Package: vsftpd
Version: 2.3.5-2
Severity: important
Tags: patch

Jonathan Nieder wrote[1]:
> Regid Ichira wrote:
>> $ zcat /usr/share/doc/vsftpd/changelog.gz | tail -6 >> - Add stronger checks for the configuration error of running with a >> writeable >> root directory inside a chroot(). This may bite people who carelessly >> turned >> on chroot_local_user but such is life. >> >> At this point: v2.3.5 released! >> =============================== >> >> I think those stronger checks are wrong, because it prevents >> modifying (uploading, deletion, modifying) files. Am I wrong? >> Such modifications used to work. > > I think the stronger checks are right, though they could probably be > relaxed without harm in some special cases. That said, breaking existing configurations without warning feels wrong. How about this patch? -- >8 -- Subject: Adding NEWS.Debian file to warn about strengthened checks for writable root directory inside chroot --- [1] http://lists.debian.org/debian-user/2012/01/msg01514.html debian/NEWS | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) create mode 100644 debian/NEWS diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 00000000..464bec21 --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,9 @@ +vsftpd (2.3.5-1) unstable; urgency=low + + Starting with this version, vsftpd refuses to serve files in dangerous + configurations in which the top of the chroot() jail is writable by + the user that serves files. You may need to adjust the directory + structure or disable the chroot_local_user option. See + /usr/share/doc/vsftpd/FAQ.gz for details. + + -- Jonathan Nieder <[email protected]> Sun, 22 Jan 2012 12:35:28 -0600 -- 1.7.9.rc2 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
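Review bot: The entry header in the new debian/NEWS is stamped "vsftpd (2.3.5-1)", but this report is filed against 2.3.5-2, so the entry carries a version at or below what affected users already have installed. apt-listchanges only displays NEWS entries newer than the installed version, so anyone already on 2.3.5-1 or 2.3.5-2 would not be shown the warning on their next upgrade. Consider stamping the entry with the version of the upload that first ships debian/NEWS; users upgrading from older releases would still see it. Separately, of the two remedies in the body, "disable the chroot_local_user option" removes the jail altogether, so the text could say that the preferred fix is a chroot top directory that is not writable by the serving user, with uploads going to a writable subdirectory.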

