SUSE-RU-2022:0655-1: moderate: Recommended update for vsftpd

sle-updates at lists.suse.com
Wed Mar 2 14:22:56 UTC 2022


   SUSE Recommended Update: Recommended update for vsftpd
______________________________________________________________________________

Announcement ID:    SUSE-RU-2022:0655-1
Rating:             moderate
References:         #1042673 #1070653 #1083705 #1089088 #1125951 
                    #1144062 #1179553 #1180314 #1181400 #1187188 
                    #786024 
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that has 11 recommended fixes can now be
   installed.

Description:

   This update for vsftpd fixes the following issues:

   This update enables vsftpd to speak TLS 1.3 in ssl FTP mode by linking
   against openssl 1.1.1.

   Bugfixes added:

   - Fixed a seccomp failure in FIPS mode when SSL was enabled. [bsc#1052900]
   - Allow stat() to be called, which is required during SSL initialization
     by RAND_load_file().
   - Allow wait4() to be called so that the broker can wait for its child
     processes. [bsc#1021387]
   - Revert the "ssl_tlsv1_X"-style config file options back to their
     original spelling. The change that dropped the underscore from the
     version numbers in release 3.0.4 breaks existing configurations and
     was never documented anywhere -- not in the package's changelog and not
     in the package's own man page.
   - vsftpd follows the system-wide TLS cipher policy "DEFAULT_SUSE" by
     default. Run the command "openssl ciphers -v DEFAULT_SUSE" to see which
     ciphers this includes.
   - Allow the sendto() syscall when /dev/log support is enabled. [bsc#786024]
   - Allow sendto() to be called from check_limits(), which is necessary for
     vsftpd to write to the system log.
   - Added hardening to systemd service(s). [bsc#1181400]

   Update to version 3.0.5:

   * Fix ALPN callback to correctly select the 'ftp' string if present. Works
     with FileZilla-3.55.0.
   * Fix a couple of seccomp policy issues with Fedora 34.

   Update to version 3.0.4:

   * Fix runtime SIGSYS crashes (seccomp sandbox policy tweaks).
   * Reject HTTP verbs pre-login.
   * Disable TLS prior to v1.2 by default.
   * Close the control connection after 10 unknown commands pre-login.
   * Reject any TLS ALPN advertisement that's not 'ftp'.
   * Add ssl_sni_hostname option to require a match on incoming SNI hostname.
   * The options "ssl_tlsv1_1", "ssl_tlsv1_2", and "ssl_tlsv1_3" have been
     renamed to "ssl_tlsv11", "ssl_tlsv12", and "ssl_tlsv13" respectively.
     Note that the man page has not been updated accordingly.
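   The two spellings above matter in practice: a vsftpd.conf written for upstream 3.0.4 uses "ssl_tlsv12", while the SUSE package has reverted to "ssl_tlsv1_2". The following audit script is an added example, not part of this advisory or of vsftpd; it assumes that after the revert only the ssl_tlsv1_X spelling is accepted, and it also flags settings that re-enable TLS older than 1.2, which 3.0.4 disables by default. The sample config it checks is constructed.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or of vsftpd itself.
# Audits a vsftpd.conf for (a) the upstream 3.0.4 spellings ssl_tlsv11/12/13
# (assumed not to be accepted by the reverted SUSE package) and (b) settings
# that re-enable TLS older than 1.2, which 3.0.4 turns off by default.

# Map an upstream-3.0.4 option name to the spelling the SUSE package accepts.
suse_spelling() {
  case "$1" in
    ssl_tlsv11) echo ssl_tlsv1_1 ;;
    ssl_tlsv12) echo ssl_tlsv1_2 ;;
    ssl_tlsv13) echo ssl_tlsv1_3 ;;
    *)          echo "$1" ;;
  esac
}

# Print one finding per line; return 0 if clean, 1 otherwise (keys matched
# exactly, no whitespace trimming around "=").
audit_vsftpd_conf() {
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}
    val=${line#*=}
    case "$key" in
      ssl_tlsv11|ssl_tlsv12|ssl_tlsv13)
        printf 'RENAME %s=%s -> %s=%s\n' "$key" "$val" "$(suse_spelling "$key")" "$val"
        found=1 ;;
      ssl_tlsv1|ssl_tlsv1_1)
        if [ "$val" = YES ]; then
          printf 'WEAK   %s=YES re-enables TLS older than 1.2\n' "$key"
          found=1
        fi ;;
    esac
  done < "$1"
  return $found
}

# Emit the config with the option names rewritten to the SUSE spelling.
fix_vsftpd_conf() {
  sed -e 's/^ssl_tlsv11=/ssl_tlsv1_1=/' \
      -e 's/^ssl_tlsv12=/ssl_tlsv1_2=/' \
      -e 's/^ssl_tlsv13=/ssl_tlsv1_3=/' "$1"
}

# Constructed sample: one weak setting and two options in the 3.0.4 spelling.
SAMPLE=$(mktemp)
printf '%s\n' '# constructed vsftpd.conf fragment' 'ssl_enable=YES' \
  'ssl_tlsv1=YES' 'ssl_tlsv12=YES' 'ssl_tlsv13=NO' > "$SAMPLE"
audit_vsftpd_conf "$SAMPLE" || echo "fix with: fix_vsftpd_conf $SAMPLE"
```

   Run it against /etc/vsftpd.conf before applying the update; a RENAME finding means the daemon would otherwise start without the intended TLS version restriction.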

   - OpenSSL was updated to version 1.1.1 in SLE-15-SP2, adding support for
     the TLSv1.3 protocol. As a consequence, some SLE-15 applications that
     link OpenSSL for TLS support, such as vsftpd, gained the ability to
     use the newer TLS protocol, which created interoperability problems with
     FTP clients in some cases. To remedy the situation,
     "0001-Introduce-TLSv1.3-option.patch" was applied in a forked SLE-15-SP2
     version of vsftpd. The patch adds the configuration option "ssl_tlsv1_3"
     that system administrators can use to disable TLSv1.3 support on their
     servers. [bsc#1187188]

   - Allow the getdents64() syscall in the seccomp sandbox. [bsc#1179553]
   - Add pam_keyinit.so to the PAM config file. [bsc#1144062]
   - Fixed a segmentation fault that occurred while trying to write to an
     invalid TLS context. [bsc#1125951]
   - Enable the wait4(), sysinfo(), and shutdown() syscalls in the seccomp
     sandbox. These are required for the daemon to work properly on SLE-15.
     [bsc#1089088, bsc#1180314]
   - Add a firewalld service file. [bsc#1083705]
   - Make sure to also require group nobody and user ftp. [bsc#1070653]
   - Fixed an interoperability issue with various FTP clients that arose when
     vsftpd was configured with the option "use_localtime=YES". It is fine to
     use local time stamps in directory listings, but responding to MDTM
     commands with any time zone other than UTC directly violates RFC 3659
     and leads FTP clients to misinterpret the file's time stamp.
     [bsc#1024961]

   - Conditionally install the xinetd service only on older releases.
     * On current distributions the same functionality is provided via
       systemd socket activation.
   - Fix build against OpenSSL 1.1. [bsc#1042673]

   - Version bump to 3.0.3:

   * Increase VSFTP_AS_LIMIT to 200MB; various reports.
   * Make the PWD response more RFC compliant; report from Barry Kelly
     <barry at modeltwozero.com>.
   * Remove the trailing period from EPSV response to work around BT Internet
     issues; report from Tim Bishop <tdb at mirrorservice.org>.
   * Fix syslog_enable issues vs. seccomp filtering. Report from Michal
     Vyskocil <mvyskocil at suse.cz>. At least, syslogging seems to work on my
     Fedora now.
   * Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but
     I probably have a different distro / libc / etc. and there are multiple
     reports.
   * Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so
     handle this case gracefully. Report from Vasily Averin <vvs at odin.com>.
   * List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
   * Make some compile-time SSL defaults (such as correct client shutdown
     handling) stricter.
   * Disable Nagle algorithm during SSL data connection shutdown, to avoid
     200ms delays. From Tim Kosse <tim.kosse at filezilla-project.org>.
   * Kill the FTP session if we see HTTP protocol commands, to avoid
     cross-protocol attacks. A report from Jann Horn <jann at thejh.net>.
   * Kill the FTP session if we see session re-use failure. A report from Tim
     Kosse <tim.kosse at filezilla-project.org>.
   * Enable ECDHE, Tim Kosse <tim.kosse at filezilla-project.org>.
   * Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
   * Minor SSL logging improvements.
   * Un-default tunable_strict_ssl_write_shutdown again. We still have
     tunable_strict_ssl_read_eof defaulted now, which is the important one to
     prove upload integrity.


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-655=1



Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      vsftpd-3.0.5-48.3.1
      vsftpd-debuginfo-3.0.5-48.3.1
      vsftpd-debugsource-3.0.5-48.3.1


References:

   https://bugzilla.suse.com/1042673
   https://bugzilla.suse.com/1070653
   https://bugzilla.suse.com/1083705
   https://bugzilla.suse.com/1089088
   https://bugzilla.suse.com/1125951
   https://bugzilla.suse.com/1144062
   https://bugzilla.suse.com/1179553
   https://bugzilla.suse.com/1180314
   https://bugzilla.suse.com/1181400
   https://bugzilla.suse.com/1187188
   https://bugzilla.suse.com/786024


