Bug 1187041 (CVE-2015-1419)
| Summary: | CVE-2015-1419 vsftpd: access restrictions bypass | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | Severity: | medium |
| Priority: | medium | Version: | unspecified |
| CC: | carnil, jaskalnik, mdshaikh, mosvald, nagy.martin | Keywords: | Security |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2015-07-17 04:11:55 UTC |
| Bug Depends On: | 1187043 | Bug Blocks: | 1187042 |

Description
Vasyl Kaigorodov
2015-01-29 08:58:02 UTC
Created vsftpd tracking bugs for this issue:

Affects: fedora-all [bug 1187043]

As per the vsftpd.conf man page:

"This option is very simple, and should not be used for serious access control - the filesystem's permissions should be used in preference. However, this option may be useful in certain virtual user setups. In particular aware that if a filename is accessible by a variety of names (perhaps due to symbolic links or hard links), then care must be taken to deny access to all the names."

The man page advises users to exercise caution when using the deny_file option and mentions that filesystem permissions should be preferred. Based on the above documentation, Red Hat Product Security Team does not consider this issue as a security flaw.

Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
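
An audit for the caveat quoted from the man page, as an added example that is not part of the original bug report or of vsftpd: it lists every hard link or symbolic link that reaches a file covered by a deny pattern under a name the pattern does not cover. Assumptions: a single shell glob (`*.key` here, a constructed value) stands in for the admin's deny_file pattern, whose matching is done by vsftpd itself and may differ, and `find` supports `-samefile` (GNU and BSD find do).

```shell
#!/bin/sh
# audit_deny_file ROOT GLOB
# For each regular file under ROOT whose name matches GLOB, print every other
# path under ROOT that reaches the same file but whose name does NOT match
# GLOB. Such names are not covered by a name-based deny rule.
# Limitation: path names containing newlines are not handled.
audit_deny_file() {
    root=$1
    glob=$2
    find "$root" -type f -name "$glob" -print |
    while IFS= read -r target; do
        # -L makes find follow symlinks, so -samefile matches both hard
        # links and symlinks that resolve to the target's inode.
        find -L "$root" -samefile "$target" ! -name "$glob" \
            -exec printf '%s -> %s\n' {} "$target" \;
    done
}

# Constructed sample tree: one denied file, one hard link and one symlink to
# it under other names, and one unrelated file.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/pub"
    echo data > "$t/secret.key"
    echo text > "$t/pub/readme.txt"
    ln "$t/secret.key" "$t/pub/notes.txt"
    ln -s ../secret.key "$t/pub/link.txt"
    (cd "$t" && audit_deny_file . '*.key')
    rm -rf "$t"
}

# With two arguments, audit a real tree; with none, run the constructed demo.
if [ "$#" -ge 2 ]; then
    audit_deny_file "$1" "$2"
else
    demo
fi
```

Any path it reports needs filesystem permissions (or removal of the extra name) to be protected, which is the control the man page recommends in preference to deny_file.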