Your message dated Sun, 21 Dec 2008 16:41:55 +0100
with message-id <[email protected]>
and subject line Re: Bug#509333: vsftpd discloses whether usernames are valid or not
has caused the Debian Bug report #509333,
regarding vsftpd discloses whether usernames are valid or not
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
509333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509333
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: vsftpd
Severity: grave
Tags: security
Justification: user security hole
The vsftpd daemon discloses whether usernames supplied by the client are
valid or not.
On connection to the server via a client, if an invalid username is
supplied, a 530 error is immediately returned, instead of a password
prompt being returned before failure.
Here is a sample session:

    ftp despina
    Connected to despina.markhobley.yi.org
    220 Welcome to vsftpd server daemon
    Name (despina:mark): shaggy
    530 Permission denied.      <--- We should prompt for password
    Login failed.                    before failing here.
By prompting for a password, the user would not know whether the
username or the password is invalid. Without the password prompt, the
user knows that the username is not valid, and can quickly perform a
dictionary attack to obtain system usernames.
This vulnerability was first discovered in September 2003, and has not
yet been patched.
http://securitytracker.com/id?1008628
Testing in December 2008 confirms that the bug is not fixed.
Mark.
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-486
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages vsftpd depends on:
ii adduser 3.110 add and remove users and groups
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libcap1 1:1.10-14 support for getting/setting POSIX.
ii libpam-modules 1.0.1-4 Pluggable Authentication Modules f
ii libpam0g 1.0.1-4 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii netbase 4.34 Basic TCP/IP networking system
Versions of packages vsftpd recommends:
ii logrotate 3.7.7-2 Log rotation utility
vsftpd suggests no packages.
--- End Message ---
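Detection logic for the behaviour the report describes, as an added example that is not part of this bug thread or of vsftpd itself. Because the server answers an unknown username with an immediate 530, each attempted name is one query against the server, so the thing to watch for is a single client cycling through many distinct usernames rather than retrying one. The log lines below are constructed in the layout of vsftpd's own log file (the `[pid N] [user] FAIL LOGIN: Client "ip"` records); the hosts, usernames and PIDs are invented, and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in vsftpd.log layout; all values are invented.
SAMPLE_LOG = """\
Sun Dec 21 16:40:01 2008 [pid 4101] [shaggy] FAIL LOGIN: Client "192.0.2.10"
Sun Dec 21 16:40:02 2008 [pid 4102] [scooby] FAIL LOGIN: Client "192.0.2.10"
Sun Dec 21 16:40:02 2008 [pid 4103] [velma] FAIL LOGIN: Client "192.0.2.10"
Sun Dec 21 16:40:03 2008 [pid 4104] [daphne] FAIL LOGIN: Client "192.0.2.10"
Sun Dec 21 16:40:03 2008 [pid 4105] [fred] FAIL LOGIN: Client "192.0.2.10"
Sun Dec 21 16:40:04 2008 [pid 4106] [mark] OK LOGIN: Client "192.0.2.10"
Sun Dec 21 16:41:10 2008 [pid 4110] [mark] FAIL LOGIN: Client "198.51.100.7"
Sun Dec 21 16:41:40 2008 [pid 4111] [mark] FAIL LOGIN: Client "198.51.100.7"
Sun Dec 21 16:41:55 2008 [pid 4112] [mark] OK LOGIN: Client "198.51.100.7"
"""

# One login record: ctime-style timestamp, pid, bracketed username, OK/FAIL, client address.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<client>[^"]+)"$'
)


def parse_line(line):
    """Return (timestamp, user, result, client) or None for non-login records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("client")


def find_username_probes(log_text, max_distinct_users=3, window_seconds=60):
    """Flag clients that failed logins with more than max_distinct_users
    distinct usernames inside any window_seconds span.

    Repeated failures for a single name (a mistyped password) are not flagged;
    a spread of different names is the pattern the 530-before-password
    behaviour makes cheap, so that is what we alert on.
    Returns {client: sorted list of usernames tried}.
    """
    fails = defaultdict(list)  # client -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "FAIL":
            fails[rec[3]].append((rec[0], rec[1]))

    alerts = {}
    for client, events in fails.items():
        events.sort()
        # Slide a window starting at each failure and count distinct names in it.
        for i, (start, _) in enumerate(events):
            users = set()
            for ts, user in events[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                users.add(user)
            if len(users) > max_distinct_users:
                alerts[client] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    for client, users in find_username_probes(SAMPLE_LOG).items():
        print(f"{client}: {len(users)} distinct usernames tried: {', '.join(users)}")
```

On the constructed input only 192.0.2.10 is reported (five names in four seconds); 198.51.100.7 fails twice with the same name and is left alone. In practice the same sliding-window count can be fed from the server's live log and paired with a connection-rate limit, which is the usual mitigation when the server's documented behaviour cannot be changed.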
--- Begin Message ---
* Mark Hobley:
>> From: Florian Weimer <[email protected]>
>> Subject: Re: Bug#509333: vsftpd discloses whether usernames are valid or
>> not
>>
>> Have you configured an explicit userlist?
>
> Yes I have. Configuration file /etc/vsftpd.conf is as follows:
Then this is the documented behavior, as explained by Nico.
--- End Message ---