Current vsftpd builds are still lacking ssl_tlsv1_[123] options

Bug #1804430 reported by Markus Ueberall
This bug affects 4 people
Affects: vsftpd (Ubuntu) | Status: Fix Released | Importance: Wishlist | Assigned to: Unassigned | Milestone: (none)

Bug Description

Fedora introduced "ssl_tlsv1_[12]" options more than two years ago (as part of their "0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch", see https://marc.info/?l=fedora-extras-commits&m=148062086205518&w=2).

It "would be nice" if this could eventually be adopted in order to stay compliant with, e.g., the current PCI DSS requirements. At one point, this has to be considered a security vulnerability.


Markus Ueberall (ueberall) wrote :

Addendum:
  * The Fedora patch(es) is/are contained in the .src.rpms which are available here: https://rpms.remirepo.net/rpmphp/zoom.php?rpm=vsftpd
  * In order to quickly view individual changes, see here: https://src.fedoraproject.org/cgit/rpms/vsftpd.git/log/

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Please report the vsftpd packaging version numbers and Ubuntu releases affected. In other words, I need to know exactly what you mean by "Current vsftpd builds".

Changed in vsftpd (Ubuntu):
status: New → Incomplete
importance: Undecided → Wishlist
Markus Ueberall (ueberall) wrote :

Robie, "Current vsftpd builds" refers to *all* available packages atm; according to https://launchpad.net/ubuntu/+source/vsftpd, these are
  - v3.0.3-11 (Disco Dingo, Cosmic Cuttlefish)
  - v3.0.3-9build1 (Bionic Beaver)
  - v3.0.3-3ubuntu2 (Xenial Xerus)
  - v3.0.2-1ubuntu2.14.04.1 (Trusty Tahr)
  - v2.3.5-1ubuntu2 (Precise Pangolin)

(Re-verified just now by inspecting the contents/patches of all vsftpd_*.debian.tar.* archives using grep -i "TLSv1", i.e., they do not alter the original upstream code which never contained said "tlsv1_[12]" options.)

Changed in vsftpd (Ubuntu):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in vsftpd (Ubuntu):
status: New → Confirmed
Christian Ehrhardt (paelzer) wrote :

Yeah, upstream releases rarely (2015 was the last), and while [1] is public, the source [2] seems to be behind some login.

There also is a longer list of accrued bugs in Debian [3].

The particular issue reported here these days is fixed in [4][5][6] but I've not seen TLSv1.3 there.

Maybe more of [7] is worth a check to be included, and vsftpd is worth some attention.

[1]: https://security.appspot.com/vsftpd.html
[2]: https://security.appspot.com/vsftpd.html#docs
[3]: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=yes&src=vsftpd
[4]: https://src.fedoraproject.org/rpms/vsftpd/blob/master/f/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
[5]: https://src.fedoraproject.org/rpms/vsftpd/blob/master/f/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
[6]: https://src.fedoraproject.org/rpms/vsftpd/blob/master/f/0043-Enable-only-TLSv1.2-by-default.patch
[7]: https://src.fedoraproject.org/rpms/vsftpd/tree/master

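The Fedora patches linked above add per-version switches and make TLSv1.2 the only version enabled by default. As an added example (not from this thread, Fedora or vsftpd), the POSIX shell check below reads a vsftpd.conf and reports which protocol versions it leaves enabled, so an operator can see whether a given configuration would pass the PCI DSS requirement the reporter mentions. Assumptions: the option names ssl_enable, ssl_sslv2, ssl_sslv3 and ssl_tlsv1 with their documented defaults (NO, NO, NO, YES) come from vsftpd's own configuration reference; ssl_tlsv1_1, ssl_tlsv1_2 and ssl_tlsv1_3 are the options discussed in this bug and are assumed to be honoured only by a build that carries the fix (the Fedora patches or the 3.0.5 package), with NO as the assumed default when they are absent.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the TLS/SSL protocol versions it allows.
# Not code from the bug thread, Fedora or vsftpd upstream.

# Effective value of one boolean option. vsftpd syntax is strictly "option=value"
# (no spaces), '#' lines are comments, the last occurrence wins, and boolean
# values YES/TRUE/1 and NO/FALSE/0 are accepted case-insensitively.
vsftpd_opt() {
    _file=$1 _key=$2 _default=$3
    _val=$(grep "^${_key}=" "$_file" | tail -n 1 | cut -d= -f2- | tr '[:lower:]' '[:upper:]')
    case "$_val" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        '') echo "$_default" ;;
        *) echo "$_val" ;;
    esac
}

# Exit 0 when only TLSv1.2/TLSv1.3 are enabled, 1 otherwise; prints the finding.
vsftpd_tls_audit() {
    _conf=$1
    if [ "$(vsftpd_opt "$_conf" ssl_enable NO)" != YES ]; then
        echo "$_conf: ssl_enable is not YES, FTP over TLS is off entirely"
        return 1
    fi
    _weak=""
    # Legacy switches with vsftpd's documented defaults: ssl_tlsv1 is ON unless disabled.
    for _pair in ssl_sslv2:NO ssl_sslv3:NO ssl_tlsv1:YES; do
        _key=${_pair%%:*}
        _def=${_pair#*:}
        if [ "$(vsftpd_opt "$_conf" "$_key" "$_def")" = YES ]; then
            _weak="$_weak $_key"
        fi
    done
    # TLSv1.1 is also retired by PCI DSS; option from the Fedora patch, assumed default NO.
    if [ "$(vsftpd_opt "$_conf" ssl_tlsv1_1 NO)" = YES ]; then
        _weak="$_weak ssl_tlsv1_1"
    fi
    _strong=""
    for _key in ssl_tlsv1_2 ssl_tlsv1_3; do
        if [ "$(vsftpd_opt "$_conf" "$_key" NO)" = YES ]; then
            _strong="$_strong $_key"
        fi
    done
    if [ -n "$_weak" ]; then
        echo "$_conf: WEAK protocol versions enabled:$_weak"
        return 1
    fi
    if [ -z "$_strong" ]; then
        echo "$_conf: neither ssl_tlsv1_2 nor ssl_tlsv1_3 enabled (build may lack these options)"
        return 1
    fi
    echo "$_conf: OK, only$_strong enabled"
    return 0
}

# Usage: sh vsftpd_tls_audit.sh /etc/vsftpd.conf
if [ $# -gt 0 ]; then
    vsftpd_tls_audit "$1"
fi
```

On an unpatched build the "neither ssl_tlsv1_2 nor ssl_tlsv1_3" finding is the expected outcome: the only way to avoid TLSv1.0 there is ssl_tlsv1=NO, which switches TLS off entirely, which is exactly why the missing options matter. Note that the script inspects the configuration file only; it does not probe the running daemon.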
Paride Legovini (paride) wrote :

Marking this as Triaged as it's going to be fixed by Sergio's branch packaging v3.0.5.

Changed in vsftpd (Ubuntu):
status: Confirmed → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vsftpd - 3.0.5-0ubuntu1

---------------
vsftpd (3.0.5-0ubuntu1) jammy; urgency=medium

  * New upstream release: 3.0.5 (LP: #1960837, #1804430)
  * d/p: Refresh patches against new upstream release.

 -- Sergio Durigan Junior <email address hidden> Wed, 23 Feb 2022 13:31:08 -0500

Changed in vsftpd (Ubuntu):
status: Triaged → Fix Released