2018-07-04 15:40:45 by Jonathan Perkin | Files touched by this commit (423) |
Log message:
*: Move SUBST_STAGE from post-patch to pre-configure
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
|
2018-02-09 17:46:42 by =?UTF-8?B?RnLDqWTDqXJpYyBGYXViZXJ0ZWF1?= | Files touched by this commit (7) | |
Log message:
vsftpd: updated to 3.0.3
v2.3.5
======
- Try and force glibc to cache zoneinfo files in an attempt to work around
glibc parsing vulnerability. Thanks to Kingcope.
- Only report CHMOD in SITE HELP if it's enabled. Thanks to Martin Schwenke
<martin@meltin.net>.
- Some simple fixes and cleanups from Thorsten Brehm <tbrehm@dspace.de>.
- Only advertise "AUTH SSL" if one of SSLv2, SSLv3 is enabled. Thanks to
steve willing <eiji-gravion@hotmail.com>.
- Handle connect() failures properly. Thanks to Takayuki Nagata
<tnagata@redhat.com>.
- Add stronger checks for the configuration error of running with a writeable
root directory inside a chroot(). This may bite people who carelessly turned
on chroot_local_user but such is life.
v3.0.0
======
- Update vsf_findlibs.sh to work on Ubuntu 11.10+
- Make listen mode the default.
- Add -Werror to build flags.
- Fix missing "const" in ssl.c
- Add seccompsandbox.c to support a seccomp filter sandbox; works against Ubuntu
12.04 ABI.
- Rearrange ftppolicy.c a bit so the syscall list is easily comparable with
seccompsandbox.c
- Rename deprecated "sandbox" to "ptrace_sandbox".
- Add a few more state checks to the privileged helper processes.
- Add tunable "seccomp_sandbox", default on.
- Use hardened build flags. Distros of course override these and provide their
own build flags but no harm in showing how it could be done.
- Retry creating a PASV socket upon port reuse race between bind() and listen(),
patch from Ralph Wuerthner <ralph.wuerthner@de.ibm.com>.
- Don't die() if recv() indicates a closed remote connection. Problem report
on a Windows client from Herbert van den Bergh,
<herbert.van.den.bergh@oracle.com>.
- Add new config setting "allow_writeable_chroot" to help people in a \
bit of
a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
- Remove a couple of fixed things from BUGS.
- strlen() trunction fix -- no particular impact.
- Apply some tidyups from mmoufid@yorku.ca.
(vsftpd-3.0.0-pre1)
- Fix delete_failed_uploads if there is a timeout. Report from Alejandro
Hernández Hdez <aalejandrohdez@gmail.com>.
- Fix other data channel bugs such as failure to log failure upon timeout.
- Use exit codes a bit more consistently.
- Fix bad interaction between SSL and trans_chunk_size.
- Redo data timeout to fire properly for SSL sessions.
- Redo idle timeout to fire properly for SSL sessions.
- Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
- Use 10 minutes as a max linger time just in case an alarm gets lost.
(vsftpd-3.0.0-pre2)
- Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
- Add AES128-SHA to default SSL cipher suites for FileZilla compatibility.
Unfortunately the default vsftpd SSL confiuration still doesn't fully work
with FileZilla, because FileZilla has a data connection security problem:
no client certificate presentation and no session reuse. At least the error
message is now very clear.
- Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst
a data transfer is in progress.
- Fix delete_failed_uploads for anonymous sessions.
- Don't listen for urgent data if the control connection is SSL, due to possible
protocol synchronization issues.
v3.0.1
======
- Fix some seccomp related build errors on certain CentOS and Debian versions.
- Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort()
opens and maps /proc/meminfo but only for larger item counts?
- Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
- Fix various NULL crashes with nonsensical config settings. Noted by Tianyin Xu
<tixu@cs.ucsd.edu>.
- Force cast to unsigned char in is* char functions.
- Fix harmless integer issues in strlist.c.
- Started on a (possibly ill-advised?) crusade to compile cleanly with
Wconversion. Decided to suspend the effort half-way through.
v3.0.2
======
- One more seccomp policy fix: mremap (denied).
- Support STOU with no filename, uses a STOU. prefix.
v3.0.3
======
- Increase VSFTP_AS_LIMIT to 200MB; various reports.
- Make the PWD response more RFC compliant; report from Barry Kelly
<barry@modeltwozero.com>.
- Remove the trailing period from EPSV response to work around BT Internet
issues; report from Tim Bishop <tdb@mirrorservice.org>.
- Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
<mvyskocil@suse.cz>. At least, syslogging seems to work on my Fedora now.
- Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
probably have a different distro / libc / etc. and there are multiple reports.
- Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
this case gracefully. Report from Vasily Averin <vvs@odin.com>.
- List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
- Make some compile-time SSL defaults (such as correct client shutdown
handling) stricter.
- Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
delays. From Tim Kosse <tim.kosse@filezilla-project.org>.
- Kill the FTP session if we see HTTP protocol commands, to avoid
cross-protocol attacks. A report from Jann Horn <jann@thejh.net>.
- Kill the FTP session if we see session re-use failure. A report from
Tim Kosse <tim.kosse@filezilla-project.org>.
(vsftpd-3.0.3pre1)
- Enable ECDHE, Tim Kosse <tim.kosse@filezilla-project.org>.
- Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
- Minor SSL logging improvements.
- Un-default tunable_strict_ssl_write_shutdown again. We still have
tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
upload integrity.
(vsftpd-3.0.3pre2)
|
2016-04-12 10:07:50 by Thomas Klausner | Files touched by this commit (1) |
Log message:
No reason to have MASTER_SITE_LOCAL here, there's a valid upstream.
|
2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) |
Log message:
Bump PKGREVISION for security/openssl ABI bump.
|
2015-11-04 01:35:47 by Alistair G. Crooks | Files touched by this commit (748) |
Log message:
Add SHA512 digests for distfiles for net category
Problems found with existing digests:
Package haproxy distfile haproxy-1.5.14.tar.gz
159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]
Problems found locating distfiles:
Package bsddip: missing distfile bsddip-1.02.tar.Z
Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
Package djbdns: missing distfile djbdns-cachestats.patch
Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
Package gated: missing distfile gated-3-5-11.tar.gz
Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
Package poink: missing distfile poink-1.6.tar.gz
Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
Package waste: missing distfile waste-source.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
|
2014-10-12 12:25:05 by David Brownlee | Files touched by this commit (2) |
Log message:
Enable ssl by default, bump PKGREVISION
|
2014-03-11 15:05:19 by Jonathan Perkin | Files touched by this commit (350) |
Log message:
Remove example rc.d scripts from PLISTs.
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
|
2014-02-13 00:18:57 by Matthias Scheler | Files touched by this commit (1568) |
Log message:
Recursive PKGREVISION bump for OpenSSL API version bump.
|
2013-07-12 12:45:05 by Jonathan Perkin | Files touched by this commit (181) |
Log message:
Bump PKGREVISION of all packages which create users, to pick up change of
sysutils/user_* packages.
|
2013-07-05 16:47:41 by Jonathan Perkin | Files touched by this commit (1) |
Log message:
Build fix for SunOS >= 5.11.
|