Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package vsftpd for openSUSE:Factory checked in at 2021-07-09 23:56:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vsftpd (Old) and /work/SRC/openSUSE:Factory/.vsftpd.new.2625 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vsftpd" Fri Jul 9 23:56:38 2021 rev:75 rq:904379 version:3.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/vsftpd/vsftpd.changes 2021-01-19 16:00:26.679221281 +0100 +++ /work/SRC/openSUSE:Factory/.vsftpd.new.2625/vsftpd.changes 2021-07-09 23:56:49.525697454 +0200 @@ -1,0 +2,15 @@ +Tue Jun 15 07:49:13 AM UTC 2021 - Peter Simons <[email protected]> + +- Update to version 3.0.4. + * Fix runtime SIGSYS crashes (seccomp sandbox policy tweaks). + * Reject HTTP verbs pre-login. + * Disable TLS prior to v1.2 by default. + * Close the control connection after 10 unknown commands pre-login. + * Reject any TLS ALPN advertisement that's not 'ftp'. + * Add ssl_sni_hostname option to require a match on incoming SNI hostname. + +- Upstream has a new GPG key (7B89011BCAE1CFEA). + +- "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" is now obsolete. + +------------------------------------------------------------------- Old: ---- 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch vsftpd-3.0.3.tar.gz vsftpd-3.0.3.tar.gz.asc New: ---- vsftpd-3.0.4.tar.gz vsftpd-3.0.4.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vsftpd.spec ++++++ --- /var/tmp/diff_new_pack.ZstmqG/_old 2021-07-09 23:56:51.025685789 +0200 +++ /var/tmp/diff_new_pack.ZstmqG/_new 2021-07-09 23:56:51.029685758 +0200 @@ -1,7 +1,7 @@ # # spec file for package vsftpd # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,7 @@ %define use_firewalld 0 %endif Name: vsftpd -Version: 3.0.3 +Version: 3.0.4 Release: 0 Summary: Very Secure FTP Daemon - Written from Scratch License: SUSE-GPL-2.0-with-openssl-exception 
@@ -85,7 +85,6 @@ Patch31: vsftpd-enable-syscalls-needed-by-sle15.patch Patch32: vsftpd-support-dsa-only-setups.patch Patch33: vsftpd-avoid-bogus-ssl-write.patch -Patch34: 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch # PATCH-FIX-UPSTREAM https://bugzilla.suse.com/show_bug.cgi?id=1179553 Patch36: seccomp-fixes.patch @@ -123,7 +122,7 @@ %prep %setup -q -%patch1 +%patch1 -p1 %patch3 -p1 %patch4 %patch5 @@ -154,7 +153,6 @@ %patch31 -p1 %patch32 -p1 %patch33 -p1 -%patch34 -p1 %patch35 -p1 %patch36 -p1 ++++++ seccomp-fixes.patch ++++++ --- /var/tmp/diff_new_pack.ZstmqG/_old 2021-07-09 23:56:51.057685540 +0200 +++ /var/tmp/diff_new_pack.ZstmqG/_new 2021-07-09 23:56:51.057685540 +0200 @@ -1,7 +1,7 @@ -Index: vsftpd-3.0.3/seccompsandbox.c +Index: vsftpd-3.0.4/seccompsandbox.c =================================================================== ---- vsftpd-3.0.3.orig/seccompsandbox.c -+++ vsftpd-3.0.3/seccompsandbox.c +--- vsftpd-3.0.4.orig/seccompsandbox.c 2021-06-15 08:06:29.165512830 +0000 ++++ vsftpd-3.0.4/seccompsandbox.c 2021-06-15 08:06:42.778484808 +0000 @@ -18,6 +18,7 @@ #include "utility.h" @@ -10,7 +10,7 @@ #include <netinet/in.h> #include <netinet/tcp.h> -@@ -60,6 +61,7 @@ +@@ -63,6 +64,7 @@ #define kMaxSyscalls 100 @@ -18,7 +18,7 @@ #ifdef DEBUG_SIGSYS #include <signal.h> -@@ -68,7 +70,10 @@ +@@ -71,7 +73,10 @@ void handle_sigsys(int sig) { 
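Review bot: Dropping Patch34 may silently rename user-visible config options: the upstream parseconf.c that replaces it registers `ssl_tlsv11` and `ssl_tlsv12`, while the still-applied Patch35 is named after `ssl_tlsv1_1`, which suggests the SUSE patch used the underscore spelling, so an existing /etc/vsftpd.conf written against the 3.0.3 package may no longer parse after this update; I can only infer the old names from the patch filename. Worth confirming what Patch34 actually called the options and, if they differ, either registering the old spelling as an alias or calling out the rename in vsftpd.changes next to the "obsolete" line. Patch35 is also kept on top of 3.0.4 and should be re-checked against the upstream tunables it now refers to, since the symbols it was written for came from the removed patch.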
@@ -30,15 +30,7 @@ } #endif -@@ -443,6 +448,7 @@ seccomp_sandbox_setup_postlogin(const st - allow_nr(__NR_getcwd); - allow_nr(__NR_chdir); - allow_nr(__NR_getdents); -+ allow_nr(__NR_getdents64); - /* Misc */ - allow_nr(__NR_umask); - -@@ -579,8 +585,8 @@ seccomp_sandbox_lockdown() +@@ -586,8 +591,8 @@ seccomp_sandbox_lockdown() p_filter->code = BPF_LD+BPF_W+BPF_ABS; p_filter->jt = 0; p_filter->jf = 0; ++++++ vsftpd-2.0.4-lib64.diff ++++++ --- /var/tmp/diff_new_pack.ZstmqG/_old 2021-07-09 23:56:51.069685447 +0200 +++ /var/tmp/diff_new_pack.ZstmqG/_new 2021-07-09 23:56:51.069685447 +0200 @@ -1,7 +1,7 @@ -Index: vsf_findlibs.sh +Index: vsftpd-3.0.4/vsf_findlibs.sh =================================================================== ---- vsf_findlibs.sh.orig -+++ vsf_findlibs.sh +--- vsftpd-3.0.4.orig/vsf_findlibs.sh 2021-05-18 07:14:35.000000000 +0000 ++++ vsftpd-3.0.4/vsf_findlibs.sh 2021-06-29 09:24:32.833223756 +0000 @@ -14,6 +14,7 @@ fi # crypt library. if find_func pam_start sysdeputil.o; then 
@@ -18,11 +18,11 @@ locate_library /usr/lib/libcrypt.so && echo "-lcrypt"; locate_library /usr/lib64/libcrypt.so && echo "-lcrypt"; locate_library /lib/x86_64-linux-gnu/libcrypt.so && echo "-lcrypt"; -@@ -54,6 +56,7 @@ elif locate_library /lib/libcap.so.2; th - echo "/lib/libcap.so.2"; - else - locate_library /usr/lib/libcap.so && echo "-lcap"; -+ locate_library /usr/lib64/libcap.so && echo "-lcap"; - locate_library /lib/libcap.so && echo "-lcap"; - locate_library /lib64/libcap.so && echo "-lcap"; - fi +@@ -52,6 +54,7 @@ locate_library /usr/lib/libsec.sl && ech + # /usr/bin/ld: cannot find -lcap + # If the libcap-devel package isn't installed. + locate_library /usr/lib/libcap.so && echo "-lcap"; ++locate_library /usr/lib64/libcap.so && echo "-lcap"; + locate_library /lib/libcap.so && echo "-lcap"; + locate_library /lib64/libcap.so && echo "-lcap"; + ++++++ vsftpd-3.0.3-build-with-openssl-1.1.patch ++++++ --- /var/tmp/diff_new_pack.ZstmqG/_old 2021-07-09 23:56:51.101685199 +0200 +++ /var/tmp/diff_new_pack.ZstmqG/_new 2021-07-09 23:56:51.105685167 +0200 
@@ -1,13 +1,13 @@ -Index: vsftpd-3.0.3/vsf_findlibs.sh +Index: vsftpd-3.0.4/vsf_findlibs.sh =================================================================== ---- vsftpd-3.0.3.orig/vsf_findlibs.sh -+++ vsftpd-3.0.3/vsf_findlibs.sh -@@ -72,7 +72,7 @@ locate_library /usr/shlib/librt.so && ec +--- vsftpd-3.0.4.orig/vsf_findlibs.sh 2021-06-15 07:58:45.004475824 +0000 ++++ vsftpd-3.0.4/vsf_findlibs.sh 2021-06-15 07:59:59.039320940 +0000 +@@ -69,7 +69,7 @@ locate_library /usr/shlib/librt.so && ec locate_library /usr/lib/libsendfile.so && echo "-lsendfile"; # OpenSSL -if find_func SSL_library_init ssl.o; then +if find_func SSL_CTX_new ssl.o; then echo "-lssl -lcrypto"; - fi - + elif find_func SSL_new ssl.o; then + echo "-lssl -lcrypto"; ++++++ vsftpd-3.0.3.tar.gz -> vsftpd-3.0.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/Changelog new/vsftpd-3.0.4/Changelog --- old/vsftpd-3.0.3/Changelog 2015-07-23 08:01:55.000000000 +0200 +++ new/vsftpd-3.0.4/Changelog 2021-05-30 00:50:36.000000000 +0200 @@ -1375,3 +1375,15 @@ At this point: v3.0.3 released! =============================== + +- Fix build on Fedora 33 (one warning, one incorrect libcap used). +- Fix SSL build (terrible grep for symbol in vsf_findlibs.sh)! +- Fix runtime SIGSYS crashes on Fedora 33 (seccomp sandbox policy tweaks). +- Reject HTTP verbs pre-login. +- Disable TLS prior to v1.2 by default. +- Close the control connection after 10 unknown commands pre-login. +- Reject any TLS ALPN advertisement that's not 'ftp'. +- Add ssl_sni_hostname option to require a match on incoming SNI hostname. + +At this point: v3.0.4 released! +=============================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/README new/vsftpd-3.0.4/README --- old/vsftpd-3.0.3/README 2015-07-21 00:06:54.000000000 +0200 +++ new/vsftpd-3.0.4/README 2021-05-18 08:48:40.000000000 +0200 
@@ -1,4 +1,4 @@ -This is vsftpd, version 3.0.3 +This is vsftpd, version 3.0.4 Author: Chris Evans Contact: [email protected] Website: http://vsftpd.beasts.org/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/main.c new/vsftpd-3.0.4/main.c --- old/vsftpd-3.0.3/main.c 2012-09-16 06:27:13.000000000 +0200 +++ new/vsftpd-3.0.4/main.c 2021-05-20 11:37:27.000000000 +0200 @@ -38,7 +38,7 @@ struct vsf_session the_session = { /* Control connection */ - 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, /* Data connection */ -1, 0, -1, 0, 0, 0, 0, /* Login */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/parseconf.c new/vsftpd-3.0.4/parseconf.c --- old/vsftpd-3.0.3/parseconf.c 2012-09-16 09:15:07.000000000 +0200 +++ new/vsftpd-3.0.4/parseconf.c 2021-05-29 23:39:19.000000000 +0200 @@ -85,6 +85,9 @@ { "ssl_sslv2", &tunable_sslv2 }, { "ssl_sslv3", &tunable_sslv3 }, { "ssl_tlsv1", &tunable_tlsv1 }, + { "ssl_tlsv11", &tunable_tlsv1_1 }, + { "ssl_tlsv12", &tunable_tlsv1_2 }, + { "ssl_tlsv13", &tunable_tlsv1_3 }, { "tilde_user_enable", &tunable_tilde_user_enable }, { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, @@ -178,6 +181,7 @@ { "rsa_private_key_file", &tunable_rsa_private_key_file }, { "dsa_private_key_file", &tunable_dsa_private_key_file }, { "ca_certs_file", &tunable_ca_certs_file }, + { "ssl_sni_hostname", &tunable_ssl_sni_hostname }, { "cmds_denied", &tunable_cmds_denied }, { 0, 0 } }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/prelogin.c new/vsftpd-3.0.4/prelogin.c --- old/vsftpd-3.0.3/prelogin.c 2012-04-03 07:22:11.000000000 +0200 +++ new/vsftpd-3.0.4/prelogin.c 2021-05-20 11:40:20.000000000 +0200 
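Review bot: The option names added to the parseconf table, `ssl_tlsv11`, `ssl_tlsv12` and `ssl_tlsv13`, do not match the names the same release documents in vsftpd.conf.5, which are `ssl_tlsv1_1`, `ssl_tlsv1_2` and `ssl_tlsv1_3`, so an administrator following the man page will write a key the parser does not know. vsftpd, as far as I recall, refuses to start on an unrecognised directive, which would turn this documentation mismatch into an outage precisely when someone is tightening TLS versions. Either change the entries to the documented spelling, e.g. `{ "ssl_tlsv1_1", &tunable_tlsv1_1 },`, or register both spellings so documented and upstream-style configs both keep working; either way the man page and the table must agree before this ships.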
@@ -164,8 +164,21 @@ { /* Deliberately ignore to avoid NAT device bugs, as per ProFTPd. */ } + else if (str_equal_text(&p_sess->ftp_cmd_str, "GET") || + str_equal_text(&p_sess->ftp_cmd_str, "POST") || + str_equal_text(&p_sess->ftp_cmd_str, "HEAD") || + str_equal_text(&p_sess->ftp_cmd_str, "OPTIONS") || + str_equal_text(&p_sess->ftp_cmd_str, "CONNECT")) + { + vsf_cmdio_write_exit(p_sess, FTP_BADCMD, + "HTTP protocol commands not allowed.", 1); + } else { + p_sess->prelogin_errors++; + if (p_sess->prelogin_errors > 10) { + vsf_cmdio_write_exit(p_sess, FTP_BADCMD, "Too many errors.", 1); + } vsf_cmdio_write(p_sess, FTP_LOGINERR, "Please login with USER and PASS."); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/seccompsandbox.c new/vsftpd-3.0.4/seccompsandbox.c --- old/vsftpd-3.0.3/seccompsandbox.c 2015-07-22 21:47:35.000000000 +0200 +++ new/vsftpd-3.0.4/seccompsandbox.c 2021-05-20 07:43:18.000000000 +0200 @@ -45,6 +45,9 @@ #ifndef __NR_openat #define __NR_openat 257 #endif +#ifndef __NR_getrandom + #define __NR_getrandom 318 +#endif #ifndef O_LARGEFILE #define O_LARGEFILE 00100000 @@ -350,6 +353,8 @@ /* For file locking. */ allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW); allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK); + /* Newer kernel / glibc hit this. */ + allow_nr(__NR_getrandom); } if (tunable_ssl_enable) { @@ -409,8 +414,10 @@ allow_nr(__NR_getcwd); allow_nr(__NR_chdir); allow_nr(__NR_getdents); + allow_nr(__NR_getdents64); /* Misc */ allow_nr(__NR_umask); + reject_nr(__NR_sysinfo, EPERM); /* Config-dependent items follow. */ if (tunable_use_sendfile) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/session.h new/vsftpd-3.0.4/session.h --- old/vsftpd-3.0.3/session.h 2012-04-05 03:27:19.000000000 +0200 +++ new/vsftpd-3.0.4/session.h 2021-05-20 11:39:12.000000000 +0200 
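Review bot: The HTTP verb filter covers GET, POST, HEAD, OPTIONS and CONNECT but not PUT, DELETE, PATCH or TRACE, which a browser can also emit through fetch/XHR, so the cross-protocol guard this branch is meant to be is incomplete; those verbs fall through to the generic branch and are tolerated up to the ten-error limit like any typo. Extending the chain with `str_equal_text(&p_sess->ftp_cmd_str, "PUT") ||` and the other three closes that gap at no cost. Whether the match is case-insensitive depends on the command being upper-cased before this point, which is outside the hunk and worth confirming. The new `if (p_sess->prelogin_errors > 10) {` also puts the brace on the same line, unlike the Allman braces used everywhere else in this function, whose start and end lie outside the hunk.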
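Review bot: The fallback `#define __NR_getrandom 318` is the x86-64 syscall number; if this file is ever compiled for an architecture whose headers lack the macro, the filter would allow whatever syscall 318 is there rather than getrandom, which quietly widens the sandbox instead of failing the build. The existing `__NR_openat 257` fallback has the same shape, but this one is new in this release and is the one to get right. Either guard it, `#if defined(__x86_64__)`, or replace the numeric fallback with `#error __NR_getrandom unknown for this architecture` so a port has to supply the real value. The allow_nr/reject_nr calls in the later hunks sit inside functions that start and end outside the hunk.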
@@ -23,6 +23,7 @@ char* p_control_line_buf; int idle_timeout; int data_timeout; + int prelogin_errors; /* Details of the data connection */ int pasv_listen_fd; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/ssl.c new/vsftpd-3.0.4/ssl.c --- old/vsftpd-3.0.3/ssl.c 2015-07-23 06:14:04.000000000 +0200 +++ new/vsftpd-3.0.4/ssl.c 2021-05-30 00:42:56.000000000 +0200 @@ -38,6 +38,13 @@ static long bio_callback( BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); +static int ssl_alpn_callback(SSL* p_ssl, + const unsigned char** p_out, + unsigned char* outlen, + const unsigned char* p_in, + unsigned int inlen, + void* p_arg); +static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg); static int ssl_cert_digest( SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); static void maybe_log_shutdown_state(struct vsf_session* p_sess); @@ -78,6 +85,18 @@ { options |= SSL_OP_NO_TLSv1; } + if (!tunable_tlsv1_1) + { + options |= SSL_OP_NO_TLSv1_1; + } + if (!tunable_tlsv1_2) + { + options |= SSL_OP_NO_TLSv1_2; + } + if (!tunable_tlsv1_3) + { + options |= SSL_OP_NO_TLSv1_3; + } SSL_CTX_set_options(p_ctx, options); if (tunable_rsa_cert_file) { @@ -165,6 +184,12 @@ /* Ensure cached session doesn't expire */ SSL_CTX_set_timeout(p_ctx, INT_MAX); } + /* Set up ALPN to check for FTP protocol intention of client. */ + SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); + /* Set up SNI callback for an optional hostname check. */ + SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback); + SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess); + p_sess->p_ssl_ctx = p_ctx; ssl_inited = 1; } 
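Review bot: `SSL_OP_NO_TLSv1_3` is referenced unconditionally in the new options block, but that macro only exists in OpenSSL 1.1.1 and later, so ssl.c no longer compiles against 1.1.0 or 1.0.x even though the package still carries a separate OpenSSL 1.1 build patch and 3.0.3 linked against older releases; if every SUSE target ships 1.1.1 this is moot, otherwise it needs a guard. The minimal form is `#ifdef SSL_OP_NO_TLSv1_3` around `if (!tunable_tlsv1_3) { options |= SSL_OP_NO_TLSv1_3; }` with a matching `#endif`, which also documents the minimum OpenSSL the TLS 1.3 toggle needs. The enclosing initialisation function starts outside the hunk.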
@@ -702,6 +727,125 @@ return 1; } +static int +ssl_alpn_callback(SSL* p_ssl, + const unsigned char** p_out, + unsigned char* outlen, + const unsigned char* p_in, + unsigned int inlen, + void* p_arg) { + unsigned int i; + struct vsf_session* p_sess = (struct vsf_session*) p_arg; + int is_ok = 0; + + (void) p_ssl; + + /* Select everything but return an error if we don't like it. */ + *p_out = p_in; + *outlen = inlen; + + if (inlen == 4) { + if (p_in[0] == 3 && p_in[1] == 'f' && p_in[2] == 't' && p_in[3] == 'p') + { + is_ok = 1; + } + } + + if (!is_ok) + { + str_alloc_text(&debug_str, "ALPN rejection"); + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); + } + if (!is_ok || tunable_debug_ssl) + { + str_alloc_text(&debug_str, "ALPN data: "); + for (i = 0; i < inlen; ++i) { + str_append_char(&debug_str, p_in[i]); + } + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); + } + + if (is_ok) + { + return SSL_TLSEXT_ERR_OK; + } + else + { + return SSL_TLSEXT_ERR_ALERT_FATAL; + } +} + +static long +ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg) +{ + static struct mystr s_sni_expected_hostname; + static struct mystr s_sni_received_hostname; + + int servername_type; + const char* p_sni_servername; + struct vsf_session* p_sess = (struct vsf_session*) p_arg; + int is_ok = 0; + + (void) p_ssl; + (void) p_arg; + + if (tunable_ssl_sni_hostname) + { + str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname); + } + + /* The OpenSSL documentation says it is pre-initialized like this, but set + * it just in case. + */ + *p_al = SSL_AD_UNRECOGNIZED_NAME; + + servername_type = SSL_get_servername_type(p_ssl); + p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name); + if (p_sni_servername != NULL) { + str_alloc_text(&s_sni_received_hostname, p_sni_servername); + } + + if (str_isempty(&s_sni_expected_hostname)) + { + is_ok = 1; + } + else if (servername_type != TLSEXT_NAMETYPE_host_name) + { + /* Fail. 
*/ + str_alloc_text(&debug_str, "SNI bad type: "); + str_append_ulong(&debug_str, servername_type); + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); + } + else + { + if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname)) + { + is_ok = 1; + } + else + { + str_alloc_text(&debug_str, "SNI rejection"); + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); + } + } + + if (!is_ok || tunable_debug_ssl) + { + str_alloc_text(&debug_str, "SNI hostname: "); + str_append_str(&debug_str, &s_sni_received_hostname); + vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); + } + + if (is_ok) + { + return SSL_TLSEXT_ERR_OK; + } + else + { + return SSL_TLSEXT_ERR_ALERT_FATAL; + } +} + void ssl_add_entropy(struct vsf_session* p_sess) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/sysstr.c new/vsftpd-3.0.4/sysstr.c --- old/vsftpd-3.0.3/sysstr.c 2011-12-14 11:26:39.000000000 +0100 +++ new/vsftpd-3.0.4/sysstr.c 2021-05-18 08:50:28.000000000 +0200 @@ -74,7 +74,7 @@ int str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode) { - enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown; + enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown; switch (mode) { case kVSFSysStrOpenReadOnly: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/sysutil.h new/vsftpd-3.0.4/sysutil.h --- old/vsftpd-3.0.3/sysutil.h 2012-09-16 08:13:13.000000000 +0200 +++ new/vsftpd-3.0.4/sysutil.h 2021-05-18 08:50:21.000000000 +0200 
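Review bot: In ssl_alpn_callback the accepted selection is `*p_out = p_in; *outlen = inlen;`, which hands OpenSSL the client's wire-format list including its leading length byte, so the server answers with the four bytes `\x03ftp` instead of the three-byte protocol `ftp`; as I read the OpenSSL client code, a peer that checks the server's choice against what it offered will then abort the handshake, which would make ALPN-aware clients unable to connect at all. Point at the validated name instead: `*p_out = p_in + 1; *outlen = 3;`. In ssl_sni_callback the hostname comparison uses `str_strcmp`, which is case-sensitive, while SNI carries a DNS name that should match case-insensitively, and when the client sends no SNI the static `s_sni_received_hostname` is never cleared, so the "SNI hostname:" line can log the value from an earlier handshake in the same process. Both callbacks also append attacker-controlled pre-auth bytes to the log (ALPN entries are copied raw with str_append_char), so the log path should strip unprintable characters before they land in the file; I cannot see from here whether vsf_log_line already does that.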
@@ -75,7 +75,8 @@ /* File create/open/close etc. */ enum EVSFSysUtilOpenMode { - kVSFSysUtilOpenReadOnly = 1, + kVSFSysUtilOpenUnknown = 0, + kVSFSysUtilOpenReadOnly, kVSFSysUtilOpenWriteOnly, kVSFSysUtilOpenReadWrite }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/tunables.c new/vsftpd-3.0.4/tunables.c --- old/vsftpd-3.0.3/tunables.c 2015-07-23 06:13:07.000000000 +0200 +++ new/vsftpd-3.0.4/tunables.c 2021-05-29 23:39:00.000000000 +0200 @@ -66,6 +66,9 @@ int tunable_sslv2; int tunable_sslv3; int tunable_tlsv1; +int tunable_tlsv1_1; +int tunable_tlsv1_2; +int tunable_tlsv1_3; int tunable_tilde_user_enable; int tunable_force_anon_logins_ssl; int tunable_force_anon_data_ssl; @@ -142,6 +145,7 @@ const char* tunable_rsa_private_key_file; const char* tunable_dsa_private_key_file; const char* tunable_ca_certs_file; +const char* tunable_ssl_sni_hostname; static void install_str_setting(const char* p_value, const char** p_storage); @@ -205,7 +209,10 @@ tunable_force_local_data_ssl = 1; tunable_sslv2 = 0; tunable_sslv3 = 0; - tunable_tlsv1 = 1; + tunable_tlsv1 = 0; + tunable_tlsv1_1 = 0; + tunable_tlsv1_2 = 1; + tunable_tlsv1_3 = 1; tunable_tilde_user_enable = 0; tunable_force_anon_logins_ssl = 0; tunable_force_anon_data_ssl = 0; @@ -288,6 +295,7 @@ install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_dsa_private_key_file); install_str_setting(0, &tunable_ca_certs_file); + install_str_setting(0, &tunable_ssl_sni_hostname); } void diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/tunables.h new/vsftpd-3.0.4/tunables.h --- old/vsftpd-3.0.3/tunables.h 2012-03-28 05:10:39.000000000 +0200 +++ new/vsftpd-3.0.4/tunables.h 2021-05-29 23:38:42.000000000 +0200 
@@ -66,7 +66,10 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */ extern int tunable_sslv2; /* Allow SSLv2 */ extern int tunable_sslv3; /* Allow SSLv3 */ -extern int tunable_tlsv1; /* Allow TLSv1 */ +extern int tunable_tlsv1; /* Allow TLSv1.0 */ +extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ +extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ +extern int tunable_tlsv1_3; /* Allow TLSv1.3 */ extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ @@ -144,6 +147,7 @@ extern const char* tunable_rsa_private_key_file; extern const char* tunable_dsa_private_key_file; extern const char* tunable_ca_certs_file; +extern const char* tunable_ssl_sni_hostname; extern const char* tunable_cmds_denied; #endif /* VSF_TUNABLES_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/vsf_findlibs.sh new/vsftpd-3.0.4/vsf_findlibs.sh --- old/vsftpd-3.0.3/vsf_findlibs.sh 2012-03-28 04:17:41.000000000 +0200 +++ new/vsftpd-3.0.4/vsf_findlibs.sh 2021-05-18 09:14:35.000000000 +0200 @@ -48,15 +48,12 @@ locate_library /usr/lib/libsec.sl && echo "-lsec"; # Look for libcap (capabilities) -if locate_library /lib/libcap.so.1; then - echo "/lib/libcap.so.1"; -elif locate_library /lib/libcap.so.2; then - echo "/lib/libcap.so.2"; -else - locate_library /usr/lib/libcap.so && echo "-lcap"; - locate_library /lib/libcap.so && echo "-lcap"; - locate_library /lib64/libcap.so && echo "-lcap"; -fi +# Note that link may fail with: +# /usr/bin/ld: cannot find -lcap +# If the libcap-devel package isn't installed. +locate_library /usr/lib/libcap.so && echo "-lcap"; +locate_library /lib/libcap.so && echo "-lcap"; +locate_library /lib64/libcap.so && echo "-lcap"; # Solaris needs this for nanosleep().. locate_library /lib/libposix4.so && echo "-lposix4"; 
@@ -71,6 +68,8 @@ # OpenSSL if find_func SSL_library_init ssl.o; then echo "-lssl -lcrypto"; +elif find_func SSL_new ssl.o; then + echo "-lssl -lcrypto"; fi exit 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/vsftpd.conf.5 new/vsftpd-3.0.4/vsftpd.conf.5 --- old/vsftpd-3.0.3/vsftpd.conf.5 2009-10-19 04:46:30.000000000 +0200 +++ new/vsftpd-3.0.4/vsftpd.conf.5 2021-05-30 00:46:13.000000000 +0200 @@ -479,7 +479,7 @@ Only applies if .BR ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. -TLS v1 connections are preferred. +TLS v1.2+ connections are preferred. Default: NO .TP @@ -487,15 +487,39 @@ Only applies if .BR ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. -TLS v1 connections are preferred. +TLS v1.2+ connections are preferred. Default: NO .TP .B ssl_tlsv1 Only applies if .BR ssl_enable -is activated. If enabled, this option will permit TLS v1 protocol connections. -TLS v1 connections are preferred. +is activated. If enabled, this option will permit TLS v1.0 protocol connections. +TLS v1.2+ connections are preferred. + +Default: NO +.TP +.B ssl_tlsv1_1 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.1 protocol connections. +TLS v1.2+ connections are preferred. + +Default: NO +.TP +.B ssl_tlsv1_2 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.2 protocol connections. +TLS v1.2+ connections are preferred. + +Default: YES +.TP +.B ssl_tlsv1_3 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.3 protocol connections. +TLS v1.2+ connections are preferred. Default: YES .TP 
@@ -981,6 +1005,12 @@ Default: DES-CBC3-SHA .TP +.B ssl_sni_hostname +If set, SSL connections will be rejected unless the SNI hostname in the +incoming handshakes matches this value. + +Default: (none) +.TP .B user_config_dir This powerful option allows the override of any config option specified in the manual page, on a per-user basis. Usage is simple, and is best illustrated diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vsftpd-3.0.3/vsftpver.h new/vsftpd-3.0.4/vsftpver.h --- old/vsftpd-3.0.3/vsftpver.h 2015-07-21 00:07:04.000000000 +0200 +++ new/vsftpd-3.0.4/vsftpver.h 2021-05-18 08:48:48.000000000 +0200 @@ -1,7 +1,7 @@ #ifndef VSF_VERSION_H #define VSF_VERSION_H -#define VSF_VERSION "3.0.3" +#define VSF_VERSION "3.0.4" #endif /* VSF_VERSION_H */ ++++++ vsftpd.keyring ++++++ --- /var/tmp/diff_new_pack.ZstmqG/_old 2021-07-09 23:56:51.265683923 +0200 +++ /var/tmp/diff_new_pack.ZstmqG/_new 2021-07-09 23:56:51.269683892 +0200 
@@ -1,28 +1,52 @@ -pub 1024D/3C0E751C 2004-06-29 -uid Chris Evans <[email protected]> -sub 1024g/0A9EB17D 2004-06-29 - -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.19 (GNU/Linux) -mQGiBEDh9hcRBACkPpPw2Pm4v6i+dQccbPAmiGyf6Hn7hHyKx25lJD7sK5vQ/L/w -7sKDLBF1JO76+9xN9UQb4emgmRW5T+tll4KD4uaTP1+bopg+RlRSD2S8MqAoYBE/ -kUu1je49FNV3VyNHLvi77XkjHd4C0+hoZhnBK/OMo3FXo9vEWrFokXwCtwCgsgxn -USwXet4jojSt+//E7W6AYV8D/jUMh02PbxHhbCHYQnITB9aiaMQtCoeAlbj3HAQA -+ZgNxApZ6hbhE0I27i4MrGte3O/9l5j3V0rXltpNY9E6tm8HT2UeLc1m7aMCXy+0 -IUrtQtuEx50jD3oaKbqix6UcBpDAZh+aeqTGansCHUHvlOuQQFO4vAPSr6aHPDmS -1Dc7A/9JImvSvwq5xbDQWpWMMvpQXkDgCqjkRnvqBHqoXXy7R8xEaYAqcRYVHCo4 -hmVYyRXsdY7iPxQkugbLBAPTHq2ajWsZGmrJymVZP7FGz+Rn/j/XoGYrbdJ86fgs -XnydJY+/uBaS/A+P/+xeHByr4fqG2T60LUVXtwQP2oP/xYN8kbQkQ2hyaXMgRXZh -bnMgPGNocmlzQHNjYXJ5LmJlYXN0cy5vcmc+iF4EExECAB4FAkDh9hcCGwMGCwkI -BwMCAxUCAwMWAgECHgECF4AACgkQqmLsRjwOdRwHOACgp9BubQZNeDf+cbTyuhfo -+qEedNsAoJIde2sM6Waxd4utyNEGG4pQ3sKeuQENBEDh9h0QBACTJBc/TYG3jVRL -4dI0R1M42DqyaTpm+qDgIgZ6YoXMzw9Z7NiHZaVVrnxYN98mCsNvvevaVT6Jy8Rr -FWMf4jx82ulH6NWZ9rKu3V9CXK9VXxt03VAWK2mGaKWlb7QKuiAuxSSrWTFO9neL -wWAixHsL0w9l19grtn1eKW9e61wIawADBgP/ab8QxketqpzecJhsIr/XM3k2oeKH -mj2BhegIaZzMAqrdvqGIj0cVGpun0tcoB2w4J1S8PyhM0/1PDaTKT+U83Ewljghw -Z+J5KUzG8T5xz9Qi3MyG4GnDqCSwZ9gKN8gt354tVd1qioX+ur5rovfVw+21iciW -IENPG81Z/P+DJzSISQQYEQIACQUCQOH2HQIbDAAKCRCqYuxGPA51HJUGAJ9ynmOj -Hu3p4DUdukkZfSuqyJaAXgCbBxgmdB7hOfSIGyou31PfdaIeFqU= -=BKUG +mQINBGCyyncBEADCkx7Uh4mO2Q590LFi7gCh+Ivm1MqsK+pBXmIiIMBPFLMKqmji +boJiJFu4QcB/ZJZOLVBKKwbQfN/7IeulNkrvMhnu+jJizz0hUDDLQjuoScx53+MW +zwIPhI7OAJ6kurlHo0b1wvNnJD5ENmwxrOTYL5bHxut/05a+uTaruPFQPNOMYMzs +rOvIZrzv0lcW/8ZL4tAFvlkogfiGNC9Vfxy4Px8lyVhhfiVzVY3+UNJMM69n6QAt +kUH07xpV+vn7I3lD4dZM96zFnrXuQhwJba3fbCY9vFN0NDRVdF3tYl2xwJhXMJtM +jtQ1Tw9ykRMPsLlaiow0/uW3mYrTYjDP12VxukCEg6a240mhT4jAVA4cSoOCdGBJ +AZCQk5SLbr/MwikggUyS9Fu3d10WKUSyQFS8NWQGHpaFSIIp3T/dGTe6fprhXzFo +vvLv26OCFNvn4vTHz4lMzZZJjYLNtlcriJoSPCCe8/fI9BmgARmFxiKgY5ENQOrY 
+cZUJJ3sHre52aqCETgz+w8j5o/cAU8iizlYxYsJK/Y+QXlVIzyV8oQGm/jvXhrhi +CgB4xx96cthfolv2Lj+Dz90d/MYKB3suX38Q1ZNhxCZjIcoE+dcn+uGHUqzm4sot +gN37P1Xfijn15L2cHoV1itasVlOc92HrEUEaBWpB6QXF6nEYkkgA2agnMwARAQAB +tCNDaHJpcyBFdmFucyA8c2NhcnliZWFzdHNAZ21haWwuY29tPokCVAQTAQgAPhYh +BGeiq09B+ZcsIfa/ZnuJARvK4c/qBQJgssp3AhsDBQkSzAMABQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAAAoJEHuJARvK4c/qW6QP/2dZFkqxQl7hGJizaGIMCHXV1R2G +0r1S3GyVSRZEUWuVvv2UMjxYx6DZhhoaTGRNi0gXVrTVL3FG8yBfLN2LQQCSXK4k +eee8FIXSp1LhwciAJKN+Z5nc0i7R6Qy6cIvc82DO6Y4FaMJZoO5lWbl1WjEYO/oN +NJAp7U3J+BWYKTzIB+Nh2vaapzj2XrNB6dh3ry2nj7yZmerPquYtXsuNRfi/c/Z0 +2t+TiSEFZW83/NZFGbDhhzWB19TMFM5oUpSBH6Yw02ASseaZBRBK0gLhfKGEnf2W +KgrwcGd41kMxia6UsrXiG3ZjDR+gF/sed93ZdLWpyYxN4DinirCt/+i1/L5RWCSg +Xus1SviMmnTfhB7WB+WfrIauLpPZOZhdLc3vSBdBmOZ6+p0qLQC2eK2rehM6kQzw +nd9vmCtws2l5HGsBngrBEIkXsPVSVZKEUB8xH57nbIzn7igsUgrTBdz8K61oMaAu +iEZzRJ35P81B3uJqZyqjkONm/1J9d081V2aiASJw/vfiAEkjpws488ZWkg9FFSFJ +VqvAUu6p/g152GP+vatqFT1sH8zxXLLrwGlcktZFNfTYSnscQ9NU/L761anjrgM4 +Oi7ks4jLq91vwvxW9E9TNyuMUJj85412xPIwx1o1+fKGwzi1d+01uQ73aPmp6Z4l +idE6tmV5wVSuMGSCuQINBGCyyncBEADIM7Z+1GxMvEtKRyWukfL5w8C4Bqid6M7N +yCCs8bT1lunc7/weiNCOFigZDfAaSoFQpVe22YZABeWD/wO0iY9x+wOwpnsGhmC9 +7H/c0+g4IT7fKkaNVMbvUGfo9dWrXD2gtFzZJruMnPbj0HeFqSHvkGbMM7dLyMlF +K295F901iFvvfw7jSQyVGVS97i7swXj9F/O13jedIbh+3TWdkKk/YqmMsETjkcOe +UvmY7P7pTKEpdimvY2I1B8PsBJkyjdZA8G+eiG1STa0+Vj4yVtMJodKJDJbY6+y7 +M9hajCdUTplLWTbxzPMo54KjTOzyLVT7mfugUlS7WQWrVWVtvScJsvaec95+p/Bx +UdJVwylVjQrxJxI8Bk2yrIgu7/rj+uYGV5+TNKjJWFkQw0YDJ1NkcvVjU7WIwNCl +X6s5s/tuX+yzUA+DBSHx0WuqtGWYaFgXeO/pWPidc8ovYFVIAr3QB76AeEL3ZJj3 +ttN5jk96zOlaVxOOlEC6zX5TJ7Z+aQHBPq8RN/G8o99sOdx5QuKqvhHe8673eIMY +CWPgNSSMJ/7I5IBLsIfIv2UWgLPPHS8s/HTwPacU0/L4pahh553uAhC4QP7BPkYw +p4KXGasR3v9YxuSa33IraJALC6eF2t3L0CLUMzsc0pgLCmGqzskbrP8p0daBjFCS +KofV+jOiQQARAQABiQI8BBgBCAAmFiEEZ6KrT0H5lywh9r9me4kBG8rhz+oFAmCy +yncCGwwFCRLMAwAACgkQe4kBG8rhz+qDNRAAsG3lta/eQ+yWTHCXxXYfw94jm/bx +XFUcvSOwjO+vB5tCt8Q0JmxoZ6PDD/bkcGSDz8FHjhxiIGYKPQiyu7jeZDAijBzu 
+MLf3yGuubM6SUoXB1olkTbs9DTSFdTPqbM8eYn14CVHk19w/in/Oe11BD0I7D4Qg +bkjIAkIKf01AxbcLFKOMihqhSEIEeqP70DIP8hT3arefk2wgEKG108SOzCPD1YQ7 +sEkYX2lRXjqBefHmIGLVllF3v+jUHYFIVz62i/OVMBHXF0D9Qn39cE5e94VdRZIf +0hdizes1w48o9DxVSs+5TTtuLfFtsY+22OqZZ1cxXrdNUBCB4XEllrDdu58Qr7No +fpDPDB4AVatWkpB288C/USl1UJgvhuvZs1AKChi9egfoMJczkZMvgQeiKagQkyeb +l/W7vT3wX4R2WvcM4n6rlPkvRNvO+jw9owSDWuF+6iB0DWEpv5hMjPEfTBv0sYTH +T/sOcV7vKV9Q6JsQwvfOagI9OAkXbxbjpbQgk/jlaaz/9+5wIy2vvW69Nh7ZfFNO +RU1GhwNbghLwbHF7rrGvpwlV9hwpaMYcplvkW9bMgjPGpwxecE1zDdhO8Zq9QXyb +dvDqRPNAqsWd/LwwqRpG36/YI4f5Pdv38W9/HoXlqj9+Uaa/TyDl9TIlBCYcnrzM +SEfMQy8pH/YWOBk= +=QcZC -----END PGP PUBLIC KEY BLOCK-----
