Bug 811193 - vsftpd-3.0.0 is available
Summary: vsftpd-3.0.0 is available
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: vsftpd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jiri Skala
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-10 11:15 UTC by Upstream Release Monitoring
Modified: 2014-11-09 22:35 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-04-10 19:42:09 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Upstream Release Monitoring 2012-04-10 11:15:47 UTC
Latest upstream release: 3.0.0
Current version in Fedora Rawhide: 2.3.5
URL: https://security.appspot.com/vsftpd.html

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring

Comment 1 Account closed by user 2012-04-10 12:20:09 UTC
vsftpd-3.0.0 is released - with a new highly restrictive seccomp filter sandbox. It activates automatically on 64-bit bit binaries on Ubuntu 12.04+. In addition, there's a fix for passive mode connections under high loads and a few timeout fixes, particularly if you're using SSL. 

<http://scarybeastsecurity.blogspot.com.es/2012/04/vsftpd-300-and-seccomp-filter.html>


v3.0.0 changelog:

- Update vsf_findlibs.sh to work on Ubuntu 11.10+
- Make listen mode the default.
- Add -Werror to build flags.
- Fix missing "const" in ssl.c
- Add seccompsandbox.c to support a seccomp filter sandbox; works against Ubuntu
12.04 ABI.
- Rearrange ftppolicy.c a bit so the syscall list is easily comparable with
seccompsandbox.c
- Rename deprecated "sandbox" to "ptrace_sandbox".
- Add a few more state checks to the privileged helper processes.
- Add tunable "seccomp_sandbox", default on.
- Use hardened build flags. Distros of course override these and provide their
own build flags but no harm in showing how it could be done.
- Retry creating a PASV socket upon port reuse race between bind() and listen(),
patch from Ralph Wuerthner <ralph.wuerthner.com>.
- Don't die() if recv() indicates a closed remote connection. Problem report
on a Windows client from Herbert van den Bergh,
<herbert.van.den.bergh>.
- Add new config setting "allow_writeable_chroot" to help people in a bit of
a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
- Remove a couple of fixed things from BUGS.
- strlen() trunction fix -- no particular impact.
- Apply some tidyups from mmoufid.
(vsftpd-3.0.0-pre1)
- Fix delete_failed_uploads if there is a timeout. Report from Alejandro
Hernández Hdez <aalejandrohdez>.
- Fix other data channel bugs such as failure to log failure upon timeout.
- Use exit codes a bit more consistently.
- Fix bad interaction between SSL and trans_chunk_size.
- Redo data timeout to fire properly for SSL sessions.
- Redo idle timeout to fire properly for SSL sessions.
- Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
- Use 10 minutes as a max linger time just in case an alarm gets lost.
(vsftpd-3.0.0-pre2)
- Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
- Add AES128-SHA to default SSL cipher suites for FileZilla compatibility.
Unfortunately the default vsftpd SSL confiuration still doesn't fully work
with FileZilla, because FileZilla has a data connection security problem:
no client certificate presentation and no session reuse. At least the error
message is now very clear.
- Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst
a data transfer is in progress.
- Fix delete_failed_uploads for anonymous sessions.
- Don't listen for urgent data if the control connection is SSL, due to possible
protocol synchronization issues.


Note You need to log in before you can comment on or make changes to this bug.