Your message dated Mon, 05 Sep 2011 14:49:25 +0000
with message-id <e1r0auh-0008bs...@franck.debian.org>
and subject line Bug#629373: fixed in vsftpd 2.3.4-1
has caused the Debian Bug report #629373,
regarding Remote DoS with vsftpd on Linux 2.6.32
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
629373: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629373
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: vsftpd
Version: 2.3.2-3
Tags: security
Severity: important
X-Debbugs-Cc: debian-ker...@lists.debian.org

The bug is described by Serge Hallyn below, and in Ubuntu bug #720095
<https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095>.

In short, I agree with Serge that the network namespace feature in the
kernel is useful and should be retained in squeeze, given that only
privileged users can (directly) use it. vsftpd must not create a network
namespace per connection without a kernel version check.

Ben.

-------- Forwarded Message --------
From: Serge Hallyn <serge.hal...@canonical.com>
To: kernel-t...@lists.ubuntu.com, ubuntu-ser...@lists.ubuntu.com
Subject: CONFIG_NET_NS
Date: Wed, 1 Jun 2011 13:57:38 -0500

Hi,

vsftpd spawns a network namespace in response to each client connection.
Lucid kernel is slow to release network namespaces, which results, in bug
720095, in an easy remote DOS. The maverick kernel has a fix for this,
but it is hard to cherrypick. The bug was resolved by compiling the lucid
kernel without CONFIG_NET_NS.

I'm emailing to ask that we reconsider that solution. Turning off
CONFIG_NET_NS prevents libvirt from creating all containers (lxc:///),
and prevents lxc from creating most useful containers, resulting in bug
790863. There is the workaround of installing the backported kernel, but
I don't believe that will satiate users who really want LTS stability.
For those users, we are effectively telling them that they cannot use
containers until 12/04.

What I don't believe has been discussed is that CLONE_NEWNET requires
privilege. The vsftpd bug was bad because anyone could trigger it with a
set of remote connections. But that is easily fixed by patching vsftpd to
not use CLONE_NEWNET. As Stefan noted in irc, there is the threat that
other services use CLONE_NEWNET. Though I've grepped some of my local
sources for samba, dhclient, postfix, apache, mysql, squid etc, and have
found no others using CLONE_NEWNET so far.

That doesn't mean there aren't any, but I argue that the risk is far
outweighed by not supporting containers in lucid.

Thanks for your time :)

thanks,
-serge

--
kernel-team mailing list
kernel-t...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
--- End Message ---
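The message above asks for a kernel version check before vsftpd creates a network namespace per connection. The C below is an added illustration of such a gate; it is not code from vsftpd, from the Debian patch, or from either writer, and the cutoff release (2.6.33, the first release after the 2.6.32 series named in the report) and the helper names are assumptions made for the example. It parses the uname(2) release string, compares it against the cutoff, and withholds CLONE_NEWNET from the clone flags on older or unparseable kernels.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sched.h>
#include <sys/utsname.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000  /* Linux value; only defined here for non-glibc builds */
#endif

/* Assumed cutoff (placeholder, not taken from the bug report): withhold
 * CLONE_NEWNET on anything up to and including the 2.6.32 series. The real
 * boundary must come from the changelog of the kernel fix. */
#define NETNS_MIN_MAJOR 2
#define NETNS_MIN_MINOR 6
#define NETNS_MIN_PATCH 33

/* Parse a release string such as "2.6.32-5-amd64" or "3.2.0-4-amd64" into
 * numeric components. A missing patch level is treated as 0.
 * Returns 1 on success, 0 if the string does not start with "major.minor". */
int parse_kernel_release(const char *release, int *major, int *minor, int *patch)
{
    int n;
    *major = *minor = *patch = 0;
    n = sscanf(release, "%d.%d.%d", major, minor, patch);
    if (n < 2 || *major < 0 || *minor < 0 || *patch < 0)
        return 0;
    return 1;
}

/* Component-wise comparison of a parsed version against the assumed cutoff. */
int netns_is_safe(int major, int minor, int patch)
{
    if (major != NETNS_MIN_MAJOR) return major > NETNS_MIN_MAJOR;
    if (minor != NETNS_MIN_MINOR) return minor > NETNS_MIN_MINOR;
    return patch >= NETNS_MIN_PATCH;
}

/* Decide the clone(2) flags for a per-connection child: CLONE_NEWNET is added
 * only when the release parses and passes the cutoff. A string that does not
 * parse is treated as unsafe, so the default is no new namespace. */
int clone_flags_for_release(const char *release, int base_flags)
{
    int major, minor, patch;
    if (!parse_kernel_release(release, &major, &minor, &patch))
        return base_flags & ~CLONE_NEWNET;
    if (!netns_is_safe(major, minor, patch))
        return base_flags & ~CLONE_NEWNET;
    return base_flags | CLONE_NEWNET;
}

/* Same decision for the kernel this process is actually running on. */
int clone_flags_for_running_kernel(int base_flags)
{
    struct utsname u;
    if (uname(&u) != 0)
        return base_flags & ~CLONE_NEWNET;
    return clone_flags_for_release(u.release, base_flags);
}

int main(void)
{
    struct utsname u;
    int flags = clone_flags_for_running_kernel(0);
    if (uname(&u) == 0)
        printf("kernel %s: %s\n", u.release,
               (flags & CLONE_NEWNET) ? "CLONE_NEWNET allowed" : "CLONE_NEWNET withheld");
    return 0;
}
```

The check fails closed: a release string it cannot parse, or a uname() failure, leaves the flag off, so an unexpected kernel string can only cost the namespace isolation, not reopen the resource-exhaustion path the report describes. Whether a distribution kernel carries a backported fix cannot be read from the version number alone, which is why the cutoff is marked as a placeholder to be confirmed against the kernel changelog.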
--- Begin Message ---
Source: vsftpd
Source-Version: 2.3.4-1

We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:

vsftpd_2.3.4-1.debian.tar.gz
  to main/v/vsftpd/vsftpd_2.3.4-1.debian.tar.gz
vsftpd_2.3.4-1.dsc
  to main/v/vsftpd/vsftpd_2.3.4-1.dsc
vsftpd_2.3.4-1_i386.deb
  to main/v/vsftpd/vsftpd_2.3.4-1_i386.deb
vsftpd_2.3.4.orig.tar.gz
  to main/v/vsftpd/vsftpd_2.3.4.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 629...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baum...@progress-technologies.net> (supplier of updated vsftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 05 Sep 2011 15:55:00 +0200
Source: vsftpd
Binary: vsftpd
Architecture: source i386
Version: 2.3.4-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Baumann <daniel.baum...@progress-technologies.net>
Changed-By: Daniel Baumann <daniel.baum...@progress-technologies.net>
Description:
 vsftpd     - lightweight, efficient FTP server written for security
Closes: 629373 630075 634725
Changes:
 vsftpd (2.3.4-1) unstable; urgency=low
 .
   * Merging upstream version 2.3.4:
   * Updating maintainer and uploaders fields.
   * Removing vcs fields.
   * Removing references to my old email address.
   * Making packaging distribution neutral.
   * Updating years in copyright file.
   * Updating to standards version 3.9.2.
   * Compacting copyright file.
   * Updating debconf-po files.
   * Dropping alpha.patch, not supported anymore.
   * Renumbering patches.
   * Rediffing s390.patch.
   * Simplifying architecture listing for libcap2-dev build-depends,
     thanks to Robert Millan <r...@debian.org> (Closes: #634725).
   * Adding Catalan debconf translations from Innocent De Marchi
     <tangram.pe...@gmail.com> (Closes: #630075).
   * Adding patch from Ben Hutchings <b...@decadent.org.uk> to fix a
     remote DoS on Linux 2.6.32 (Closes: #629373).
Checksums-Sha1:
 618cd1df14b53474a3bbab14d10a93f650643af7 1088 vsftpd_2.3.4-1.dsc
 b774cc6b4c50e20f4fe9ca7f6aa74169ce7fe5ea 187043 vsftpd_2.3.4.orig.tar.gz
 79cd005b51706dca5ec141454f810e0af6e7be07 25181 vsftpd_2.3.4-1.debian.tar.gz
 05b8da03fcc0107d2b286fb2855f7d38be5598bb 152214 vsftpd_2.3.4-1_i386.deb
Checksums-Sha256:
 29aa6148c7fa6aeea965fb525946b674f0ba73b7c742bdb784cfa5621c7ccbbd 1088 vsftpd_2.3.4-1.dsc
 b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a 187043 vsftpd_2.3.4.orig.tar.gz
 10d96d87e13ddb280a8cb3ade64b4962e59e129f698e34415e1a5595751c1f8a 25181 vsftpd_2.3.4-1.debian.tar.gz
 c8c6527920f5427287b91aedcdcf86067648e4da35547c3aa267f2e12fcdd2ab 152214 vsftpd_2.3.4-1_i386.deb
Files:
 2f5569973a51f8d26df4a69b385f9a1e 1088 net extra vsftpd_2.3.4-1.dsc
 2ea5d19978710527bb7444d93b67767a 187043 net extra vsftpd_2.3.4.orig.tar.gz
 6724cf294cb2fe6b556d5a26d3950a0f 25181 net extra vsftpd_2.3.4-1.debian.tar.gz
 cb503dac460895553b44defa4a1f757e 152214 net extra vsftpd_2.3.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk5k1+cACgkQ+C5cwEsrK54ftACeMY5mdlJwaqkxsBZN4f2SEK+Z
npAAoK3DGOFByV9NNT37q8inCWCMDKQA
=WA5B
-----END PGP SIGNATURE-----
--- End Message ---