Your message dated Mon, 05 Sep 2011 14:49:25 +0000
with message-id <e1r0auh-0008bs...@franck.debian.org>
and subject line Bug#629373: fixed in vsftpd 2.3.4-1
has caused the Debian Bug report #629373,
regarding Remote DoS with vsftpd on Linux 2.6.32
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
629373: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: vsftpd
Version: 2.3.2-3
Tags: security
Severity: important
X-Debbugs-Cc: debian-ker...@lists.debian.org

The bug is described by Serge Hallyn below, and in Ubuntu bug #720095
<https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095>.

In short, I agree with Serge that the network namespace feature in the
kernel is useful and should be retained in squeeze, given that only
privileged users can (directly) use it.  vsftpd must not create a
network namespace per connection without a kernel version check.

Ben.

-------- Forwarded Message --------
From: Serge Hallyn <serge.hal...@canonical.com>
To: kernel-t...@lists.ubuntu.com, ubuntu-ser...@lists.ubuntu.com
Subject: CONFIG_NET_NS
Date: Wed, 1 Jun 2011 13:57:38 -0500

Hi,

vsftpd spawns a network namespace in response to each client connection.
Lucid kernel is slow to release network namespaces, which results, in
bug 720095, in an easy remote DoS.  The maverick kernel has a fix for
this, but it is hard to cherry-pick.

The bug was resolved by compiling the lucid kernel without
CONFIG_NET_NS.  I'm emailing to ask that we reconsider that solution.

Turning off CONFIG_NET_NS prevents libvirt from creating all containers
(lxc:///), and prevents lxc from creating most useful containers,
resulting in bug 790863.  There is the workaround of installing the
backported kernel, but I don't believe that will satiate users who
really want LTS stability.  For those users, we are effectively telling
them that they cannot use containers until 12/04.

What I don't believe has been discussed is that CLONE_NEWNET requires
privilege.  The vsftpd bug was bad because anyone could trigger it with
a set of remote connections.  But that is easily fixed by patching
vsftpd to not use CLONE_NEWNET.  As Stefan noted in irc, there is the
threat that other services use CLONE_NEWNET.  Though I've grepped some
of my local sources for samba, dhclient, postfix, apache, mysql, squid
etc, and have found no others using CLONE_NEWNET so far.  That doesn't
mean there aren't any, but I argue that the risk is far outweighed by
not supporting containers in lucid.

Thanks for your time :)

thanks,
-serge

-- 
kernel-team mailing list
kernel-t...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team


-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.



--- End Message ---
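Ben's point above is that a per-connection CLONE_NEWNET is only safe on kernels that release network namespaces promptly, so the daemon should check the kernel version before requesting one. The following is an added illustration of that mitigation pattern; it is not vsftpd's code and not Ben Hutchings' patch. The version threshold is a placeholder assumption (the report only says 2.6.32 is affected and a later kernel has the fix), and the connection handler is a stub that just spawns a child and reports whether the namespace request succeeded.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Placeholder threshold (assumption): the report says 2.6.32 is slow to
 * release network namespaces and that a later kernel carries the fix, but it
 * does not name the first good version. Adjust to your distribution kernel. */
#define NETNS_MIN_MAJOR 2
#define NETNS_MIN_MINOR 6
#define NETNS_MIN_PATCH 35

/* Parse a uname() release string such as "2.6.32-5-amd64" or "3.0-rc1".
 * Returns 0 on success; a missing patch level is treated as 0. */
int parse_kernel_release(const char *rel, int *major, int *minor, int *patch)
{
    *major = *minor = *patch = 0;
    int n = sscanf(rel, "%d.%d.%d", major, minor, patch);
    return (n >= 2) ? 0 : -1;
}

/* Return 1 if rel is at least min_major.min_minor.min_patch.
 * An unparseable string returns 0: when in doubt, do not use the feature. */
int kernel_at_least(const char *rel, int min_major, int min_minor, int min_patch)
{
    int maj, min, pat;
    if (parse_kernel_release(rel, &maj, &min, &pat) != 0)
        return 0;
    if (maj != min_major) return maj > min_major;
    if (min != min_minor) return min > min_minor;
    return pat >= min_patch;
}

/* Flags for a per-connection sandbox: only request a fresh network namespace
 * when the running kernel is known to release namespaces promptly. */
int sandbox_clone_flags(const char *rel)
{
    int flags = SIGCHLD;
    if (kernel_at_least(rel, NETNS_MIN_MAJOR, NETNS_MIN_MINOR, NETNS_MIN_PATCH))
        flags |= CLONE_NEWNET;
    return flags;
}

/* Spawn one "connection handler" child honouring the chosen flags. Uses fork()
 * plus unshare() rather than clone() so no separate child stack is needed.
 * Returns the child's exit status: 0 on success, or errno if unshare() failed
 * (EPERM when run unprivileged, since CLONE_NEWNET needs CAP_SYS_ADMIN). */
int spawn_handler(int flags)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if ((flags & CLONE_NEWNET) && unshare(CLONE_NEWNET) != 0)
            _exit(errno);
        /* per-connection work would run here */
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    int flags = sandbox_clone_flags(u.release);
    printf("kernel %s: %s\n", u.release,
           (flags & CLONE_NEWNET) ? "using CLONE_NEWNET per connection"
                                  : "below threshold, handler runs without a new netns");
    int rc = spawn_handler(flags);
    if (rc == 0)
        printf("handler child ran fine\n");
    else
        printf("handler child failed: %s\n", strerror(rc));
    return 0;
}
```

Two choices worth noting: an unparseable release string disables the namespace rather than enabling it, and the decision is made once from `uname()` rather than per connection, so an attacker cannot influence it. Run as an unprivileged user on a new kernel, the child reports EPERM, which is exactly Serge's observation that CLONE_NEWNET requires privilege.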
--- Begin Message ---
Source: vsftpd
Source-Version: 2.3.4-1

We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:

vsftpd_2.3.4-1.debian.tar.gz
  to main/v/vsftpd/vsftpd_2.3.4-1.debian.tar.gz
vsftpd_2.3.4-1.dsc
  to main/v/vsftpd/vsftpd_2.3.4-1.dsc
vsftpd_2.3.4-1_i386.deb
  to main/v/vsftpd/vsftpd_2.3.4-1_i386.deb
vsftpd_2.3.4.orig.tar.gz
  to main/v/vsftpd/vsftpd_2.3.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 629...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baum...@progress-technologies.net> (supplier of updated 
vsftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 05 Sep 2011 15:55:00 +0200
Source: vsftpd
Binary: vsftpd
Architecture: source i386
Version: 2.3.4-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Baumann <daniel.baum...@progress-technologies.net>
Changed-By: Daniel Baumann <daniel.baum...@progress-technologies.net>
Description: 
 vsftpd     - lightweight, efficient FTP server written for security
Closes: 629373 630075 634725
Changes: 
 vsftpd (2.3.4-1) unstable; urgency=low
 .
   * Merging upstream version 2.3.4:
   * Updating maintainer and uploaders fields.
   * Removing vcs fields.
   * Removing references to my old email address.
   * Making packaging distribution neutral.
   * Updating years in copyright file.
   * Updating to standards version 3.9.2.
   * Compacting copyright file.
   * Updating debconf-po files.
   * Dropping alpha.patch, not supported anymore.
   * Renumbering patches.
   * Rediffing s390.patch.
   * Simplifying architecture listing for libcap2-dev build-depends,
     thanks to Robert Millan <r...@debian.org> (Closes: #634725).
   * Adding Catalan debconf translations from Innocent De Marchi
     <tangram.pe...@gmail.com> (Closes: #630075).
   * Adding patch from Ben Hutchings <b...@decadent.org.uk> to fix a
     remote DoS on Linux 2.6.32 (Closes: #629373).
Checksums-Sha1: 
 618cd1df14b53474a3bbab14d10a93f650643af7 1088 vsftpd_2.3.4-1.dsc
 b774cc6b4c50e20f4fe9ca7f6aa74169ce7fe5ea 187043 vsftpd_2.3.4.orig.tar.gz
 79cd005b51706dca5ec141454f810e0af6e7be07 25181 vsftpd_2.3.4-1.debian.tar.gz
 05b8da03fcc0107d2b286fb2855f7d38be5598bb 152214 vsftpd_2.3.4-1_i386.deb
Checksums-Sha256: 
 29aa6148c7fa6aeea965fb525946b674f0ba73b7c742bdb784cfa5621c7ccbbd 1088 vsftpd_2.3.4-1.dsc
 b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a 187043 vsftpd_2.3.4.orig.tar.gz
 10d96d87e13ddb280a8cb3ade64b4962e59e129f698e34415e1a5595751c1f8a 25181 vsftpd_2.3.4-1.debian.tar.gz
 c8c6527920f5427287b91aedcdcf86067648e4da35547c3aa267f2e12fcdd2ab 152214 vsftpd_2.3.4-1_i386.deb
Files: 
 2f5569973a51f8d26df4a69b385f9a1e 1088 net extra vsftpd_2.3.4-1.dsc
 2ea5d19978710527bb7444d93b67767a 187043 net extra vsftpd_2.3.4.orig.tar.gz
 6724cf294cb2fe6b556d5a26d3950a0f 25181 net extra vsftpd_2.3.4-1.debian.tar.gz
 cb503dac460895553b44defa4a1f757e 152214 net extra vsftpd_2.3.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk5k1+cACgkQ+C5cwEsrK54ftACeMY5mdlJwaqkxsBZN4f2SEK+Z
npAAoK3DGOFByV9NNT37q8inCWCMDKQA
=WA5B
-----END PGP SIGNATURE-----



--- End Message ---