diff --git a/.gitignore b/.gitignore index 811254b..d4e96bd 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ vsftpd-2.3.2.tar.gz /vsftpd-3.0.1.tar.gz /vsftpd-3.0.2.tar.gz /vsftpd-3.0.3.tar.gz +/vsftpd-3.0.5.tar.gz diff --git a/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/0021-Introduce-support-for-DHE-based-cipher-suites.patch index 1abe1e4..cfa23bb 100644 --- a/0021-Introduce-support-for-DHE-based-cipher-suites.patch +++ b/0021-Introduce-support-for-DHE-based-cipher-suites.patch @@ -36,14 +36,14 @@ index c362983..22b69b3 100644 #include #include -@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); +@@ -38,6 +40,7 @@ + static char* get_ssl_error(); + static SSL* get_ssl(struct vsf_session* p_sess, int fd); + static int ssl_session_init(struct vsf_session* p_sess); ++static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); + static void setup_bio_callbacks(); static long bio_callback( BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); -+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); - static int ssl_cert_digest( - SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); - static void maybe_log_shutdown_state(struct vsf_session* p_sess); @@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess, static int ssl_inited; static struct mystr debug_str; @@ -140,18 +140,18 @@ index c362983..22b69b3 100644 if (tunable_ssl_ciphers && SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) { -@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess) +@@ -184,6 +260,9 @@ /* Ensure cached session doesn't expire */ SSL_CTX_set_timeout(p_ctx, INT_MAX); } -+ ++ + SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); + - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; + /* Set up ALPN to check for FTP protocol intention of client. */ + SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); + /* Set up SNI callback for an optional hostname check. */ +@@ -854,6 +933,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx) } -@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx) - return 1; } +#define UNUSED(x) ( (void)(x) ) @@ -162,7 +162,7 @@ index c362983..22b69b3 100644 + // strict compiler bypassing + UNUSED(ssl); + UNUSED(is_export); -+ ++ + return DH_get_dh(keylength); +} + diff --git a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch index 1428b86..9cb56cd 100644 --- a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +++ b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch @@ -36,8 +36,8 @@ index 22b69b3..96bf8ad 100644 if (!tunable_sslv2) { options |= SSL_OP_NO_SSLv2; -@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess) - +@@ -244,6 +244,41 @@ + SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); + if (tunable_ecdh_param_file) @@ -75,9 +75,9 @@ index 22b69b3..96bf8ad 100644 +#endif + } + - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; - } + /* Set up ALPN to check for FTP protocol intention of client. */ + SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); + /* Set up SNI callback for an optional hostname check. */ diff --git a/tunables.c b/tunables.c index 1ea7227..93f85b1 100644 --- a/tunables.c diff --git a/0025-Improve-local_max_rate-option.patch b/0025-Improve-local_max_rate-option.patch index e78f825..2c74c7a 100644 --- a/0025-Improve-local_max_rate-option.patch +++ b/0025-Improve-local_max_rate-option.patch @@ -60,9 +60,9 @@ diff --git a/main.c b/main.c index eaba265..f1e2f69 100644 --- a/main.c +++ b/main.c -@@ -40,7 +40,7 @@ main(int argc, const char* argv[]) +@@ -40,7 +40,7 @@ /* Control connection */ - 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, /* Data connection */ - -1, 0, -1, 0, 0, 0, 0, + -1, 0, -1, 0, 0, 0, 0, 0, diff --git a/0040-Use-system-wide-crypto-policy.patch b/0040-Use-system-wide-crypto-policy.patch index f59ba2b..940a5b2 100644 --- a/0040-Use-system-wide-crypto-policy.patch +++ b/0040-Use-system-wide-crypto-policy.patch @@ -3,7 +3,7 @@ From: Martin Sehnoutka Date: Tue, 29 Aug 2017 10:32:16 +0200 Subject: [PATCH 40/59] Use system wide crypto policy -Resolves: rhbz#1483970 +Resolves: rhbz# --- tunables.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) @@ -16,8 +16,8 @@ index 5440c00..354251c 100644 install_str_setting(0, &tunable_dsa_cert_file); install_str_setting(0, &tunable_dh_param_file); install_str_setting(0, &tunable_ecdh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", -- &tunable_ssl_ciphers); +- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", +- &tunable_ssl_ciphers); + install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_dsa_private_key_file); diff --git a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch index 8b26c7b..93e2ce8 100644 --- a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch +++ b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch @@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644 security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with. --Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 +-Default: DES-CBC3-SHA +By default, the system-wide crypto policy is used. See +.BR update-crypto-policies(8) +for further details. + +Default: PROFILE=SYSTEM .TP - .B user_config_dir - This powerful option allows the override of any config option specified in + .B ssl_sni_hostname + If set, SSL connections will be rejected unless the SNI hostname in the -- 2.14.4 diff --git a/fix-str_open.patch b/fix-str_open.patch index eef52ec..e5d5bd9 100644 --- a/fix-str_open.patch +++ b/fix-str_open.patch @@ -1,11 +1,10 @@ -diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c ---- vsftpd-3.0.3.orig/sysstr.c 2020-11-17 09:47:03.872923383 +0100 -+++ vsftpd-3.0.3/sysstr.c 2020-11-17 09:48:41.219754145 +0100 +--- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200 ++++ sysstr.c 2022-07-27 09:54:24.043081352 +0200 @@ -74,19 +74,11 @@ int str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode) { -- enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown; +- enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown; - switch (mode) - { - case kVSFSysStrOpenReadOnly: diff --git a/sources b/sources index 73f8cf5..e0f928f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7 +SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee diff --git a/vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch b/vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch similarity index 100% rename from vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch rename to vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch diff --git a/vsftpd.spec b/vsftpd.spec index ab63318..18f9361 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -1,8 +1,8 @@ %global _generatorsdir %{_prefix}/lib/systemd/system-generators Name: vsftpd -Version: 3.0.3 -Release: 51%{?dist} +Version: 3.0.5 +Release: 1%{?dist} Summary: Very Secure Ftp Daemon # OpenSSL link exception @@ -61,7 +61,7 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch -Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch +#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch @@ -70,8 +70,8 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch Patch40: 0040-Use-system-wide-crypto-policy.patch Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch -Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch -Patch43: 0043-Enable-only-TLSv1.2-by-default.patch +#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch +#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch @@ -97,10 +97,8 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch Patch68: 0002-Drop-an-unused-global-variable.patch Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch Patch70: fix-str_open.patch +Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch # upstream commits 56402c0, 8b82e73 -Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch -Patch72: vsftpd-3.0.3-ALPACA.patch -Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch %description vsftpd is a Very Secure FTP daemon. It was written completely from @@ -172,6 +170,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub %{_var}/ftp %changelog +* Thu Jul 28 2022 Richard Lescak 3.0.5-1 +- rebase to version 3.0.5 + * Sat Jul 23 2022 Fedora Release Engineering - 3.0.3-51 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild