Hello community, here is the log from the commit of package vsftpd for openSUSE:Factory checked in at 2015-09-19 06:53:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vsftpd (Old) and /work/SRC/openSUSE:Factory/.vsftpd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vsftpd" Changes: -------- --- /work/SRC/openSUSE:Factory/vsftpd/vsftpd.changes 2015-07-02 22:45:28.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.vsftpd.new/vsftpd.changes 2015-09-19 06:53:10.000000000 +0200 
@@ -1,0 +2,33 @@ +Tue Sep 8 10:57:55 UTC 2015 - tchva...@suse.com + +- Version bump to 3.0.3: + * Increase VSFTP_AS_LIMIT to 200MB; various reports. + * Make the PWD response more RFC compliant; report from Barry Kelly + <ba...@modeltwozero.com>. + * Remove the trailing period from EPSV response to work around BT Internet + issues; report from Tim Bishop <t...@mirrorservice.org>. + * Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil + <mvysko...@suse.cz>. At least, syslogging seems to work on my Fedora now. + * Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I + probably have a different distro / libc / etc. and there are multiple reports. + * Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle + this case gracefully. Report from Vasily Averin <v...@odin.com>. + * List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default. + * Make some compile-time SSL defaults (such as correct client shutdown + handling) stricter. + * Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms + delays. From Tim Kosse <tim.ko...@filezilla-project.org>. + * Kill the FTP session if we see HTTP protocol commands, to avoid + cross-protocol attacks. A report from Jann Horn <j...@thejh.net>. + * Kill the FTP session if we see session re-use failure. A report from + Tim Kosse <tim.ko...@filezilla-project.org>. + * Enable ECDHE, Tim Kosse <tim.ko...@filezilla-project.org>. + * Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384. + * Minor SSL logging improvements. + * Un-default tunable_strict_ssl_write_shutdown again. We still have + tunable_strict_ssl_read_eof defaulted now, which is the important one to prove + upload integrity. 
+- Drop patch vsftpd-allow-dev-log-socket.patch should be included + upstream, se above bullet with mvyskocil's email + +------------------------------------------------------------------- Old: ---- vsftpd-3.0.2.tar.gz vsftpd-3.0.2.tar.gz.asc vsftpd-allow-dev-log-socket.patch New: ---- vsftpd-3.0.3.tar.gz vsftpd-3.0.3.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vsftpd.spec ++++++ --- /var/tmp/diff_new_pack.A3hBd6/_old 2015-09-19 06:53:11.000000000 +0200 +++ /var/tmp/diff_new_pack.A3hBd6/_new 2015-09-19 06:53:11.000000000 +0200 @@ -17,7 +17,7 @@ Name: vsftpd -Version: 3.0.2 +Version: 3.0.3 Release: 0 Summary: Very Secure FTP Daemon - Written from Scratch License: SUSE-GPL-2.0-with-openssl-exception @@ -44,8 +44,6 @@ Patch9: vsftpd-2.3.5-conf.patch Patch10: vsftpd-3.0.0_gnu_source_defines.patch Patch11: vsftpd-3.0.0-optional-seccomp.patch -#PATCH-FIX-OPENSUSE: bnc#786024 -Patch12: vsftpd-allow-dev-log-socket.patch #PATCH-FIX-OPENSUSE: bnc#786024, second issue with pam_login_acct Patch13: vsftpd-drop-newpid-from-clone.patch #PATCH-FIX-OPENSUSE: bnc#812406 @@ -96,7 +94,6 @@ %patch9 %patch10 -p1 %patch11 -p1 -%patch12 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 ++++++ vsftpd-3.0.2.tar.gz -> vsftpd-3.0.3.tar.gz ++++++ Files old/vsftpd-3.0.2/.ftpcmdio.h.swp and new/vsftpd-3.0.3/.ftpcmdio.h.swp differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/Changelog new/vsftpd-3.0.3/Changelog --- old/vsftpd-3.0.2/Changelog 2012-09-18 12:03:15.000000000 +0200 +++ new/vsftpd-3.0.3/Changelog 2015-07-23 08:01:55.000000000 +0200 
@@ -1343,3 +1343,35 @@ At this point: v3.0.2 released! =============================== + +- Increase VSFTP_AS_LIMIT to 200MB; various reports. +- Make the PWD response more RFC compliant; report from Barry Kelly +<ba...@modeltwozero.com>. +- Remove the trailing period from EPSV response to work around BT Internet +issues; report from Tim Bishop <t...@mirrorservice.org>. +- Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil +<mvysko...@suse.cz>. At least, syslogging seems to work on my Fedora now. +- Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I +probably have a different distro / libc / etc. and there are multiple reports. +- Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle +this case gracefully. Report from Vasily Averin <v...@odin.com>. +- List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default. +- Make some compile-time SSL defaults (such as correct client shutdown +handling) stricter. +- Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms +delays. From Tim Kosse <tim.ko...@filezilla-project.org>. +- Kill the FTP session if we see HTTP protocol commands, to avoid +cross-protocol attacks. A report from Jann Horn <j...@thejh.net>. +- Kill the FTP session if we see session re-use failure. A report from +Tim Kosse <tim.ko...@filezilla-project.org>. +(vsftpd-3.0.3pre1) +- Enable ECDHE, Tim Kosse <tim.ko...@filezilla-project.org>. +- Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384. +- Minor SSL logging improvements. +- Un-default tunable_strict_ssl_write_shutdown again. We still have +tunable_strict_ssl_read_eof defaulted now, which is the important one to prove +upload integrity. +(vsftpd-3.0.3pre2) + +At this point: v3.0.3 released! 
+=============================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/README new/vsftpd-3.0.3/README --- old/vsftpd-3.0.2/README 2012-09-18 12:02:27.000000000 +0200 +++ new/vsftpd-3.0.3/README 2015-07-21 00:06:54.000000000 +0200 @@ -1,4 +1,4 @@ -This is vsftpd, version 3.0.2 +This is vsftpd, version 3.0.3 Author: Chris Evans Contact: scarybea...@gmail.com Website: http://vsftpd.beasts.org/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/defs.h new/vsftpd-3.0.3/defs.h --- old/vsftpd-3.0.2/defs.h 2012-04-03 09:00:23.000000000 +0200 +++ new/vsftpd-3.0.3/defs.h 2015-07-21 01:03:17.000000000 +0200 @@ -19,7 +19,7 @@ /* Must be at least the size of VSFTP_MAX_COMMAND_LINE, VSFTP_DIR_BUFSIZE and VSFTP_DATA_BUFSIZE*2 */ #define VSFTP_PRIVSOCK_MAXSTR VSFTP_DATA_BUFSIZE * 2 -#define VSFTP_AS_LIMIT 100UL * 1024 * 1024 +#define VSFTP_AS_LIMIT 200UL * 1024 * 1024 #endif /* VSF_DEFS_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/ftpdataio.c new/vsftpd-3.0.3/ftpdataio.c --- old/vsftpd-3.0.2/ftpdataio.c 2012-04-03 09:04:39.000000000 +0200 +++ new/vsftpd-3.0.3/ftpdataio.c 2015-07-22 20:36:41.000000000 +0200 
@@ -181,15 +181,13 @@ } if (ret != 1) { - static struct mystr s_err_msg; - str_alloc_text(&s_err_msg, "SSL connection failed"); if (tunable_require_ssl_reuse) { - str_append_text(&s_err_msg, "; session reuse required"); - str_append_text( - &s_err_msg, ": see require_ssl_reuse option in vsftpd.conf man page"); + vsf_cmdio_write_exit(p_sess, FTP_DATATLSBAD, + "SSL connection failed: session reuse required", 1); + } else { + vsf_cmdio_write(p_sess, FTP_DATATLSBAD, "SSL connection failed"); } - vsf_cmdio_write_str(p_sess, FTP_DATATLSBAD, &s_err_msg); } return ret; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/postlogin.c new/vsftpd-3.0.3/postlogin.c --- old/vsftpd-3.0.2/postlogin.c 2012-09-18 11:59:37.000000000 +0200 +++ new/vsftpd-3.0.3/postlogin.c 2015-07-22 21:03:22.000000000 +0200 @@ -439,6 +439,15 @@ { /* Deliberately ignore to avoid NAT device bugs. ProFTPd does the same. */ } + else if (str_equal_text(&p_sess->ftp_cmd_str, "GET") || + str_equal_text(&p_sess->ftp_cmd_str, "POST") || + str_equal_text(&p_sess->ftp_cmd_str, "HEAD") || + str_equal_text(&p_sess->ftp_cmd_str, "OPTIONS") || + str_equal_text(&p_sess->ftp_cmd_str, "CONNECT")) + { + vsf_cmdio_write_exit(p_sess, FTP_BADCMD, + "HTTP protocol commands not allowed.", 1); + } else { vsf_cmdio_write(p_sess, FTP_BADCMD, "Unknown command."); @@ -466,7 +475,7 @@ /* Enclose pathname in quotes */ str_alloc_text(&s_pwd_res_str, "\""); str_append_str(&s_pwd_res_str, &s_cwd_buf_mangle_str); - str_append_text(&s_pwd_res_str, "\""); + str_append_text(&s_pwd_res_str, "\" is the current directory"); vsf_cmdio_write_str(p_sess, FTP_PWDOK, &s_pwd_res_str); } 
@@ -594,7 +603,7 @@ { str_alloc_text(&s_pasv_res_str, "Entering Extended Passive Mode (|||"); str_append_ulong(&s_pasv_res_str, (unsigned long) the_port); - str_append_text(&s_pasv_res_str, "|)."); + str_append_text(&s_pasv_res_str, "|)"); vsf_cmdio_write_str(p_sess, FTP_EPSVOK, &s_pasv_res_str); return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/seccompsandbox.c new/vsftpd-3.0.3/seccompsandbox.c --- old/vsftpd-3.0.2/seccompsandbox.c 2012-09-18 08:52:30.000000000 +0200 +++ new/vsftpd-3.0.3/seccompsandbox.c 2015-07-22 21:47:35.000000000 +0200 @@ -20,6 +20,7 @@ #include <errno.h> #include <netinet/in.h> +#include <netinet/tcp.h> #include <sys/fcntl.h> #include <sys/mman.h> @@ -300,6 +301,7 @@ reject_nr(__NR_mremap, ENOSYS); /* Misc simple low-risk calls. */ + allow_nr(__NR_gettimeofday); /* Used by logging. */ allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */ allow_nr(__NR_restart_syscall); allow_nr(__NR_close); @@ -352,6 +354,11 @@ if (tunable_ssl_enable) { allow_nr_1_arg_match(__NR_recvmsg, 3, 0); + allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY); + } + if (tunable_syslog_enable) + { + reject_nr(__NR_socket, EACCES); } } @@ -441,6 +448,16 @@ } } + if (tunable_syslog_enable) + { + /* The ability to pass an address spec isn't needed so disable it. We ensure + * the 6th arg (socklen) is 0. We could have checked the 5th arg (sockptr) + * but I don't know if 64-bit compares work in the kernel filter, so we're + * happy to check the socklen arg, which is 32 bits. + */ + allow_nr_1_arg_match(__NR_sendto, 6, 0); + } + if (tunable_text_userdb_names) { reject_nr(__NR_socket, EACCES); 
@@ -667,6 +684,11 @@ ret = prctl(PR_SET_SECCOMP, 2, &prog, 0, 0); if (ret != 0) { + if (errno == EINVAL) + { + /* Kernel isn't good enough. */ + return; + } die("prctl PR_SET_SECCOMP failed"); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/ssl.c new/vsftpd-3.0.3/ssl.c --- old/vsftpd-3.0.2/ssl.c 2012-04-03 02:23:42.000000000 +0200 +++ new/vsftpd-3.0.3/ssl.c 2015-07-23 06:14:04.000000000 +0200 @@ -120,6 +120,15 @@ { die("SSL: RNG is not seeded"); } + { + EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (key == NULL) + { + die("SSL: failed to get curve p256"); + } + SSL_CTX_set_tmp_ecdh(p_ctx, key); + EC_KEY_free(key); + } if (tunable_ssl_request_cert) { verify_option |= SSL_VERIFY_PEER; @@ -275,8 +284,20 @@ */ if (retval == 0 && SSL_get_shutdown(p_ssl) != SSL_RECEIVED_SHUTDOWN) { - str_alloc_text(&debug_str, "Connection terminated without SSL shutdown " - "- buggy client?"); + if (p_ssl == p_sess->p_control_ssl) + { + str_alloc_text(&debug_str, "Control"); + } + else + { + str_alloc_text(&debug_str, "DATA"); + } + str_append_text(&debug_str, " connection terminated without SSL shutdown."); + if (p_ssl != p_sess->p_control_ssl) + { + str_append_text(&debug_str, + " Buggy client! Integrity of upload cannot be asserted."); + } vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); if (tunable_strict_ssl_read_eof) { 
@@ -380,6 +401,12 @@ { int ret; maybe_log_shutdown_state(p_sess); + + /* Disable Nagle algorithm. We want the shutdown packet to be sent + * immediately, there's nothing coming after. + */ + vsf_sysutil_set_nodelay(SSL_get_fd(p_ssl)); + /* This is a mess. Ideally, when we're the sender, we'd like to get to the * SSL_RECEIVED_SHUTDOWN state to get a cryptographic guarantee that the * peer received all the data and shut the connection down cleanly. It diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/tunables.c new/vsftpd-3.0.3/tunables.c --- old/vsftpd-3.0.2/tunables.c 2012-04-05 00:29:50.000000000 +0200 +++ new/vsftpd-3.0.3/tunables.c 2015-07-23 06:13:07.000000000 +0200 @@ -215,7 +215,7 @@ tunable_debug_ssl = 0; tunable_require_cert = 0; tunable_validate_cert = 0; - tunable_strict_ssl_read_eof = 0; + tunable_strict_ssl_read_eof = 1; tunable_strict_ssl_write_shutdown = 0; tunable_ssl_request_cert = 1; tunable_delete_failed_uploads = 0; @@ -284,7 +284,7 @@ install_str_setting("/usr/share/ssl/certs/vsftpd.pem", &tunable_rsa_cert_file); install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting("AES128-SHA:DES-CBC3-SHA", &tunable_ssl_ciphers); + install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_dsa_private_key_file); install_str_setting(0, &tunable_ca_certs_file); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.2/vsftpver.h new/vsftpd-3.0.3/vsftpver.h --- old/vsftpd-3.0.2/vsftpver.h 2012-09-18 12:02:36.000000000 +0200 +++ new/vsftpd-3.0.3/vsftpver.h 2015-07-21 00:07:04.000000000 +0200 @@ -1,7 +1,7 @@ #ifndef VSF_VERSION_H #define VSF_VERSION_H -#define VSF_VERSION "3.0.2" +#define VSF_VERSION "3.0.3" #endif /* VSF_VERSION_H */
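
Review bot: in the defs.h hunk, the changed line "#define VSFTP_AS_LIMIT 200UL * 1024 * 1024" leaves the macro body unparenthesised, so an expression that divides by it or casts it will not evaluate as a single value. Wrap it as (200UL * 1024 * 1024) while touching the line. The context line defining VSFTP_PRIVSOCK_MAXSTR has the same shape. A short comment on why 200MB was chosen would also help the next person who needs to raise it.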
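
Review bot: in the ftpdataio.c hunk (@@ -181,15 +181,13 @@), the new tunable_require_ssl_reuse branch drops the hint the old message carried, "see require_ssl_reuse option in vsftpd.conf man page". This path now ends the session through vsf_cmdio_write_exit, so "SSL connection failed: session reuse required" is the last reply the client receives. Keep the option name in the reply, or write a server-side log line naming require_ssl_reuse before exiting, so an administrator can tell which setting caused the disconnect.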
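
Review bot: the HTTP method list in the new else-if in postlogin.c (@@ -439,6 +439,15 @@) covers GET, POST, HEAD, OPTIONS and CONNECT but not PUT, DELETE, PATCH or TRACE, which still fall through to the "Unknown command." branch and leave the session open. If the intent is to end the session on any HTTP request line, extend the list; otherwise add a comment saying why these five are enough. This diff changes only postlogin.c for this check, so please confirm whether the pre-login command loop needs the same handling.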
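
Review bot: in the seccompsandbox.c hunk at @@ -667,6 +684,11 @@, the new "if (errno == EINVAL) { ... return; }" after prctl(PR_SET_SECCOMP, 2, &prog, 0, 0) returns silently, so the process carries on with no filter installed and nothing records that. The kernel also returns EINVAL when it rejects the filter program itself, not only when seccomp filtering is unsupported, so a defect in the generated filter would be hidden by the same path instead of hitting die("prctl PR_SET_SECCOMP failed"). Suggest writing a log line before the return and expanding the "Kernel isn't good enough." comment to state that the sandbox is being skipped.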
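
Review bot: in the new ECDH block in ssl.c (@@ -120,6 +120,15 @@), the result of SSL_CTX_set_tmp_ecdh(p_ctx, key) is ignored, although a NULL key from EC_KEY_new_by_curve_name is treated as fatal. The same patch changes the default cipher list in tunables.c to a single ECDHE suite, so a failure here would leave the default configuration without a usable key exchange and no message explaining why. Check the return value and die() in the same way as the NULL case.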
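
Review bot: in the ssl.c logging hunk (@@ -275,8 +284,20 @@), the comparison "p_ssl == p_sess->p_control_ssl" is evaluated twice, once to pick the prefix and again (negated) to append the upload warning. The second test can move into the existing else branch. The prefixes are also inconsistent in case ("Control" versus "DATA"), which makes the debug log harder to grep; pick one style.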
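
Review bot: the first tunables.c hunk (@@ -215,7 +215,7 @@) flips tunable_strict_ssl_read_eof from 0 to 1, which is a behaviour change for existing installations: the "if (tunable_strict_ssl_read_eof)" branch that follows the "terminated without SSL shutdown" log line in ssl.c now runs by default. No documentation change for this default appears in the diff. Update the documented default with it, and call the change out in the vsftpd.changes entry as something administrators may notice with clients that do not send an SSL shutdown.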
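
Review bot: the second tunables.c hunk (@@ -284,7 +284,7 @@) sets the default tunable_ssl_ciphers to the single suite "ECDHE-RSA-AES256-GCM-SHA384", so a client that cannot negotiate exactly that suite fails the handshake, and a setup that configures only tunable_dsa_cert_file has no matching suite at all. The Changelog line "List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default" is superseded by this value but still reads as if it applies. No documentation change for ssl_ciphers appears in this diff; update the documented default alongside, and decide whether the package's shipped vsftpd.conf should carry a wider list.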