Hello community,

here is the log from the commit of package vsftpd for openSUSE:Factory checked in at 2012-02-22 15:55:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/vsftpd (Old)
 and      /work/SRC/openSUSE:Factory/.vsftpd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vsftpd", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/vsftpd/vsftpd.changes 2011-09-23 12:50:08.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.vsftpd.new/vsftpd.changes 2012-02-22 15:55:44.000000000 +0100 
@@ -1,0 +2,47 @@ +Tue Feb 21 10:51:51 UTC 2012 - [email protected] + +- follow Systemd Packaging guidelines + http://en.opensuse.org/openSUSE:Systemd_packaging_guidelines +- add $local_fs and $remote_fs to init script + +------------------------------------------------------------------- +Wed Feb 15 16:41:15 UTC 2012 - [email protected] + +- use the original tarball, because the bz2 repacking madness disables + gpg --verify +- revert a part oc changes utf converting + +------------------------------------------------------------------- +Fri Dec 23 17:48:04 UTC 2011 - [email protected] + +- update to upstream 2.3.5: + * Try and force glibc to cache zoneinfo files in an attempt to work around + glibc parsing vulnerability. Thanks to Kingcope. + * Only report CHMOD in SITE HELP if it's enabled. Thanks to Martin Schwenke + <[email protected]>. + * Some simple fixes and cleanups from Thorsten Brehm <[email protected]>. + * Only advertise "AUTH SSL" if one of SSLv2, SSLv3 is enabled. Thanks to + steve willing <[email protected]>. + * Handle connect() failures properly. Thanks to Takayuki Nagata + <[email protected]>. + * Add stronger checks for the configuration error of running with a + writeable root directory inside a chroot(). This may bite people who + carelessly turned on chroot_local_user but such is life. 
+- convert .changes file to unicode +- refresh vsftpd-2.0.4-conf.diff to vsftpd-2.3.5-conf.patch +- name patches explicitly without macro as per recommendations +- remove INSTALL file from binary package +- update license to GPL-2.0+ +- mark /etc/sysconfig/SuSEfirewall2/services/vsftpd as config file + +------------------------------------------------------------------- +Sat Nov 26 16:31:20 UTC 2011 - [email protected] + +- fis copy/paste error in previous change + +------------------------------------------------------------------- +Fri Nov 25 22:14:14 UTC 2011 - [email protected] + +- Add systemd unit + +------------------------------------------------------------------- @@ -486,3 +533,3 @@ - � IPv6 support, so drop our patch - � Many bugfixes and tunings - � Build fixes + ˇ IPv6 support, so drop our patch + ˇ Many bugfixes and tunings + ˇ Build fixes Old: ---- _service _service:download_url:vsftpd-2.3.4.tar.gz vsftpd-2.0.4-conf.diff New: ---- vsftpd-2.3.5-conf.patch vsftpd-2.3.5.tar.gz vsftpd.service ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vsftpd.spec ++++++ --- /var/tmp/diff_new_pack.gJn1nm/_old 2012-02-22 15:55:45.000000000 +0100 +++ /var/tmp/diff_new_pack.gJn1nm/_new 2012-02-22 15:55:45.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package vsftpd # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -15,20 +15,22 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild - Name: vsftpd -BuildRequires: openssl-devel pam-devel +BuildRequires: openssl-devel +BuildRequires: pam-devel %if 0%{?suse_version} < 1001 BuildRequires: libcap %else BuildRequires: libcap-devel %endif -Version: 2.3.4 -Release: 1 +%if 0%{?suse_version} > 1140 +BuildRequires: systemd +%endif +Version: 2.3.5 +Release: 0 Summary: Very Secure FTP Daemon - Written from Scratch -License: GPLv2+ +License: GPL-2.0+ Group: Productivity/Networking/Ftp/Servers Url: https://security.appspot.com/vsftpd.html Source: %name-%version.tar.gz @@ -38,17 +40,19 @@ Source4: README.SUSE Source5: %name.xml Source6: %name.firewall -Patch1: %name-2.0.4-lib64.diff -Patch3: %name-2.0.4-xinetd.diff -Patch4: %name-2.0.4-enable-ssl.patch -Patch5: %name-2.0.4-dmapi.patch -Patch6: %name-2.0.5-vuser.patch -Patch7: %name-2.0.5-enable-debuginfo.patch -Patch8: %name-2.0.5-utf8-log-names.patch -Patch9: %name-2.0.4-conf.diff +Source7: vsftpd.service +Patch1: vsftpd-2.0.4-lib64.diff +Patch3: vsftpd-2.0.4-xinetd.diff +Patch4: vsftpd-2.0.4-enable-ssl.patch +Patch5: vsftpd-2.0.4-dmapi.patch +Patch6: vsftpd-2.0.5-vuser.patch +Patch7: vsftpd-2.0.5-enable-debuginfo.patch +Patch8: vsftpd-2.0.5-utf8-log-names.patch +Patch9: vsftpd-2.3.5-conf.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Provides: ftp-server PreReq: %insserv_prereq /usr/sbin/useradd +%{?systemd_requires} Requires: logrotate %description 
@@ -94,25 +98,43 @@ install -D -m 644 %SOURCE5 $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/ install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/ install -m 644 %{S:6} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name} +%if 0%{?suse_version} > 1140 +install -D -m 0644 %SOURCE7 %{buildroot}/%{_unitdir}/%{name}.service +%endif %pre /usr/sbin/useradd -r -o -g nogroup -s /bin/false -c "Secure FTP User" -d /var/lib/empty ftpsecure 2> /dev/null || : +%if 0%{?suse_version} > 1140 +%service_add_pre %{name}.service +%endif %preun %stop_on_removal %name +%if 0%{?suse_version} > 1140 +%service_del_preun %{name}.service +%endif %post %{fillup_and_insserv -f %{name}} +%if 0%{?suse_version} > 1140 +%service_add_post %{name}.service +%endif %postun %insserv_cleanup %restart_on_update %name +%if 0%{?suse_version} > 1140 +%service_del_postun %{name}.service +%endif %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) +%if 0%{?suse_version} > 1140 +%{_unitdir}/%{name}.service +%endif /usr/sbin/%name /usr/sbin/rc%name %config /etc/init.d/%name @@ -124,9 +146,9 @@ %config(noreplace) /etc/logrotate.d/%name %_mandir/man5/%name.conf.* %_mandir/man8/%name.* -%doc INSTALL BUGS AUDIT Changelog LICENSE README README.security +%doc BUGS AUDIT Changelog LICENSE README README.security %doc REWARD SPEED TODO SECURITY TUNING SIZE FAQ EXAMPLE COPYING %doc README.SUSE -%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name} +%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name} %changelog ++++++ vsftpd-2.3.5-conf.patch ++++++ Index: vsftpd.conf =================================================================== --- vsftpd.conf.orig 2011-12-17 18:24:40.000000000 +0000 +++ vsftpd.conf 2011-12-23 17:16:43.000000000 +0000 
@@ -4,23 +4,89 @@ # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # +# If you do not change anything here you will have a minimum setup for an +# anonymus FTP server. +# # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # -# Allow anonymous FTP? (Beware - allowed by default if you comment this out). -anonymous_enable=YES -# -# Uncomment this to allow local users to log in. -#local_enable=YES +# ################ +# General Settings +# ################ # # Uncomment this to enable any form of FTP write command. -#write_enable=YES +write_enable=NO +# +# Activate directory messages - messages given to remote users when they +# go into a certain directory. +dirmessage_enable=YES +# +# It is recommended that you define on your system a unique user which the +# ftp server can use as a totally isolated and unprivileged user. +nopriv_user=ftpsecure +# +# You may fully customise the login banner string: +#ftpd_banner=Welcome to blah FTP service. +# +# You may activate the "-R" option to the builtin ls. This is disabled by +# default to avoid remote users being able to cause excessive I/O on large +# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume +# the presence of the "-R" option, so there is a strong case for enabling it. +#ls_recurse_enable=YES +# +# You may specify a file of disallowed anonymous e-mail addresses. Apparently +# useful for combatting certain DoS attacks. +#deny_email_enable=YES +# (default follows) +#banned_email_file=/etc/vsftpd.banned_emails +# +# If enabled, all user and group information in +# directory listings will be displayed as "ftp". +#hide_ids=YES +# +# ####################### +# Local FTP user Settings +# ####################### +# +# Uncomment this to allow local users to log in. 
+local_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) #local_umask=022 # +# You may specify an explicit list of local users to chroot() to their home +# directory. If chroot_local_user is YES, then this list becomes a list of +# users to NOT chroot(). +#chroot_local_user=YES +#chroot_list_enable=YES +# (default follows) +#chroot_list_file=/etc/vsftpd.chroot_list +# +# The maximum data transfer rate permitted, in bytes per second, for +# local authenticated users. The default is 0 (unlimited). +#local_max_rate=7200 +# +# ########################## +# Anonymus FTP user Settings +# ########################## +# +# Allow anonymous FTP? (Beware - allowed by default if you comment this out). +anonymous_enable=YES +# +# The maximum data transfer rate permitted, in bytes per second, for anonymous +# authenticated users. The default is 0 (unlimited). +#anon_max_rate=7200 +# +# Anonymous users will only be allowed to download files which are +# world readable. +anon_world_readable_only=YES +# +# Default umask for anonymus users is 077. You may wish to change this to 022, +# if your users expect that (022 is used by most other ftpd's) +#anon_umask=022 +# # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. 
@@ -30,15 +96,9 @@ anonymous_enable=YES # new directories. #anon_mkdir_write_enable=YES # -# Activate directory messages - messages given to remote users when they -# go into a certain directory. -dirmessage_enable=YES -# -# Activate logging of uploads/downloads. -xferlog_enable=YES -# -# Make sure PORT transfer connections originate from port 20 (ftp-data). -connect_from_port_20=YES +# Uncomment this to enable anonymus FTP users to perform other write operations +# like deletion and renaming. +#anon_other_write_enable=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not 
@@ -46,24 +106,51 @@ connect_from_port_20=YES #chown_uploads=YES #chown_username=whoever # +# ############ +# Log Settings +# ############ +# +# Log to the syslog daemon instead of using an logfile. +syslog_enable=YES +# +# Uncomment this to log all FTP requests and responses. +#log_ftp_protocol=YES +# +# Activate logging of uploads/downloads. +#xferlog_enable=YES +# # You may override where the log file goes if you like. The default is shown # below. -#xferlog_file=/var/log/vsftpd.log +# +#vsftpd_log_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. #xferlog_std_format=YES # +# You may override where the log file goes if you like. The default is shown +# below. +#xferlog_file=/var/log/vsftpd.log +# +# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log. +#dual_log_enable=YES +# +# Uncomment this to enable session status information in the system process listing. +#setproctitle_enable=YES +# +# ################# +# Transfer Settings +# ################# +# +# Make sure PORT transfer connections originate from port 20 (ftp-data). +connect_from_port_20=YES +# # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # -# It is recommended that you define on your system a unique user which the -# ftp server can use as a totally isolated and unprivileged user. -#nopriv_user=ftpsecure -# # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. 
@@ -77,41 +164,29 @@ connect_from_port_20=YES # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. -#ascii_upload_enable=YES +ascii_upload_enable=YES #ascii_download_enable=YES # -# You may fully customise the login banner string: -#ftpd_banner=Welcome to blah FTP service. -# -# You may specify a file of disallowed anonymous e-mail addresses. Apparently -# useful for combatting certain DoS attacks. -#deny_email_enable=YES -# (default follows) -#banned_email_file=/etc/vsftpd.banned_emails -# -# You may specify an explicit list of local users to chroot() to their home -# directory. If chroot_local_user is YES, then this list becomes a list of -# users to NOT chroot(). -# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that -# the user does not have write access to the top level directory within the -# chroot) -#chroot_local_user=YES -#chroot_list_enable=YES -# (default follows) -#chroot_list_file=/etc/vsftpd.chroot_list +# Set to NO if you want to disallow the PASV method of obtaining a data +# connection. +#pasv_enable=NO # -# You may activate the "-R" option to the builtin ls. This is disabled by -# default to avoid remote users being able to cause excessive I/O on large -# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume -# the presence of the "-R" option, so there is a strong case for enabling it. -#ls_recurse_enable=YES +# PAM setting. Do NOT change this unless you know what you do! +pam_service_name=vsftpd # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. -listen=YES +#listen=YES # # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies of vsftpd with two configuration files. # Make sure, that one of the listen options is commented !! 
-#listen_ipv6=YES +listen_ipv6=YES +# +# Set to ssl_enable=YES if you want to enable SSL +ssl_enable=NO +# +# Limit passive ports to this range to assis firewalling +pasv_min_port=30000 +pasv_max_port=30100 ++++++ vsftpd.init ++++++ --- /var/tmp/diff_new_pack.gJn1nm/_old 2012-02-22 15:55:45.000000000 +0100 +++ /var/tmp/diff_new_pack.gJn1nm/_new 2012-02-22 15:55:45.000000000 +0100 @@ -24,8 +24,8 @@ # ### BEGIN INIT INFO # Provides: ftpd -# Required-Start: $syslog network-remotefs -# Required-Stop: $syslog network-remotefs +# Required-Start: $local_fs $remote_fs $syslog network-remotefs +# Required-Stop: $local_fs $remote_fs $syslog network-remotefs # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Description: very secure ftp daemon ++++++ vsftpd.service ++++++ [Unit] Description=Vsftpd ftp daemon After=network.target [Service] Type=forking ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf [Install] WantedBy=multi-user.target -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
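Review bot: The 15 Feb entry in the first vsftpd.changes hunk justifies returning to the original tarball so that gpg --verify works, but the "New:" file list adds only vsftpd-2.3.5-conf.patch, vsftpd-2.3.5.tar.gz and vsftpd.service, with no detached signature. Ship the upstream signature file next to the tarball and list it as a Source in vsftpd.spec, so the verification the entry refers to can be repeated from the package sources alone.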
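Review bot: In the @@ -486,3 +533,3 @@ hunk of vsftpd.changes the three list bullets are rewritten to "ˇ", which is a caron and not a bullet character, so the conversion of the file to unicode appears to have assumed the wrong source encoding for these lines. Re-convert them from the correct encoding, or replace the bullets with the plain "*" that the new 2.3.5 entry already uses.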
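Review bot: In the scriptlet hunk of vsftpd.spec (@@ -94,25 +98,43 @@) the SysV macros %stop_on_removal, %fillup_and_insserv, %insserv_cleanup and %restart_on_update stay outside the new %if blocks, so on suse_version > 1140 they run in addition to the %service_* macros and the package ships both /etc/init.d/%name and %{_unitdir}/%{name}.service. If running both is intended, add a comment saying so; otherwise move the SysV calls into an %else branch. The new install line also uses %{buildroot} where the rest of the section uses $RPM_BUILD_ROOT; pick one.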
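Review bot: In the %files hunk of vsftpd.spec (@@ -124,9 +146,9 @@) the firewall service file is marked plain %config, while the logrotate file two lines above it is %config(noreplace). With plain %config a locally edited file is replaced on update, so use %config(noreplace) here as well if administrators are expected to adjust the ports. The changelog entry also names the path as /etc/sysconfig/SuSEfirewall2/services/vsftpd, whereas the spec installs into SuSEfirewall2.d/services/.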
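Review bot: In the first vsftpd.conf hunk (@@ -4,23 +4,89 @@) local_enable=YES becomes active, which contradicts the header comment added in the same hunk ("If you do not change anything here you will have a minimum setup for an anonymus FTP server") and, with ssl_enable=NO set at the end of the file, means local account passwords are accepted over an unencrypted control connection by default. Keep it as #local_enable=YES so that local logins are an explicit choice. The comment "Uncomment this to enable any form of FTP write command." now sits above an active write_enable=NO line and should be reworded, and "anonymus" is misspelled throughout the added comments.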
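Review bot: In the log settings hunk of vsftpd.conf (@@ -46,24 +106,51 @@) transfer logging goes from the active xferlog_enable=YES, removed in the preceding hunk, to a commented-out #xferlog_enable=YES, and the changelog does not mention the change. Upload and download records are what an operator needs when reviewing activity on an anonymous server, so keep xferlog_enable=YES active alongside syslog_enable=YES, or document why it is dropped. The comment "You may override where the log file goes if you like" now appears twice, once for vsftpd_log_file and once for xferlog_file, and should say which log each one refers to; "an logfile" and "booth" are typos.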
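Review bot: In the last vsftpd.conf hunk (@@ -77,41 +164,29 @@) ascii_upload_enable=YES is activated directly below the comment "ASCII mangling is a horrible feature of the protocol", and the changelog gives no reason for it; leave it commented out as before. The same hunk deletes the warning that a chroot user must not have write access to the top level directory, although the 2.3.5 changelog entry says upstream now refuses exactly that setup, so the warning should stay next to #chroot_local_user=YES. It also swaps listen=YES for listen_ipv6=YES while the retained comment says two copies of vsftpd are needed to serve both IPv4 and IPv6, so either the comment or the default needs adjusting.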
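Review bot: The new vsftpd.service orders the daemon only with After=network.target, while the vsftpd.init hunk in the same commit adds $local_fs and $remote_fs to Required-Start and Required-Stop. Carry the same ordering into the unit, for example After=network.target remote-fs.target, so that an FTP root on a remote filesystem is mounted before the daemon starts under systemd as it is under SysV init.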
