rpms/vsftpd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

rebase to version 3.0.5

Browse Source
This commit is contained in:
Richard Lescak 2022-07-29 20:10:46 +02:00
parent b7d0384436
commit 63f4fa04b2
10 changed files with 40 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -6,3 +6,4 @@ vsftpd-2.3.2.tar.gz
/vsftpd-3.0.1.tar.gz /vsftpd-3.0.1.tar.gz
/vsftpd-3.0.2.tar.gz /vsftpd-3.0.2.tar.gz
/vsftpd-3.0.3.tar.gz /vsftpd-3.0.3.tar.gz
/vsftpd-3.0.5.tar.gz

22
0021-Introduce-support-for-DHE-based-cipher-suites.patch
View File

@ -36,14 +36,14 @@ index c362983..22b69b3 100644
#include <errno.h> #include <errno.h>
#include <limits.h> #include <limits.h>
@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); @@ -38,6 +40,7 @@
static char* get_ssl_error();
static SSL* get_ssl(struct vsf_session* p_sess, int fd);
static int ssl_session_init(struct vsf_session* p_sess);
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
static void setup_bio_callbacks();
static long bio_callback( static long bio_callback(
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
static int ssl_cert_digest(
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess, @@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
static int ssl_inited; static int ssl_inited;
static struct mystr debug_str; static struct mystr debug_str;
@ -140,18 +140,18 @@ index c362983..22b69b3 100644
if (tunable_ssl_ciphers && if (tunable_ssl_ciphers &&
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
{ {
@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess) @@ -184,6 +260,9 @@
/* Ensure cached session doesn't expire */ /* Ensure cached session doesn't expire */
SSL_CTX_set_timeout(p_ctx, INT_MAX); SSL_CTX_set_timeout(p_ctx, INT_MAX);
} }
+ +
+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); + SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
+ +
p_sess->p_ssl_ctx = p_ctx; /* Set up ALPN to check for FTP protocol intention of client. */
ssl_inited = 1; SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
/* Set up SNI callback for an optional hostname check. */
@@ -854,6 +933,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
} }
@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
return 1;
} }
+#define UNUSED(x) ( (void)(x) ) +#define UNUSED(x) ( (void)(x) )

8
0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
View File

@ -36,7 +36,7 @@ index 22b69b3..96bf8ad 100644
if (!tunable_sslv2) if (!tunable_sslv2)
{ {
options |= SSL_OP_NO_SSLv2; options |= SSL_OP_NO_SSLv2;
@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess) @@ -244,6 +244,41 @@
SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
@ -75,9 +75,9 @@ index 22b69b3..96bf8ad 100644
+#endif +#endif
+ } + }
+ +
p_sess->p_ssl_ctx = p_ctx; /* Set up ALPN to check for FTP protocol intention of client. */
ssl_inited = 1; SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
} /* Set up SNI callback for an optional hostname check. */
diff --git a/tunables.c b/tunables.c diff --git a/tunables.c b/tunables.c
index 1ea7227..93f85b1 100644 index 1ea7227..93f85b1 100644
--- a/tunables.c --- a/tunables.c

4
0025-Improve-local_max_rate-option.patch
View File

@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
index eaba265..f1e2f69 100644 index eaba265..f1e2f69 100644
--- a/main.c --- a/main.c
+++ b/main.c +++ b/main.c
@@ -40,7 +40,7 @@ main(int argc, const char* argv[]) @@ -40,7 +40,7 @@
/* Control connection */ /* Control connection */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
/* Data connection */ /* Data connection */
- -1, 0, -1, 0, 0, 0, 0, - -1, 0, -1, 0, 0, 0, 0,
+ -1, 0, -1, 0, 0, 0, 0, 0, + -1, 0, -1, 0, 0, 0, 0, 0,

4
0040-Use-system-wide-crypto-policy.patch
View File

@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 29 Aug 2017 10:32:16 +0200 Date: Tue, 29 Aug 2017 10:32:16 +0200
Subject: [PATCH 40/59] Use system wide crypto policy Subject: [PATCH 40/59] Use system wide crypto policy
Resolves: rhbz#1483970 Resolves: rhbz#
--- ---
tunables.c | 3 +-- tunables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-) 1 file changed, 1 insertion(+), 2 deletions(-)
@ -16,7 +16,7 @@ index 5440c00..354251c 100644
install_str_setting(0, &tunable_dsa_cert_file); install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting(0, &tunable_dh_param_file); install_str_setting(0, &tunable_dh_param_file);
install_str_setting(0, &tunable_ecdh_param_file); install_str_setting(0, &tunable_ecdh_param_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", - install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
- &tunable_ssl_ciphers); - &tunable_ssl_ciphers);
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); + install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_rsa_private_key_file);

6
0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
View File

@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
security precaution as it prevents malicious remote parties forcing a cipher security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with. which they have found problems with.
-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 -Default: DES-CBC3-SHA
+By default, the system-wide crypto policy is used. See +By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8) +.BR update-crypto-policies(8)
+for further details. +for further details.
+ +
+Default: PROFILE=SYSTEM +Default: PROFILE=SYSTEM
.TP .TP
.B user_config_dir .B ssl_sni_hostname
This powerful option allows the override of any config option specified in If set, SSL connections will be rejected unless the SNI hostname in the
-- --
2.14.4 2.14.4

7
fix-str_open.patch
View File

@ -1,11 +1,10 @@
diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c --- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200
--- vsftpd-3.0.3.orig/sysstr.c 2020-11-17 09:47:03.872923383 +0100 +++ sysstr.c 2022-07-27 09:54:24.043081352 +0200
+++ vsftpd-3.0.3/sysstr.c 2020-11-17 09:48:41.219754145 +0100
@@ -74,19 +74,11 @@ @@ -74,19 +74,11 @@
int int
str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode) str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
{ {
- enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown; - enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
- switch (mode) - switch (mode)
- { - {
- case kVSFSysStrOpenReadOnly: - case kVSFSysStrOpenReadOnly:

2
sources
View File

@ -1 +1 @@
SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7 SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee

0
vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch → vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
View File

17
vsftpd.spec
View File

@ -1,8 +1,8 @@
%global _generatorsdir %{_prefix}/lib/systemd/system-generators %global _generatorsdir %{_prefix}/lib/systemd/system-generators
Name: vsftpd Name: vsftpd
Version: 3.0.3 Version: 3.0.5
Release: 51%{?dist} Release: 1%{?dist}
Summary: Very Secure Ftp Daemon Summary: Very Secure Ftp Daemon
# OpenSSL link exception # OpenSSL link exception
@ -61,7 +61,7 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch #Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
@ -70,8 +70,8 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
Patch40: 0040-Use-system-wide-crypto-policy.patch Patch40: 0040-Use-system-wide-crypto-policy.patch
Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch #Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
Patch43: 0043-Enable-only-TLSv1.2-by-default.patch #Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@ -97,10 +97,8 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
Patch68: 0002-Drop-an-unused-global-variable.patch Patch68: 0002-Drop-an-unused-global-variable.patch
Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
Patch70: fix-str_open.patch Patch70: fix-str_open.patch
Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
# upstream commits 56402c0, 8b82e73 # upstream commits 56402c0, 8b82e73
Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
Patch72: vsftpd-3.0.3-ALPACA.patch
Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
%description %description
vsftpd is a Very Secure FTP daemon. It was written completely from vsftpd is a Very Secure FTP daemon. It was written completely from
@ -172,6 +170,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
%{_var}/ftp %{_var}/ftp
%changelog %changelog
* Thu Jul 28 2022 Richard Lescak <rlescak@redhat.com> 3.0.5-1
- rebase to version 3.0.5
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-51 * Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-51
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild