
* Wed May 31 2017 psimonsAATTsuse.com- Explicitly depend on OpenSSL version 1.0.x since vsftpd doesn't compile against the API provided by newer versions.
* Tue May 02 2017 kukukAATTsuse.de- Adjust to new system user/group RPMs
* Mon Sep 19 2016 psimonsAATTsuse.com- Add vsftpd-3.0.2-fix-chown-uploads.patch to fix a bug in vsftpd where files uploaded by an anonymous user could not be chown()ed to the desired UID as specified in the daemon's configuration file. [bnc#996370]
* Wed Aug 31 2016 dimstarAATTopensuse.org- Extend vsftpd-2.0.4-lib64.diff to also find libcap.so.* in /usr/lib64.
* Fri Aug 05 2016 tchvatalAATTsuse.com- Do not bother with omc xml configs, useless nowadays
* Wed Mar 23 2016 tchvatalAATTsuse.com- Require shadow and do not output the error out of useradd
* Tue Mar 22 2016 tchvatalAATTsuse.com- Fix user creation to not report error when user already exists bnc#972169
* Mon Mar 21 2016 tchvatalAATTsuse.com- Fix bnc#970982 hanging on pam_exec in pam.d
* Add patch vsftpd-3.0.2-wnohang.patch
* Thu Mar 10 2016 jcejkaAATTsuse.com- Fix memory leaks in ls.c bnc#968138
* Add patch vsftpd-ls-memleak.patch
* Update patch vsftpd-path-normalize.patch- Fix wildcard ? matching bnc#969411
* Update patch vsftpd-2.3.4-sqb.patch
* Mon Sep 21 2015 tchvatalAATTsuse.com- Clean-up the init.d support to be bit more readable and add missing dep
* Mon Sep 21 2015 joop.boonenAATTopensuse.org- Brought back additional systemv support so it also builds for SLES 10 and 11
* Tue Sep 08 2015 tchvatalAATTsuse.com- Version bump to 3.0.3:
* Increase VSFTP_AS_LIMIT to 200MB; various reports.
* Make the PWD response more RFC compliant; report from Barry Kelly.
* Remove the trailing period from EPSV response to work around BT Internet issues; report from Tim Bishop.
* Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil. At least, syslogging seems to work on my Fedora now.
* Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I probably have a different distro / libc / etc. and there are multiple reports.
* Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle this case gracefully. Report from Vasily Averin.
* List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
* Make some compile-time SSL defaults (such as correct client shutdown handling) stricter.
* Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms delays. From Tim Kosse.
* Kill the FTP session if we see HTTP protocol commands, to avoid cross-protocol attacks. A report from Jann Horn.
* Kill the FTP session if we see session re-use failure. A report from Tim Kosse.
* Enable ECDHE, Tim Kosse.
* Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
* Minor SSL logging improvements.
* Un-default tunable_strict_ssl_write_shutdown again. We still have tunable_strict_ssl_read_eof defaulted now, which is the important one to prove upload integrity.- Drop patch vsftpd-allow-dev-log-socket.patch should be included upstream, see above bullet with mvyskocil's email
* Tue Jun 23 2015 tchvatalAATTsuse.com- Fix logrotate script to not fail when vsftpd is not running, bnc#935279
* Fri Apr 17 2015 tchvatalAATTsuse.com- Fix hide_file option wrt bnc#927612:
* vsftpd-path-normalize.patch
* Sun Apr 05 2015 tchvatalAATTsuse.com- bnc#925963 stat is sometimes run on wrong path and results with ENOENT, ensure we sent both dir+file to filter verification:
* vsftpd-path-normalize.patch
* Wed Mar 25 2015 tchvatalAATTsuse.com- Update patch bit more for sanity checks. Done by rsassuAATTsuse.de:
* vsftpd-path-normalize.patch
* Mon Mar 23 2015 tchvatalAATTsuse.com- Add back patch attempting to fix bnc#900326 bnc#915522 and bnc#922538:
* vsftpd-path-normalize.patch
* Mon Mar 23 2015 tchvatalAATTsuse.com- Reset filter patch to match fedora, my work will be restarted in one-off patch to make the changes stand out. Add rest of RH filtering patches:
* vsftpd-2.2.0-wildchar.patch
* vsftpd-2.3.4-sqb.patch
* vsftpd-2.1.0-filter.patch
* Mon Mar 23 2015 tchvatalAATTsuse.com- Work on the filter patch and split out the normalisation of the path to separate str function, currently commented out so I avoid huge diffing.
* vsftpd-2.1.0-filter.patch
* Fri Feb 20 2015 tchvatalAATTsuse.com- Add service calls for other unit files too- Update filter patch to work as expected:
* vsftpd-2.1.0-filter.patch
* Fri Jan 02 2015 tchvatalAATTsuse.com- Try to fix deny_file parsing to do more what is expected. Taken from fedora. bnc#900326 bnc#915522 CVE-2015-1419
* vsftpd-2.1.0-filter.patch
* Fri Nov 14 2014 dimstarAATTopensuse.org- No longer perform gpg validation; osc source_validator does it implicit: + Drop gpg-offline BuildRequires. + No longer execute gpg_verify.
* Thu Aug 21 2014 jmatejekAATTsuse.com- force using fork() instead of clone() on s390 - fixes bnc#890469
* vsftpd-3.0.2-s390.patch
* Mon May 26 2014 tchvatalAATTsuse.com- Cleanup with spec-cleaner- Remove conditions about init files as we do not build for < 12.1 anyway.- Update the README.SUSE file to describe more the listen option.
* Mon May 26 2014 tchvatalAATTsuse.com- Add socket service for vsftpd to avoid the need for xinetd here.
* Mon May 26 2014 tchvatalAATTsuse.com- Add comment about listen variables for xinetd configuration. Fixes bnc#872221.- Add default configuration as arg to xinetd started vsftpd.- Updated patch:
* vsftpd-2.0.4-xinetd.diff
* Thu Apr 10 2014 tchvatalAATTsuse.com- Move the enabling of timeofday and alarm one level deeper to be sure it is whitelisted everytime. Also should possibly fix bnc#872215.- Updated patch:
* vsftpd-enable-gettimeofday-sec.patch
* Thu Apr 10 2014 tchvatalAATTsuse.com- Remove forking from service type as it hangs in endless loop.
* Wed Apr 02 2014 tchvatalAATTsuse.com- Fix warning about dangling symlink on rcvsftpd from rpmlint and remove also clean section while at it.
* Wed Apr 02 2014 tchvatalAATTsuse.com- Add patch to allow gettimeofday and alarm calls with seccomp enabled. bnc#870122- Added patch:
* vsftpd-enable-gettimeofday-sec.patch
* Tue Apr 01 2014 tchvatalAATTsuse.com- Specify that the service type is forking
* Mon Jan 27 2014 mvyskocilAATTsuse.com- changed license to SUSE-GPL-2.0-with-openssl-exception
* suggested by legal team
* Tue Jan 21 2014 mvyskocilAATTsuse.com- add allow_root_squashed_chroot option to enable chroot on nfs mounted with squash_root option (fate#311051)
* vsftpd-root-squashed-chroot.patch
* Sat Jul 20 2013 crrodriguezAATTopensuse.org- build with OPENSSL_NO_SSL_INTERN this hides internal struct members or functions that if changed in future openssl versions will break the ABI of the calling applications.
* Thu Apr 04 2013 mvyskocilAATTsuse.com- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
* this enabled a sendto on /dev/log socket when syslog is enabled- provide more verbose explanation about isolate_network and seccomp_sandbox in config file template- don't install init file on openSUSE 13.1+- drop a build support for SL 10 and older
* Fri Mar 29 2013 mvyskocilAATTsuse.com- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
* drop CLONE_NEWPID from clone to enable audit system- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
* unconditionally enable F_SETFL patch - might be safe to do
* Thu Feb 28 2013 lnusselAATTsuse.de- add isolate_network and seccomp_sandbox options to template to make them easier to find (bnc#786024)
* Thu Feb 28 2013 mvyskocilAATTsuse.com- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
* whitelist /dev/log related socket syscall
* Tue Nov 20 2012 sbrabecAATTsuse.cz- Verify GPG signature.
* Tue Nov 20 2012 dimstarAATTopensuse.org- Fix useradd invocation: -o is useless without -u and newer versions of pwdutils/shadowutils fail on this now.
* Mon Oct 22 2012 mvyskocilAATTsuse.com- update to 3.0.2 (bnc#786024)
* Fix some seccomp related build errors on certain CentOS and Debian versions.
* Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort() opens and maps /proc/meminfo but only for larger item counts?
* Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
* Fix various NULL crashes with nonsensical config settings. Noted by Tianyin Xu.
* Force cast to unsigned char in is* char functions.
* Fix harmless integer issues in strlist.c.
* Started on a (possibly ill-advised?) crusade to compile cleanly with Wconversion. Decided to suspend the effort half-way through.
* One more seccomp policy fix: mremap (denied).
* Support STOU with no filename, uses a STOU. prefix.
* Fri Aug 24 2012 mvyskocilAATTsuse.cz- make seccomp sandbox enabled by default
* dropped vsftpd-3.0.0-turn-seccomp-sandbox-off.patch
* Mon Apr 23 2012 brianAATTaljex.com- fix building on 11.4 x86_64 and lower
* fix where, when, & how __USE_GNU gets #defined
* make seccomp optional and disable it on 10.3 and lower
* Tue Apr 10 2012 mvyskocilAATTsuse.cz- update to upstream 3.0.0:
* Make listen mode the default.
* Fix missing "const" in ssl.c
* Add seccompsandbox.c to support a seccomp filter sandbox; works against Ubuntu 12.04 ABI.
* Rearrange ftppolicy.c a bit so the syscall list is easily comparable with seccompsandbox.c
* Rename deprecated "sandbox" to "ptrace_sandbox".
* Add a few more state checks to the privileged helper processes.
* Add tunable "seccomp_sandbox", default on.
* Use hardened build flags.
* Retry creating a PASV socket upon port reuse race between bind() and listen(), patch from Ralph Wuerthner.
* Don't die() if recv() indicates a closed remote connection. Problem report on a Windows client from Herbert van den Bergh.
* Add new config setting "allow_writeable_chroot" to help people in a bit of a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
* Remove a couple of fixed things from BUGS.
* strlen() truncation fix -- no particular impact.
* Apply some tidyups from mmoufidAATTyorku.ca.
* Fix delete_failed_uploads if there is a timeout. Report from Alejandro Hernández Hdez.
* Fix other data channel bugs such as failure to log failure upon timeout.
* Use exit codes a bit more consistently.
* Fix bad interaction between SSL and trans_chunk_size.
* Redo data timeout to fire properly for SSL sessions.
* Redo idle timeout to fire properly for SSL sessions.
* Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
* Use 10 minutes as a max linger time just in case an alarm gets lost.
* Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
* Add AES128-SHA to default SSL cipher suites for FileZilla compatibility. Unfortunately the default vsftpd SSL configuration still doesn't fully work with FileZilla, because FileZilla has a data connection security problem: no client certificate presentation and no session reuse. At least the error message is now very clear.
* Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst a data transfer is in progress.
* Fix delete_failed_uploads for anonymous sessions.
* Don't listen for urgent data if the control connection is SSL, due to possible protocol synchronization issues.- SUSE specific changes:
* turn off the listen mode (listen=NO) by default and change README.SUSE
* merge new hardened flags for build and linking
* fix the wrong Type=forking from systemd service file
* turn the seccomp_sandbox off by default as SUSE kernel does not support it (yet)
* Tue Feb 21 2012 mvyskocilAATTsuse.cz- follow Systemd Packaging guidelines http://en.opensuse.org/openSUSE:Systemd_packaging_guidelines- add $local_fs and $remote_fs to init script
* Wed Feb 15 2012 mvyskocilAATTsuse.cz- use the original tarball, because the bz2 repacking madness disables gpg --verify- revert a part of changes utf converting
* Fri Dec 23 2011 andreas.stiegerAATTgmx.de- update to upstream 2.3.5:
* Try and force glibc to cache zoneinfo files in an attempt to work around glibc parsing vulnerability. Thanks to Kingcope.
* Only report CHMOD in SITE HELP if it's enabled. Thanks to Martin Schwenke.
* Some simple fixes and cleanups from Thorsten Brehm.
* Only advertise "AUTH SSL" if one of SSLv2, SSLv3 is enabled. Thanks to steve willing.
* Handle connect() failures properly. Thanks to Takayuki Nagata.
* Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.- convert .changes file to unicode- refresh vsftpd-2.0.4-conf.diff to vsftpd-2.3.5-conf.patch- name patches explicitly without macro as per recommendations- remove INSTALL file from binary package- update license to GPL-2.0+- mark /etc/sysconfig/SuSEfirewall2/services/vsftpd as config file
* Sat Nov 26 2011 crrodriguezAATTopensuse.org- fix copy/paste error in previous change
* Fri Nov 25 2011 crrodriguezAATTopensuse.org- Add systemd unit
* Thu Sep 22 2011 mvyskocilAATTsuse.cz- fix bnc#713588 - bogus logrotate config for vsftpd call /sbin/killproc -HUP /usr/sbin/vsftpd like init script- change the url and service file to the new location at security.appspot.com/vsftpd
* Fri Feb 25 2011 crrodriguezAATTopensuse.org- Update to 2.3.4- Avoid consuming excessive CPU when matching filenames to patterns. Thanks to Maksymilian Arciemowicz.- Some bugfixes from Raphaël Rigo -- good bugs but no apparent security impact.
* Tue Sep 21 2010 cristian.rodriguezAATTopensuse.org- Update to version 2.3.2- Fix silly regression re: log files being overwritten from the start.- Rename a few file-open functions to make it clearer what they do
* Tue Aug 10 2010 cristian.rodriguezAATTopensuse.org- Update to 2.3.0- Add extremely simple HTTP support. It's very experimental, ignorant of HTTP protocol and headers, and likely has all sorts of other issues. The use case it might satisfy is if you need to serve simple static unauthenticated content with large levels of paranoia.- Fix port_promiscuous breakage.- Minor FAQ update.- Use a larger address space limit if using text_userdb_names=YES- Always use CLONE_NEWNET if possible when in HTTP mode.- Change REST + STOR so that it's possible to overwrite part of file without truncating it.- Boot the session if we see a USER where encryption was required. May prevent the transmission of plaintext passwords by buggy clients.- Fix failure to transmit a large ASCII file over SSL, if it contains \n -> \r\n fixups.
* Tue May 25 2010 cristian.rodriguezAATTopensuse.org- $remote_fs --> network-remotefs
* Sun Feb 21 2010 msebenAATTnovell.com- updated to version 2.2.2
* Change "File receive OK." to "Transfer complete." to placate some broken clients. Thanks Holger Kiehl.
* Fix erroneous "child died" upon FTP client connect, when under load. Awesome thanks to Holger Kiehl for running diagnostic tests on his live server.
* Boot the session if an overly long line is encountered.- see Changelog file for changes in 2.1.0, 2.1.1, 2.1.2 and 2.2.0 releases- deprecated use-ipv6-scope-id.patch,libcap2-fix.diff,write_race.patch nowarn.patch
* Thu Jan 28 2010 msebenAATTnovell.com- added use-ipv6-scope-id.patch to fix connection issues with ipv6-link local address (bnc#574366)
* Wed Jan 20 2010 cooloAATTnovell.com- fix typo in the package description - and remove authors