userlist_deny
This option is examined if userlist_enable is activated. If you set this
setting to NO, then users will be denied login unless they are
explicitly listed in the file specified by userlist_file. When login is
denied, the denial is issued before the user is asked for a password.
If a user tries to log in using a name in this file, they will be denied
before they are asked for a password.
- Yeah, that is the problem. The user can now see that the username is not
valid. We really need an option here to prompt for password before failing.
--
You received this bug
This is something you should bring up to the VSFTPD development team as
this is not an Ubuntu bug. A VSFTPD mailing list perhaps, or an e-mail
to a project code contributor would be appropriate for your concerns.
--
You received this bug notification because you are a member of Ubuntu
Server
** Changed in: vsftpd (Debian)
Status: New = Invalid
** Changed in: vsftpd (Ubuntu)
Status: Invalid = Opinion
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
https://bugs.launchpad.net/bugs/672328
userlist_deny
This option is examined if userlist_enable is activated. If you set this
setting to NO, then users will be denied login unless they are
explicitly listed in the file specified by userlist_file. When login is
denied, the denial is issued before the user is asked for a password.
If a user tries to log in using a name in this file, they will be denied
before they are asked for a password.
- Yeah, that is the problem. The user can now see that the username is not
valid. We really need an option here to prompt for password before failing.
--
You received this bug
This is something you should bring up to the VSFTPD development team as
this is not an Ubuntu bug. A VSFTPD mailing list perhaps, or an e-mail
to a project code contributor would be appropriate for your concerns.
--
You received this bug notification because you are a member of Ubuntu
Bugs,
** Changed in: vsftpd (Debian)
Status: New = Invalid
** Changed in: vsftpd (Ubuntu)
Status: Invalid = Opinion
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/672328
Title:
vsftpd:
Ok, ignore the wording of the advisory. The bug is as I described. If
userlist_enable=YES then vsftpd does not ask for a password if an
invalid username is entered (and therefore it is disclosed that the
username is not valid). I will check the value of local_enabled, when I
return to my computer
The bug only occurs when whitelisting is being used. It does not occur
for blacklisting.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
https://bugs.launchpad.net/bugs/672328
Title:
vsftpd: discloses whether
Ok, ignore the wording of the advisory. The bug is as I described. If
userlist_enable=YES then vsftpd does not ask for a password if an
invalid username is entered (and therefore it is disclosed that the
username is not valid). I will check the value of local_enabled, when I
return to my computer
The bug only occurs when whitelisting is being used. It does not occur
for blacklisting.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/672328
Title:
vsftpd: discloses whether usernames are valid or
I just tried this out. To achieve whitelisting:
userlist_enable=YES
userlist_deny = NO
ftp the server:
ftp neptune
Connected to neptune.markhobley.yi.org.
220 Welcome to Mark Hobley's File Transfer Protocol Server.
Name (neptune:test): test
530 Permission denied. --- It should ask for a
** Changed in: vsftpd (Ubuntu)
Status: Invalid = New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
https://bugs.launchpad.net/bugs/672328
Title:
vsftpd: discloses whether usernames are valid or not
--
The bug only occurs when the user whitelisting facility is being used (ie
userlist_enable=YES)
http://securitytracker.com/id?1008628
A workaround is to disable the uselist facility and then use PAM to deny
services.
I think this is a kludge. It should be possible to deny by default,
unless
Is your userlist_deny=NO/YES set. Could this be missing or commented
out in your configuration? Also, is your local_enable= variable set?
The security advisory only addresses disclosure of valid users and does
not allow password-less logins. I am sure a patched security update
will be provided
This does not allow for non password user authentication. The security,
or rather bug in question allows for brute force user name disclosure
and therefor a new bug report should be made and this ticket closed as
this description states falsely that causes the system to skip asking
for a password
I also want to take notice to the issue date of the vulnerability:
Updated: Jul 6 2008
Original Entry Date: Jan 7 2004
I changed the ticket status to 'invalid' and it should be closed.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed
** Changed in: vsftpd (Ubuntu)
Status: Invalid = New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/672328
Title:
vsftpd: discloses whether usernames are valid or not
--
ubuntu-bugs mailing
The bug only occurs when the user whitelisting facility is being used (ie
userlist_enable=YES)
http://securitytracker.com/id?1008628
A workaround is to disable the uselist facility and then use PAM to deny
services.
I think this is a kludge. It should be possible to deny by default,
unless
Is your userlist_deny=NO/YES set. Could this be missing or commented
out in your configuration? Also, is your local_enable= variable set?
The security advisory only addresses disclosure of valid users and does
not allow password-less logins. I am sure a patched security update
will be provided
This does not allow for non password user authentication. The security,
or rather bug in question allows for brute force user name disclosure
and therefor a new bug report should be made and this ticket closed as
this description states falsely that causes the system to skip asking
for a password
I also want to take notice to the issue date of the vulnerability:
Updated: Jul 6 2008
Original Entry Date: Jan 7 2004
I changed the ticket status to 'invalid' and it should be closed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
We are closing this bug report because it lacks the information we need
to investigate the problem, as described in the previous comments.
Please reopen it if you can give us the missing information, and don't
hesitate to submit bug reports in the future. To reopen the bug report
you can click on
We are closing this bug report because it lacks the information we need
to investigate the problem, as described in the previous comments.
Please reopen it if you can give us the missing information, and don't
hesitate to submit bug reports in the future. To reopen the bug report
you can click on
We'd like to figure out what's causing this bug for you, but we haven't
heard back from you in a while. Could you please provide the requested
information? Thanks!
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
We'd like to figure out what's causing this bug for you, but we haven't
heard back from you in a while. Could you please provide the requested
information? Thanks!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Thanks for reporting this issue. Could you please give specific steps on
how to reproduce it?
** Changed in: vsftpd (Ubuntu)
Status: New = Incomplete
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
Also, could you please say which version of vsftpd on which version of
Ubuntu you are using?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
https://bugs.launchpad.net/bugs/672328
Title:
vsftpd: discloses whether
Thanks for reporting this issue. Could you please give specific steps on
how to reproduce it?
** Changed in: vsftpd (Ubuntu)
Status: New = Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Also, could you please say which version of vsftpd on which version of
Ubuntu you are using?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/672328
Title:
vsftpd: discloses whether usernames are
** Also affects: vsftpd (Debian)
Importance: Undecided
Status: New
--
vsftpd: discloses whether usernames are valid or not
https://bugs.launchpad.net/bugs/672328
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
** Also affects: vsftpd (Debian)
Importance: Undecided
Status: New
--
vsftpd: discloses whether usernames are valid or not
https://bugs.launchpad.net/bugs/672328
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs
** Changed in: vsftpd (Ubuntu)
Importance: Undecided = Low
--
vsftpd: discloses whether usernames are valid or not
https://bugs.launchpad.net/bugs/672328
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
--
** Changed in: vsftpd (Ubuntu)
Importance: Undecided = Low
--
vsftpd: discloses whether usernames are valid or not
https://bugs.launchpad.net/bugs/672328
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
35 matches
Mail list logo