Hello community, here is the log from the commit of package vsftpd for openSUSE:Factory checked in at 2020-11-15 15:22:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vsftpd (Old) and /work/SRC/openSUSE:Factory/.vsftpd.new.24930 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vsftpd" Sun Nov 15 15:22:21 2020 rev:73 rq:848321 version:3.0.3 Changes: -------- --- /work/SRC/openSUSE:Factory/vsftpd/vsftpd.changes 2020-08-21 19:01:44.072269131 +0200 +++ /work/SRC/openSUSE:Factory/.vsftpd.new.24930/vsftpd.changes 2020-11-15 15:24:09.747308304 +0100 @@ -1,0 +2,8 @@ +Fri Nov 13 09:49:06 AM UTC 2020 - [email protected] + +- Apply "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" and + "0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch", + which add the "ssl_tlsv1_1" and "ssl_tlsv1_2" options to the + configuration file. Both options default to true. [SLE-4182] + +------------------------------------------------------------------- New: ---- 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vsftpd.spec ++++++ --- /var/tmp/diff_new_pack.AYqtF5/_old 2020-11-15 15:24:10.651309271 +0100 +++ /var/tmp/diff_new_pack.AYqtF5/_new 2020-11-15 15:24:10.655309276 +0100 @@ -85,6 +85,8 @@ Patch31: vsftpd-enable-syscalls-needed-by-sle15.patch Patch32: vsftpd-support-dsa-only-setups.patch Patch33: vsftpd-avoid-bogus-ssl-write.patch +Patch34: 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch +Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: pam-devel @@ -150,6 +152,8 @@ %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 +%patch35 -p1 %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP ++++++ 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch ++++++ From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka <[email protected]> Date: Thu, 17 Nov 2016 13:36:17 +0100 Subject: [PATCH] Introduce TLSv1.1 and TLSv1.2 options. Users can now enable a specific version of TLS protocol. --- parseconf.c | 2 ++ ssl.c | 8 ++++++++ tunables.c | 9 +++++++-- tunables.h | 2 ++ vsftpd.conf.5 | 24 ++++++++++++++++++++---- 5 files changed, 39 insertions(+), 6 deletions(-) Index: vsftpd-3.0.3/parseconf.c =================================================================== --- vsftpd-3.0.3.orig/parseconf.c 2020-11-13 09:52:41.369111000 +0000 +++ vsftpd-3.0.3/parseconf.c 2020-11-13 09:52:48.881045043 +0000 @@ -85,6 +85,8 @@ parseconf_bool_array[] = { "ssl_sslv2", &tunable_sslv2 }, { "ssl_sslv3", &tunable_sslv3 }, { "ssl_tlsv1", &tunable_tlsv1 }, + { "ssl_tlsv1_1", &tunable_tlsv1_1 }, + { "ssl_tlsv1_2", &tunable_tlsv1_2 }, { "tilde_user_enable", &tunable_tilde_user_enable }, { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, Index: vsftpd-3.0.3/ssl.c =================================================================== --- vsftpd-3.0.3.orig/ssl.c 2020-11-13 09:52:41.369111000 +0000 +++ vsftpd-3.0.3/ssl.c 2020-11-13 09:52:48.881045043 +0000 @@ -78,6 +78,14 @@ ssl_init(struct vsf_session* p_sess) { options |= SSL_OP_NO_TLSv1; } + if (!tunable_tlsv1_1) + { + options |= SSL_OP_NO_TLSv1_1; + } + if (!tunable_tlsv1_2) + { + options |= SSL_OP_NO_TLSv1_2; + } SSL_CTX_set_options(p_ctx, options); if (tunable_rsa_cert_file) { Index: vsftpd-3.0.3/tunables.c =================================================================== --- vsftpd-3.0.3.orig/tunables.c 2020-11-13 09:52:41.369111000 +0000 +++ vsftpd-3.0.3/tunables.c 2020-11-13 09:56:53.162888596 +0000 @@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; int tunable_sslv2; int tunable_sslv3; int tunable_tlsv1; +int tunable_tlsv1_1; +int tunable_tlsv1_2; int tunable_tilde_user_enable; int tunable_force_anon_logins_ssl; int tunable_force_anon_data_ssl; @@ -207,7 +209,10 @@ tunables_load_defaults() tunable_force_local_data_ssl = 1; tunable_sslv2 = 0; tunable_sslv3 = 0; + /* TLSv1 up to TLSv1.2 is enabled by default */ tunable_tlsv1 = 1; + tunable_tlsv1_1 = 1; + tunable_tlsv1_2 = 1; tunable_tilde_user_enable = 0; tunable_force_anon_logins_ssl = 0; tunable_force_anon_data_ssl = 0; @@ -288,7 +293,8 @@ tunables_load_defaults() install_str_setting("/usr/share/ssl/certs/vsftpd.pem", &tunable_rsa_cert_file); install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); + install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", + &tunable_ssl_ciphers); install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_dsa_private_key_file); install_str_setting(0, &tunable_ca_certs_file); Index: vsftpd-3.0.3/tunables.h =================================================================== --- vsftpd-3.0.3.orig/tunables.h 2020-11-13 09:52:41.369111000 +0000 +++ vsftpd-3.0.3/tunables.h 2020-11-13 09:52:48.881045043 +0000 @@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; extern int tunable_sslv2; /* Allow SSLv2 */ extern int tunable_sslv3; /* Allow SSLv3 */ extern int tunable_tlsv1; /* Allow TLSv1 */ +extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ +extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ Index: vsftpd-3.0.3/vsftpd.conf.5 =================================================================== --- vsftpd-3.0.3.orig/vsftpd.conf.5 2020-11-13 09:52:41.370110991 +0000 +++ vsftpd-3.0.3/vsftpd.conf.5 2020-11-13 09:52:48.881045043 +0000 @@ -486,7 +486,7 @@ Default: YES Only applies if .BR ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. Default: NO .TP @@ -494,7 +494,7 @@ Default: NO Only applies if .BR ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. Default: NO .TP @@ -502,7 +502,23 @@ Default: NO Only applies if .BR ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. + +Default: YES +.TP +.B ssl_tlsv1_1 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.1 protocol connections. +TLS v1.2 connections are preferred. + +Default: YES +.TP +.B ssl_tlsv1_2 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.2 protocol connections. +TLS v1.2 connections are preferred. Default: YES .TP @@ -1001,7 +1017,7 @@ man page for further details. Note that security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with. -Default: DES-CBC3-SHA +Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 .TP .B user_config_dir This powerful option allows the override of any config option specified in ++++++ 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch ++++++ From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <[email protected]> Date: Thu, 21 Dec 2017 14:29:25 +0100 Subject: [PATCH] When handling FEAT command, check ssl_tlsv1_1 and ssl_tlsv1_2 Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1 or ssl_tlsv1_2 configuration option is enabled. The patch was written by Martin Sehnoutka. Resolves: rhbz#1432054 --- features.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/features.c b/features.c index 1212980..d024366 100644 --- a/features.c +++ b/features.c @@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess) { vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); } - if (tunable_tlsv1) + if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) { vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); } -- 2.29.0 _______________________________________________ openSUSE Commits mailing list -- [email protected] To unsubscribe, email [email protected] List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/[email protected]
