Public bug reported:

According to testssl (from https://testssl.sh/testssl.sh) vsftpd is
vulnerable to heartbleed, with no obvious way (in the config) to secure
it:

testssl@will:~$ ./testssl.sh -t ftp lll.lu:21       
...
 Heartbleed (CVE-2014-0160)                VULNERABLE (NOT ok)

Or is this a shortcoming of the testssl script, which reports a
vulnerability where there is none? If this is the case, could anybody
explain how the error happens, so that we can get testssl fixed?


1) root@lll:~# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
2) root@lll:~# apt-cache policy vsftpd
vsftpd:
  Installed: 3.0.2-1ubuntu2.14.04.1
  Candidate: 3.0.2-1ubuntu2.14.04.1
  Version table:
 *** 3.0.2-1ubuntu2.14.04.1 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-1ubuntu2 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

3) What I expected to happen
 Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)

4) What did happen
 Heartbleed (CVE-2014-0160)                VULNERABLE (NOT ok)

** Affects: vsftpd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1591552

Title:
  vsftpd vulnerable to heartbleed (according to testssl)
