Public bug reported:

According to testssl (from https://testssl.sh/testssl.sh) vsftpd is vulnerable to heartbleed, with no obvious way (in the config) to secure it:

testssl@will:~$ ./testssl.sh -t ftp lll.lu:21
...
Heartbleed (CVE-2014-0160)                VULNERABLE (NOT ok)

Or is this a shortcoming of the testssl script, which reports a vulnerability where there is none? If this is the case, could anybody explain how the error happens, so that we can get testssl fixed?

1) root@lll:~# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04

2) root@lll:~# apt-cache policy vsftpd
vsftpd:
  Installed: 3.0.2-1ubuntu2.14.04.1
  Candidate: 3.0.2-1ubuntu2.14.04.1
  Version table:
 *** 3.0.2-1ubuntu2.14.04.1 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-1ubuntu2 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

3) What I expected to happen
Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)

4) What did happen
Heartbleed (CVE-2014-0160)                VULNERABLE (NOT ok)

** Affects: vsftpd (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/1591552

Title:
  vsftpd vulnerable to heartbleed (according to testssl)

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs