No longer an issue with testssl.sh version 3.0.8 and vsftpd version
3.0.3-13+b2
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1591552
Title:
vsftpd vulnerable to heartbleed (according to testssl)
This should have been automatically set to expired. I am re-setting the
"incomplete" status here since we did not get a reproducer for this.
It will then eventually be set as expired if we get no reproducer in a
while.
--
Time to close this one?
--
Hmm I'm still not getting a reproducer [1]. Are you sure you have
restarted your ftp server since you have updated openssl? I am sure you
have, but that is the only thing I can think of.
I took your config and just changed the certificates to use mine.
[1] https://paste.ubuntu.com/23865421/
--
> Any chance I could see your vsftpd.conf file
Sure, here it is:
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in
Thanks for the response. Any chance I could see your vsftpd.conf file
and know what versions of openssl and libssl1.0.0 are installed? I ask
because I was unable to reproduce.
I've pasted the results of my testssl.sh [1] and vsftpd.conf [2], and
the versions of vsftpd, openssl, and libssl1.0.0
I just re-downloaded the current version of testssl.sh (dated December
20th 2016), and tried again, and vsftpd is still shown to be vulnerable
to Heartbleed.
--
There appears to be a bug report around a false positive with testssl.sh
[1] and fix [2] specific to vsftpd. This was reported after this bug
report, so I am wondering if you could retest. For now I am marking this
as 'incomplete', if you get newer results please mark this as 'new'.
I would also
** Information type changed from Public to Public Security