Your message dated Sun, 04 Mar 2012 19:33:44 +0000
with message-id <[email protected]>
and subject line Bug#656900: fixed in vsftpd 2.3.5-3
has caused the Debian Bug report #656900,
regarding vsftpd: please add NEWS.Debian.gz to warn about configuration changes
needed in 2.3.4->2.3.5 upgrade
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
656900: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656900
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: vsftpd
Version: 2.3.5-2
Severity: important
Tags: patch
Jonathan Nieder wrote[1]:
> Regid Ichira wrote:
>> $ zcat /usr/share/doc/vsftpd/changelog.gz | tail -6
>> - Add stronger checks for the configuration error of running with a writeable
>> root directory inside a chroot(). This may bite people who carelessly turned
>> on chroot_local_user but such is life.
>>
>> At this point: v2.3.5 released!
>> ===============================
>>
>> I think those stronger checks are wrong, because they prevent
>> modifying (uploading, deletion, modifying) files. Am I wrong?
>> Such modifications used to work.
>
> I think the stronger checks are right, though they could probably be
> relaxed without harm in some special cases.
That said, breaking existing configurations without warning feels
wrong. How about this patch?
-- >8 --
Subject: Adding NEWS.Debian file to warn about strengthened checks for writable
root directory inside chroot
---
[1] http://lists.debian.org/debian-user/2012/01/msg01514.html
debian/NEWS | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
create mode 100644 debian/NEWS
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 00000000..464bec21
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,9 @@
+vsftpd (2.3.5-1) unstable; urgency=low
+
+ Starting with this version, vsftpd refuses to serve files in dangerous
+ configurations in which the top of the chroot() jail is writable by
+ the user that serves files. You may need to adjust the directory
+ structure or disable the chroot_local_user option. See
+ /usr/share/doc/vsftpd/FAQ.gz for details.
+
+ -- Jonathan Nieder <[email protected]> Sun, 22 Jan 2012 12:35:28 -0600
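Review bot: the entry header on the first added line is versioned 2.3.5-1, yet this report is filed against 2.3.5-2, so the file cannot ship before a later upload. Upgrade tools that display NEWS typically show only entries newer than the installed version, so an entry stamped with an already-released version may never be shown to users who have 2.3.5-1 or 2.3.5-2 installed. Suggest using the version of the upload that first carries the file. The body also says to "adjust the directory structure" without saying to what; one clause stating that the top of the jail must not be writable by the serving user would let the entry stand without FAQ.gz.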
--
1.7.9.rc2
--- End Message ---
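A pre-upgrade audit for the condition the NEWS entry above describes, added here as an example; it is not code from vsftpd, the Debian package, or anyone in this thread. The function names are hypothetical. It assumes that under chroot_local_user each local user's jail top is their home directory, that YES/TRUE/1 are the enabling values, and it judges "writable" from permission bits only, which approximates but is not vsftpd's own test.

```sh
#!/bin/sh
# Added example (not vsftpd or Debian code): flag accounts whose jail top is
# writable. Permission bits only; ACLs and supplementary groups are ignored.

# writable_by DIR UID GID: exit 0 if DIR's mode bits grant write to UID/GID.
writable_by() {
    info=$(ls -ldn -- "$1" 2>/dev/null) || return 2
    set -- "$2" "$3" $info            # now $3=mode $5=owner uid $6=owner gid
    if   [ "$1" = "$5" ]; then col=3  # account owns the directory: owner bits
    elif [ "$2" = "$6" ]; then col=6  # primary group matches: group bits
    else col=9                        # anyone else: other bits
    fi
    [ "$(printf '%s' "$3" | cut -c"$col")" = "w" ]
}

# chroot_enabled CONF: exit 0 if the last chroot_local_user= line enables it.
chroot_enabled() {
    val=$(sed -n 's/^chroot_local_user=//p' "$1" | tail -n 1 | tr 'a-z' 'A-Z')
    case $val in YES|TRUE|1) return 0 ;; *) return 1 ;; esac
}

# audit PASSWD CONF: print "user:home" for every account whose home directory
# (assumed to be the top of its jail) is writable by that account.
audit() {
    chroot_enabled "$2" || return 0
    while IFS=: read -r user x uid gid x home x; do
        [ -d "$home" ] || continue
        if writable_by "$home" "$uid" "$gid"; then
            printf '%s:%s\n' "$user" "$home"
        fi
    done < "$1"
}

# Constructed demo: a fake account "alice" with a temporary home directory.
demo() {
    t=$(mktemp -d) && mkdir "$t/home" && chmod 755 "$t/home" || return 2
    set -- $(ls -ldn "$t/home")       # reuse the directory's real uid/gid
    printf 'alice:x:%s:%s::%s:/bin/sh\n' "$3" "$4" "$t/home" > "$t/passwd"
    printf 'listen=YES\nchroot_local_user=YES\n' > "$t/conf"
    audit "$t/passwd" "$t/conf"       # home is 755 and owned: reported
    chmod 555 "$t/home"
    audit "$t/passwd" "$t/conf"       # home is 555: nothing reported
    rm -rf "$t"
}
demo
```

On a real host the call would be `audit /etc/passwd /etc/vsftpd.conf`, taking the Debian default configuration path as an assumption.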
--- Begin Message ---
Source: vsftpd
Source-Version: 2.3.5-3
We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:
vsftpd_2.3.5-3.debian.tar.gz
to main/v/vsftpd/vsftpd_2.3.5-3.debian.tar.gz
vsftpd_2.3.5-3.dsc
to main/v/vsftpd/vsftpd_2.3.5-3.dsc
vsftpd_2.3.5-3_i386.deb
to main/v/vsftpd/vsftpd_2.3.5-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <[email protected]> (supplier of updated
vsftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 04 Mar 2012 20:15:39 +0100
Source: vsftpd
Binary: vsftpd
Architecture: source i386
Version: 2.3.5-3
Distribution: unstable
Urgency: low
Maintainer: Daniel Baumann <[email protected]>
Changed-By: Daniel Baumann <[email protected]>
Description:
vsftpd - lightweight, efficient FTP server written for security
Closes: 655103 656900 657693
Changes:
vsftpd (2.3.5-3) unstable; urgency=low
.
[ Daniel Baumann ]
* Adding changelog entry from squeeze security update.
.
[ Jonathan Nieder ]
* Adding NEWS file to warn about strengthened checks for writable root
directory inside chroot (Closes: #656900).
.
[ Daniel Baumann ]
* Manually passing CPPFLAGS into CFLAGS when calling make in rules
(Closes: #655103, #657693).
* Updating package to standards version 3.9.3.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk9TwBgACgkQ+C5cwEsrK55fSQCgn1AxHmZsgSgB4GlCl/soNj4i
03IAoKEGrtgR09IWHLADVN4TR1LuhZPz
=8q61
-----END PGP SIGNATURE-----
--- End Message ---