Package: vsftpd
Version: 3.0.3-13.1
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for vsftpd (versioned as 3.0.5-0.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru vsftpd-3.0.3/Changelog vsftpd-3.0.5/Changelog
--- vsftpd-3.0.3/Changelog	2015-07-23 08:01:55.000000000 +0200
+++ vsftpd-3.0.5/Changelog	2021-08-02 08:23:45.000000000 +0200
@@ -1375,3 +1375,22 @@
 
 At this point: v3.0.3 released!
 ===============================
+
+- Fix build on Fedora 33 (one warning, one incorrect libcap used).
+- Fix SSL build (terrible grep for symbol in vsf_findlibs.sh)!
+- Fix runtime SIGSYS crashes on Fedora 33 (seccomp sandbox policy tweaks).
+- Reject HTTP verbs pre-login.
+- Disable TLS prior to v1.2 by default.
+- Close the control connection after 10 unknown commands pre-login.
+- Reject any TLS ALPN advertisement that's not 'ftp'.
+- Add ssl_sni_hostname option to require a match on incoming SNI hostname.
+
+At this point: v3.0.4 released!
+===============================
+
+- Fix ALPN callback to correctly select the 'ftp' string if present. Works
+with FileZilla-3.55.0.
+- Fix a couple of seccomp policy issues with Fedora 34.
+
+At this point: v3.0.5 released!
+===============================
diff -Nru vsftpd-3.0.3/debian/changelog vsftpd-3.0.5/debian/changelog
--- vsftpd-3.0.3/debian/changelog	2024-07-07 14:39:11.000000000 +0200
+++ vsftpd-3.0.5/debian/changelog	2025-01-15 12:19:33.000000000 +0100
@@ -1,3 +1,14 @@
+vsftpd (3.0.5-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release. (Closes: #991329)
+    Fixes CVE-2021-3618
+
+  [ Svante Signelle ]
+  * Fix init script for Hurd (Closes: #975585)
+
+ -- Chris Hofstaedtler <[email protected]>  Wed, 15 Jan 2025 12:19:33 +0100
+
 vsftpd (3.0.3-13.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru vsftpd-3.0.3/debian/patches/0065-upload_download_filename_pattern.patch vsftpd-3.0.5/debian/patches/0065-upload_download_filename_pattern.patch
--- vsftpd-3.0.3/debian/patches/0065-upload_download_filename_pattern.patch	2015-12-25 15:09:58.000000000 +0100
+++ vsftpd-3.0.5/debian/patches/0065-upload_download_filename_pattern.patch	2025-01-15 12:19:33.000000000 +0100
@@ -12,8 +12,10 @@
         tunables.h
         vsftpd.conf.5
 
---- vsftpd.orig/access.c
-+++ vsftpd/access.c
+Index: vsftpd-3.0.5/access.c
+===================================================================
+--- vsftpd-3.0.5.orig/access.c
++++ vsftpd-3.0.5/access.c
 @@ -12,11 +12,27 @@
  #include "tunables.h"
  #include "str.h"
@@ -43,7 +45,7 @@
  
    if (!tunable_deny_file)
    {
-@@ -26,27 +42,21 @@
+@@ -26,27 +42,21 @@ vsf_access_check_file(const struct mystr
    {
      str_alloc_text(&s_access_str, tunable_deny_file);
    }
@@ -74,7 +76,7 @@
  
    if (!tunable_hide_file)
    {
-@@ -56,19 +66,47 @@
+@@ -56,19 +66,47 @@ vsf_access_check_file_visible(const stru
    {
      str_alloc_text(&s_access_str, tunable_hide_file);
    }
@@ -130,9 +132,11 @@
 +
 +  return  vsf_match_filter(p_filename_str, &s_access_str);
 +}
---- vsftpd.orig/access.h
-+++ vsftpd/access.h
-@@ -25,5 +25,27 @@
+Index: vsftpd-3.0.5/access.h
+===================================================================
+--- vsftpd-3.0.5.orig/access.h
++++ vsftpd-3.0.5/access.h
+@@ -25,5 +25,27 @@ int vsf_access_check_file(const struct m
   */
  int vsf_access_check_file_visible(const struct mystr* p_filename_str);
  
@@ -160,9 +164,11 @@
 +
  #endif /* VSF_ACCESS_H */
  
---- vsftpd.orig/parseconf.c
-+++ vsftpd/parseconf.c
-@@ -171,6 +171,8 @@
+Index: vsftpd-3.0.5/parseconf.c
+===================================================================
+--- vsftpd-3.0.5.orig/parseconf.c
++++ vsftpd-3.0.5/parseconf.c
+@@ -174,6 +174,8 @@ parseconf_str_array[] =
    { "cmds_allowed", &tunable_cmds_allowed },
    { "hide_file", &tunable_hide_file },
    { "deny_file", &tunable_deny_file },
@@ -171,9 +177,11 @@
    { "user_sub_token", &tunable_user_sub_token },
    { "email_password_file", &tunable_email_password_file },
    { "rsa_cert_file", &tunable_rsa_cert_file },
---- vsftpd.orig/postlogin.c
-+++ vsftpd/postlogin.c
-@@ -671,7 +671,8 @@
+Index: vsftpd-3.0.5/postlogin.c
+===================================================================
+--- vsftpd-3.0.5.orig/postlogin.c
++++ vsftpd-3.0.5/postlogin.c
+@@ -671,7 +671,8 @@ handle_retr(struct vsf_session* p_sess,
    vsf_log_start_entry(p_sess, kVSFLogEntryDownload);
    str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
    prepend_path_to_filename(&p_sess->log_str);
@@ -183,7 +191,7 @@
    {
      vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
      return;
-@@ -1040,7 +1041,8 @@
+@@ -1040,7 +1041,8 @@ handle_upload_common(struct vsf_session*
    vsf_log_start_entry(p_sess, kVSFLogEntryUpload);
    str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
    prepend_path_to_filename(&p_sess->log_str);
@@ -193,9 +201,11 @@
    {
      vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
      return;
---- vsftpd.orig/tunables.c
-+++ vsftpd/tunables.c
-@@ -135,6 +135,8 @@
+Index: vsftpd-3.0.5/tunables.c
+===================================================================
+--- vsftpd-3.0.5.orig/tunables.c
++++ vsftpd-3.0.5/tunables.c
+@@ -138,6 +138,8 @@ const char* tunable_cmds_allowed;
  const char* tunable_cmds_denied;
  const char* tunable_hide_file;
  const char* tunable_deny_file;
@@ -204,7 +214,7 @@
  const char* tunable_user_sub_token;
  const char* tunable_email_password_file;
  const char* tunable_rsa_cert_file;
-@@ -280,6 +282,8 @@
+@@ -287,6 +289,8 @@ tunables_load_defaults()
    install_str_setting(0, &tunable_cmds_denied);
    install_str_setting(0, &tunable_hide_file);
    install_str_setting(0, &tunable_deny_file);
@@ -213,9 +223,11 @@
    install_str_setting(0, &tunable_user_sub_token);
    install_str_setting("/etc/vsftpd.email_passwords",
                        &tunable_email_password_file);
---- vsftpd.orig/tunables.h
-+++ vsftpd/tunables.h
-@@ -137,6 +137,8 @@
+Index: vsftpd-3.0.5/tunables.h
+===================================================================
+--- vsftpd-3.0.5.orig/tunables.h
++++ vsftpd-3.0.5/tunables.h
+@@ -140,6 +140,8 @@ extern const char* tunable_listen_addres
  extern const char* tunable_cmds_allowed;
  extern const char* tunable_hide_file;
  extern const char* tunable_deny_file;
@@ -224,9 +236,11 @@
  extern const char* tunable_user_sub_token;
  extern const char* tunable_email_password_file;
  extern const char* tunable_rsa_cert_file;
---- vsftpd.orig/vsftpd.conf.5
-+++ vsftpd/vsftpd.conf.5
-@@ -847,6 +847,16 @@
+Index: vsftpd-3.0.5/vsftpd.conf.5
+===================================================================
+--- vsftpd-3.0.5.orig/vsftpd.conf.5
++++ vsftpd-3.0.5/vsftpd.conf.5
+@@ -871,6 +871,16 @@ Example: deny_file={*.mp3,*.mov,.private
  
  Default: (none)
  .TP
@@ -243,9 +257,9 @@
  .B dsa_cert_file
  This option specifies the location of the DSA certificate to use for SSL
  encrypted connections.
-@@ -982,6 +992,16 @@
+@@ -1012,6 +1022,16 @@ incoming handshakes matches this value.
  
- Default: DES-CBC3-SHA
+ Default: (none)
  .TP
 +.B upload_file
 +This option may be set to restrict uploads to files with names matching the
diff -Nru vsftpd-3.0.3/debian/vsftpd.init vsftpd-3.0.5/debian/vsftpd.init
--- vsftpd-3.0.3/debian/vsftpd.init	2019-03-06 07:51:33.000000000 +0100
+++ vsftpd-3.0.5/debian/vsftpd.init	2025-01-15 12:19:33.000000000 +0100
@@ -51,7 +51,7 @@
 		while [ ${n} -le 5 ]
 		do 
 			_PID="$(if [ -e /var/run/vsftpd/vsftpd.pid ]; then cat /var/run/vsftpd/vsftpd.pid; fi)"
-			if ps -C vsftpd | grep -qs "${_PID}"
+			if `pidof vsftpd | tr '' '\n' | grep -oqs "${_PID}"`
 			then
 				break
 			fi
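Review bot: The rewritten test on the `+` line wraps the pipeline in backticks, so the shell executes the (empty, because of `-q`) output as the command and only incidentally inherits the substitution's exit status; the plain form `if pidof vsftpd | tr ' ' '\n' | grep -qsx "${_PID}"` is what is meant, and the same applies to the `if ! …` line in the next hunk. `tr '' '\n'` has an empty first set, so it most likely translates nothing (pidof prints the pids space-separated on one line); the intended set is presumably a single space. `grep -o` is meaningless together with `-q`, and without `-x` the match is a substring match, so pid `12` is accepted while pid `123` is the one running; `-x` also stops an empty `${_PID}` (pid file not written yet) from matching every line.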
@@ -59,7 +59,7 @@
 			n=$(( $n + 1 ))
 		done
 
-		if ! ps -C vsftpd | grep -qs "${_PID}"
+		if `! pidof vsftpd | tr '' '\n' | grep -oqs "${_PID}"`
 		then
 			log_warning_msg "vsftpd failed - probably invalid config."
 			exit 1
diff -Nru vsftpd-3.0.3/main.c vsftpd-3.0.5/main.c
--- vsftpd-3.0.3/main.c	2012-09-16 06:27:13.000000000 +0200
+++ vsftpd-3.0.5/main.c	2021-05-20 11:37:27.000000000 +0200
@@ -38,7 +38,7 @@
   struct vsf_session the_session =
   {
     /* Control connection */
-    0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0,
     /* Data connection */
     -1, 0, -1, 0, 0, 0, 0,
     /* Login */
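Review bot: The extra `0` on the `+` line is a positional initializer whose meaning depends on the field order in session.h (the new `int prelogin_errors;` from the session.h hunk further down), so nothing in main.c says which member it zeroes and a later field insertion shifts every following value silently. A designated initializer for the new member, or at least an end-of-line comment naming it, would document the tie, and the session.h line itself could carry a comment such as `int prelogin_errors; /* Unrecognised commands seen before login. */`. The initializer of the_session continues outside the hunk.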
diff -Nru vsftpd-3.0.3/parseconf.c vsftpd-3.0.5/parseconf.c
--- vsftpd-3.0.3/parseconf.c	2012-09-16 09:15:07.000000000 +0200
+++ vsftpd-3.0.5/parseconf.c	2021-05-29 23:39:19.000000000 +0200
@@ -85,6 +85,9 @@
   { "ssl_sslv2", &tunable_sslv2 },
   { "ssl_sslv3", &tunable_sslv3 },
   { "ssl_tlsv1", &tunable_tlsv1 },
+  { "ssl_tlsv11", &tunable_tlsv1_1 },
+  { "ssl_tlsv12", &tunable_tlsv1_2 },
+  { "ssl_tlsv13", &tunable_tlsv1_3 },
   { "tilde_user_enable", &tunable_tilde_user_enable },
   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
@@ -178,6 +181,7 @@
   { "rsa_private_key_file", &tunable_rsa_private_key_file },
   { "dsa_private_key_file", &tunable_dsa_private_key_file },
   { "ca_certs_file", &tunable_ca_certs_file },
+  { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
   { "cmds_denied", &tunable_cmds_denied },
   { 0, 0 }
 };
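Review bot: The config keys registered on the `+` lines are `ssl_tlsv11`, `ssl_tlsv12` and `ssl_tlsv13`, but the vsftpd.conf.5 hunk at the end of this diff documents them as `ssl_tlsv1_1`, `ssl_tlsv1_2` and `ssl_tlsv1_3`. An administrator who follows the man page to tighten or relax the permitted TLS versions will, as far as parseconf's handling of unknown keys goes, get a startup failure instead of the intended setting, which matters because this same upload changes the TLS version defaults. One of the two should be aligned; accepting both spellings in this table (`{ "ssl_tlsv1_1", &tunable_tlsv1_1 },` and the two siblings alongside the existing entries) keeps either form of existing configs working.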
diff -Nru vsftpd-3.0.3/prelogin.c vsftpd-3.0.5/prelogin.c
--- vsftpd-3.0.3/prelogin.c	2012-04-03 07:22:11.000000000 +0200
+++ vsftpd-3.0.5/prelogin.c	2021-05-20 11:40:20.000000000 +0200
@@ -164,8 +164,21 @@
       {
         /* Deliberately ignore to avoid NAT device bugs, as per ProFTPd. */
       }
+      else if (str_equal_text(&p_sess->ftp_cmd_str, "GET") ||
+               str_equal_text(&p_sess->ftp_cmd_str, "POST") ||
+               str_equal_text(&p_sess->ftp_cmd_str, "HEAD") ||
+               str_equal_text(&p_sess->ftp_cmd_str, "OPTIONS") ||
+               str_equal_text(&p_sess->ftp_cmd_str, "CONNECT"))
+      {
+        vsf_cmdio_write_exit(p_sess, FTP_BADCMD,
+                             "HTTP protocol commands not allowed.", 1);
+      }
       else
       {
+        p_sess->prelogin_errors++;
+        if (p_sess->prelogin_errors > 10) {
+          vsf_cmdio_write_exit(p_sess, FTP_BADCMD, "Too many errors.", 1);
+        }
         vsf_cmdio_write(p_sess, FTP_LOGINERR,
                         "Please login with USER and PASS.");
       }
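Review bot: `10` on the `+` line `if (p_sess->prelogin_errors > 10) {` is a bare magic number and the brace placement differs from the Allman style used on every other line of this hunk; a named constant in place of the literal and a one-line comment above the increment, e.g. `/* Drop clients that keep sending non-FTP input before logging in. */`, would make the intent readable. The HTTP-verb comparison assumes the command has already been upper-cased by the command reader, which is not visible here; a lower-case `get` would then only be counted rather than rejected outright (harmless, but different from what the changelog entry describes), so worth confirming. The enclosing function starts and ends outside the hunk.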
diff -Nru vsftpd-3.0.3/README vsftpd-3.0.5/README
--- vsftpd-3.0.3/README	2015-07-21 00:06:54.000000000 +0200
+++ vsftpd-3.0.5/README	2021-07-31 22:08:40.000000000 +0200
@@ -1,4 +1,4 @@
-This is vsftpd, version 3.0.3
+This is vsftpd, version 3.0.5
 Author: Chris Evans
 Contact: [email protected]
 Website: http://vsftpd.beasts.org/
diff -Nru vsftpd-3.0.3/seccompsandbox.c vsftpd-3.0.5/seccompsandbox.c
--- vsftpd-3.0.3/seccompsandbox.c	2015-07-22 21:47:35.000000000 +0200
+++ vsftpd-3.0.5/seccompsandbox.c	2021-08-01 03:32:53.000000000 +0200
@@ -45,6 +45,15 @@
 #ifndef __NR_openat
   #define __NR_openat 257
 #endif
+#ifndef __NR_newfstatat
+  #define __NR_newfstatat 262
+#endif
+#ifndef __NR_pselect6
+  #define __NR_pselect6 270
+#endif
+#ifndef __NR_getrandom
+  #define __NR_getrandom 318
+#endif
 
 #ifndef O_LARGEFILE
   #define O_LARGEFILE 00100000
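Review bot: The fallback values 262, 270 and 318 on the `+` lines are the x86_64 syscall numbers for newfstatat, pselect6 and getrandom; should the file ever be compiled on an architecture whose headers lack these macros, the filter would allow whatever syscalls carry those numbers there. This follows the existing `__NR_openat 257` fallback, so it is consistent, but unless the file already restricts itself to x86_64 elsewhere, a `#if !defined(__x86_64__)` / `#error` guard around the fallback block would turn a silent policy error into a build error. `__NR_getdents64`, newly allowed in a later hunk of this file, has no fallback at all.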
@@ -267,6 +276,7 @@
                        3, IPPROTO_TCP);
   allow_nr(__NR_bind);
   allow_nr(__NR_select);
+  allow_nr(__NR_pselect6);
   if (tunable_port_enable)
   {
     allow_nr(__NR_connect);
@@ -350,6 +360,8 @@
     /* For file locking. */
     allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW);
     allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK);
+    /* Newer kernel / glibc hit this. */
+    allow_nr(__NR_getrandom);
   }
   if (tunable_ssl_enable)
   {
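Review bot: `allow_nr(__NR_getrandom);` on the `+` line sits inside the conditional block closed by the `}` just below it, whose condition is outside the hunk; if that block is config-dependent (the neighbouring `F_SETLK`/`F_SETLKW` entries suggest a locking-related path), sessions that do not take it still die with SIGSYS the first time glibc calls getrandom. Given the comment `/* Newer kernel / glibc hit this. */`, the allow reads as belonging with the unconditional entries such as `allow_nr(__NR_fstat);` in the next hunk, unless the file already allows it elsewhere. Worth confirming against the full function before the upload goes through.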
@@ -396,6 +408,7 @@
   allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_LINGER);
   allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_IP, 3, IP_TOS);
   allow_nr(__NR_fstat);
+  allow_nr(__NR_newfstatat);
   allow_nr(__NR_lseek);
   /* Since we use chroot() to restrict filesystem access, we can just blanket
    * allow open().
@@ -409,8 +422,10 @@
   allow_nr(__NR_getcwd);
   allow_nr(__NR_chdir);
   allow_nr(__NR_getdents);
+  allow_nr(__NR_getdents64);
   /* Misc */
   allow_nr(__NR_umask);
+  reject_nr(__NR_sysinfo, EPERM);
 
   /* Config-dependent items follow. */
   if (tunable_use_sendfile)
diff -Nru vsftpd-3.0.3/session.h vsftpd-3.0.5/session.h
--- vsftpd-3.0.3/session.h	2012-04-05 03:27:19.000000000 +0200
+++ vsftpd-3.0.5/session.h	2021-05-20 11:39:12.000000000 +0200
@@ -23,6 +23,7 @@
   char* p_control_line_buf;
   int idle_timeout;
   int data_timeout;
+  int prelogin_errors;
 
   /* Details of the data connection */
   int pasv_listen_fd;
diff -Nru vsftpd-3.0.3/ssl.c vsftpd-3.0.5/ssl.c
--- vsftpd-3.0.3/ssl.c	2015-07-23 06:14:04.000000000 +0200
+++ vsftpd-3.0.5/ssl.c	2021-08-02 08:24:35.000000000 +0200
@@ -38,6 +38,13 @@
 static long bio_callback(
   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
 static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+static int ssl_alpn_callback(SSL* p_ssl,
+                             const unsigned char** p_out,
+                             unsigned char* outlen,
+                             const unsigned char* p_in,
+                             unsigned int inlen,
+                             void* p_arg);
+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg);
 static int ssl_cert_digest(
   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
 static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -78,6 +85,18 @@
     {
       options |= SSL_OP_NO_TLSv1;
     }
+    if (!tunable_tlsv1_1)
+    {
+      options |= SSL_OP_NO_TLSv1_1;
+    }
+    if (!tunable_tlsv1_2)
+    {
+      options |= SSL_OP_NO_TLSv1_2;
+    }
+    if (!tunable_tlsv1_3)
+    {
+      options |= SSL_OP_NO_TLSv1_3;
+    }
     SSL_CTX_set_options(p_ctx, options);
     if (tunable_rsa_cert_file)
     {
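Review bot: `SSL_OP_NO_TLSv1_3` on the `+` lines only exists from OpenSSL 1.1.1 on, so this block no longer compiles against older OpenSSL, while the other two macros predate it; the `SSL_CTX_set_alpn_select_cb` registration in the next hunk likewise needs 1.0.2 or later. Wrapping the TLS 1.3 branch in `#ifdef SSL_OP_NO_TLSv1_3` keeps the build portable, and on OpenSSL 1.1.0+ `SSL_CTX_set_min_proto_version()` expresses the same policy without a list of negative flags. The function containing this block starts and ends outside the hunk.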
@@ -165,6 +184,12 @@
       /* Ensure cached session doesn't expire */
       SSL_CTX_set_timeout(p_ctx, INT_MAX);
     }
+    /* Set up ALPN to check for FTP protocol intention of client. */
+    SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+    /* Set up SNI callback for an optional hostname check. */
+    SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback);
+    SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess);
+
     p_sess->p_ssl_ctx = p_ctx;
     ssl_inited = 1;
   }
@@ -702,6 +727,133 @@
   return 1;
 }
 
+static int
+ssl_alpn_callback(SSL* p_ssl,
+                  const unsigned char** p_out,
+                  unsigned char* outlen,
+                  const unsigned char* p_in,
+                  unsigned int inlen,
+                  void* p_arg) {
+  unsigned int i;
+  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+  int is_ok = 0;
+
+  (void) p_ssl;
+
+  /* Initialize just in case. */
+  *p_out = p_in;
+  *outlen = 0;
+
+  for (i = 0; i < inlen; ++i) {
+    unsigned int left = (inlen - i);
+    if (left < 4) {
+      continue;
+    }
+    if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
+        p_in[i + 3] == 'p')
+    {
+      is_ok = 1;
+      *p_out = &p_in[i + 1];
+      *outlen = 3;
+      break;
+    }
+  }
+  
+  if (!is_ok)
+  {
+    str_alloc_text(&debug_str, "ALPN rejection");
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+  if (!is_ok || tunable_debug_ssl)
+  {
+    str_alloc_text(&debug_str, "ALPN data: ");
+    for (i = 0; i < inlen; ++i) {
+      str_append_char(&debug_str, p_in[i]);
+    }
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+
+  if (is_ok)
+  {
+    return SSL_TLSEXT_ERR_OK;
+  }
+  else
+  {
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+  }
+}
+
+static long
+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg)
+{
+  static struct mystr s_sni_expected_hostname;
+  static struct mystr s_sni_received_hostname;
+
+  int servername_type;
+  const char* p_sni_servername;
+  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+  int is_ok = 0;
+
+  (void) p_ssl;
+  (void) p_arg;
+
+  if (tunable_ssl_sni_hostname)
+  {
+    str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname);
+  }
+
+  /* The OpenSSL documentation says it is pre-initialized like this, but set
+   * it just in case.
+   */
+  *p_al = SSL_AD_UNRECOGNIZED_NAME;
+
+  servername_type = SSL_get_servername_type(p_ssl);
+  p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name);
+  if (p_sni_servername != NULL) {
+    str_alloc_text(&s_sni_received_hostname, p_sni_servername);
+  }
+
+  if (str_isempty(&s_sni_expected_hostname))
+  {
+    is_ok = 1;
+  }
+  else if (servername_type != TLSEXT_NAMETYPE_host_name)
+  {
+    /* Fail. */
+    str_alloc_text(&debug_str, "SNI bad type: ");
+    str_append_ulong(&debug_str, servername_type);
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+  else
+  {
+    if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname))
+    {
+      is_ok = 1;
+    }
+    else
+    {
+      str_alloc_text(&debug_str, "SNI rejection");
+      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+  }
+
+  if (!is_ok || tunable_debug_ssl)
+  {
+    str_alloc_text(&debug_str, "SNI hostname: ");
+    str_append_str(&debug_str, &s_sni_received_hostname);
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+
+  if (is_ok)
+  {
+    return SSL_TLSEXT_ERR_OK;
+  }
+  else
+  {
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+  }
+}
+
 void
 ssl_add_entropy(struct vsf_session* p_sess)
 {
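Review bot: The ALPN loop starting at `for (i = 0; i < inlen; ++i) {` looks for the byte pattern `3 'f' 't' 'p'` at every offset instead of walking the length-prefixed protocol list, so a longer protocol name that happens to contain those four bytes (e.g. `\x08ab\x03ftpxx`, constructed) is accepted as "ftp" and `*p_out` then points into the middle of that entry; stepping by `i += 1 + len` removes the false match (rewrite below). The debug branch copies raw ALPN bytes into the log with `str_append_char`, so unless `vsf_log_line` strips unprintable characters at the sink, an unauthenticated client controls the log line's contents — replacing non-printable bytes before appending would be safer. In `ssl_sni_callback`, `str_strcmp` compares case-sensitively while DNS hostnames are not, so `Example.COM` is rejected against `example.com`; if that is not intended, normalise both strings before comparing, and `(void) p_arg;` is dead after `p_arg` has already been used. Both functions also put `{` on the `if`/`for` line, unlike the Allman style of the rest of ssl.c.
```c
  /* Walk the length-prefixed protocol list rather than scanning for the
   * byte pattern at every offset: a longer name that merely contains
   * "\x03ftp" must not be accepted.
   */
  for (i = 0; i < inlen; i += 1 + p_in[i])
  {
    unsigned int len = p_in[i];
    if (len == 0 || i + 1 + len > inlen)
    {
      /* Malformed list: zero-length name or entry overruns the buffer. */
      break;
    }
    if (len == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
        p_in[i + 3] == 'p')
    {
      is_ok = 1;
      *p_out = &p_in[i + 1];
      *outlen = 3;
      break;
    }
  }
  /* … unchanged: rejection logging and return value … */
```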
diff -Nru vsftpd-3.0.3/sysstr.c vsftpd-3.0.5/sysstr.c
--- vsftpd-3.0.3/sysstr.c	2011-12-14 11:26:39.000000000 +0100
+++ vsftpd-3.0.5/sysstr.c	2021-05-18 08:50:28.000000000 +0200
@@ -74,7 +74,7 @@
 int
 str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
 {
-  enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
+  enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
   switch (mode)
   {
     case kVSFSysStrOpenReadOnly:
diff -Nru vsftpd-3.0.3/sysutil.h vsftpd-3.0.5/sysutil.h
--- vsftpd-3.0.3/sysutil.h	2012-09-16 08:13:13.000000000 +0200
+++ vsftpd-3.0.5/sysutil.h	2021-05-18 08:50:21.000000000 +0200
@@ -75,7 +75,8 @@
 /* File create/open/close etc. */
 enum EVSFSysUtilOpenMode
 {
-  kVSFSysUtilOpenReadOnly = 1,
+  kVSFSysUtilOpenUnknown = 0,
+  kVSFSysUtilOpenReadOnly,
   kVSFSysUtilOpenWriteOnly,
   kVSFSysUtilOpenReadWrite
 };
diff -Nru vsftpd-3.0.3/tunables.c vsftpd-3.0.5/tunables.c
--- vsftpd-3.0.3/tunables.c	2015-07-23 06:13:07.000000000 +0200
+++ vsftpd-3.0.5/tunables.c	2021-05-29 23:39:00.000000000 +0200
@@ -66,6 +66,9 @@
 int tunable_sslv2;
 int tunable_sslv3;
 int tunable_tlsv1;
+int tunable_tlsv1_1;
+int tunable_tlsv1_2;
+int tunable_tlsv1_3;
 int tunable_tilde_user_enable;
 int tunable_force_anon_logins_ssl;
 int tunable_force_anon_data_ssl;
@@ -142,6 +145,7 @@
 const char* tunable_rsa_private_key_file;
 const char* tunable_dsa_private_key_file;
 const char* tunable_ca_certs_file;
+const char* tunable_ssl_sni_hostname;
 
 static void install_str_setting(const char* p_value, const char** p_storage);
 
@@ -205,7 +209,10 @@
   tunable_force_local_data_ssl = 1;
   tunable_sslv2 = 0;
   tunable_sslv3 = 0;
-  tunable_tlsv1 = 1;
+  tunable_tlsv1 = 0;
+  tunable_tlsv1_1 = 0;
+  tunable_tlsv1_2 = 1;
+  tunable_tlsv1_3 = 1;
   tunable_tilde_user_enable = 0;
   tunable_force_anon_logins_ssl = 0;
   tunable_force_anon_data_ssl = 0;
@@ -288,6 +295,7 @@
   install_str_setting(0, &tunable_rsa_private_key_file);
   install_str_setting(0, &tunable_dsa_private_key_file);
   install_str_setting(0, &tunable_ca_certs_file);
+  install_str_setting(0, &tunable_ssl_sni_hostname);
 }
 
 void
diff -Nru vsftpd-3.0.3/tunables.h vsftpd-3.0.5/tunables.h
--- vsftpd-3.0.3/tunables.h	2012-03-28 05:10:39.000000000 +0200
+++ vsftpd-3.0.5/tunables.h	2021-05-29 23:38:42.000000000 +0200
@@ -66,7 +66,10 @@
 extern int tunable_force_local_data_ssl;      /* Require local data uses SSL */
 extern int tunable_sslv2;                     /* Allow SSLv2 */
 extern int tunable_sslv3;                     /* Allow SSLv3 */
-extern int tunable_tlsv1;                     /* Allow TLSv1 */
+extern int tunable_tlsv1;                     /* Allow TLSv1.0 */
+extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
+extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
+extern int tunable_tlsv1_3;                   /* Allow TLSv1.3 */
 extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
 extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
 extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
@@ -144,6 +147,7 @@
 extern const char* tunable_rsa_private_key_file;
 extern const char* tunable_dsa_private_key_file;
 extern const char* tunable_ca_certs_file;
+extern const char* tunable_ssl_sni_hostname;
 extern const char* tunable_cmds_denied;
 
 #endif /* VSF_TUNABLES_H */
diff -Nru vsftpd-3.0.3/vsf_findlibs.sh vsftpd-3.0.5/vsf_findlibs.sh
--- vsftpd-3.0.3/vsf_findlibs.sh	2012-03-28 04:17:41.000000000 +0200
+++ vsftpd-3.0.5/vsf_findlibs.sh	2021-05-18 09:14:35.000000000 +0200
@@ -48,15 +48,12 @@
 locate_library /usr/lib/libsec.sl && echo "-lsec";
 
 # Look for libcap (capabilities)
-if locate_library /lib/libcap.so.1; then
-  echo "/lib/libcap.so.1";
-elif locate_library /lib/libcap.so.2; then
-  echo "/lib/libcap.so.2";
-else
-  locate_library /usr/lib/libcap.so && echo "-lcap";
-  locate_library /lib/libcap.so && echo "-lcap";
-  locate_library /lib64/libcap.so && echo "-lcap";
-fi
+# Note that link may fail with:
+# /usr/bin/ld: cannot find -lcap
+# If the libcap-devel package isn't installed.
+locate_library /usr/lib/libcap.so && echo "-lcap";
+locate_library /lib/libcap.so && echo "-lcap";
+locate_library /lib64/libcap.so && echo "-lcap";
 
 # Solaris needs this for nanosleep()..
 locate_library /lib/libposix4.so && echo "-lposix4";
@@ -71,6 +68,8 @@
 # OpenSSL
 if find_func SSL_library_init ssl.o; then
   echo "-lssl -lcrypto";
+elif find_func SSL_new ssl.o; then
+  echo "-lssl -lcrypto";
 fi
 
 exit 0;
diff -Nru vsftpd-3.0.3/vsftpd.conf.5 vsftpd-3.0.5/vsftpd.conf.5
--- vsftpd-3.0.3/vsftpd.conf.5	2009-10-19 04:46:30.000000000 +0200
+++ vsftpd-3.0.5/vsftpd.conf.5	2021-05-30 00:46:13.000000000 +0200
@@ -479,7 +479,7 @@
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit SSL v2 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2+ connections are preferred.
 
 Default: NO
 .TP
@@ -487,15 +487,39 @@
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit SSL v3 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2+ connections are preferred.
 
 Default: NO
 .TP
 .B ssl_tlsv1
 Only applies if
 .BR ssl_enable
-is activated. If enabled, this option will permit TLS v1 protocol connections.
-TLS v1 connections are preferred.
+is activated. If enabled, this option will permit TLS v1.0 protocol connections.
+TLS v1.2+ connections are preferred.
+
+Default: NO
+.TP
+.B ssl_tlsv1_1
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+TLS v1.2+ connections are preferred.
+
+Default: NO
+.TP
+.B ssl_tlsv1_2
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+TLS v1.2+ connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_3
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.3 protocol connections.
+TLS v1.2+ connections are preferred.
 
 Default: YES
 .TP
@@ -981,6 +1005,12 @@
 
 Default: DES-CBC3-SHA
 .TP
+.B ssl_sni_hostname
+If set, SSL connections will be rejected unless the SNI hostname in the
+incoming handshakes matches this value.
+
+Default: (none)
+.TP
 .B user_config_dir
 This powerful option allows the override of any config option specified in
 the manual page, on a per-user basis. Usage is simple, and is best illustrated
diff -Nru vsftpd-3.0.3/vsftpver.h vsftpd-3.0.5/vsftpver.h
--- vsftpd-3.0.3/vsftpver.h	2015-07-21 00:07:04.000000000 +0200
+++ vsftpd-3.0.5/vsftpver.h	2021-07-31 22:08:48.000000000 +0200
@@ -1,7 +1,7 @@
 #ifndef VSF_VERSION_H
 #define VSF_VERSION_H
 
-#define VSF_VERSION "3.0.3"
+#define VSF_VERSION "3.0.5"
 
 #endif /* VSF_VERSION_H */
 
