SOURCES/0001-Fix-timestamp-handling-in-MDTM.patch

@@ -1,7 +1,7 @@
 From 6a4dc470e569df38b8a7ea09ee6aace3c73b7353 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Wed, 28 Mar 2018 09:06:34 +0200
-Subject: [PATCH 1/2] Fix timestamp handling in MDTM
+Subject: [PATCH] Fix timestamp handling in MDTM
 
 There were two problems with the timestamp handling with MDTM:
 

SOURCES/0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch

@@ -1,7 +1,7 @@
 From 96698a525784ad91cb27b572dd5f871c183fdfa5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Sun, 28 Jul 2019 12:25:35 +0200
-Subject: [PATCH 1/2] Set s_uwtmp_inserted only after record insertion/removal
+Subject: [PATCH 1/3] Set s_uwtmp_inserted only after record insertion/removal
 
 pututxline() is the function that actually inserts the new record, so
 setting 's_uwtmp_inserted' before calling pututxline() doesn't make

SOURCES/0002-Drop-an-unused-global-variable.patch

@@ -1,56 +0,0 @@
-From d0045e35674d64d166d17c3c079ae03e8c2e6361 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Thu, 13 Feb 2020 17:29:06 +0100
-Subject: [PATCH 2/2] Drop an unused global variable
-
-The global variable `s_timezone` is not used anymore, so we can drop
-it.
----
- sysutil.c | 17 +++--------------
- 1 file changed, 3 insertions(+), 14 deletions(-)
-
-diff --git a/sysutil.c b/sysutil.c
-index 66d4c5e..0ccf551 100644
---- a/sysutil.c
-+++ b/sysutil.c
-@@ -72,8 +72,6 @@ static struct timeval s_current_time;
- static int s_current_pid = -1;
- /* Exit function */
- static exitfunc_t s_exit_func;
--/* Difference in timezone from GMT in seconds */
--static long s_timezone;
- 
- /* Our internal signal handling implementation details */
- static struct vsf_sysutil_sig_details
-@@ -2661,7 +2659,6 @@ char* vsf_sysutil_get_tz()
- void
- vsf_sysutil_tzset(void)
- {
--  int retval;
-   char *tz=NULL, tzbuf[sizeof("+HHMM!")];
-   time_t the_time = time(NULL);
-   struct tm* p_tm;
-@@ -2681,17 +2678,9 @@ vsf_sysutil_tzset(void)
-   {
-     die("localtime");
-   }
--  retval = strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
--  tzbuf[sizeof(tzbuf) - 1] = '\0';
--  if (retval == 5)
--  {
--    s_timezone = ((tzbuf[1] - '0') * 10 + (tzbuf[2] - '0')) * 60 * 60;
--    s_timezone += ((tzbuf[3] - '0') * 10 + (tzbuf[4] - '0')) * 60;
--    if (tzbuf[0] == '+')
--    {
--      s_timezone *= -1;
--    }
--  }
-+  /* Not sure if the following call to strftime() has any desired side
-+     effects, so I'm keeping it to be safe. */
-+  (void) strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
-   /* Call in to the time subsystem again now that TZ is set, trying to force
-    * caching of the actual zoneinfo for the timezone.
-    */
--- 
-2.24.1
-

SOURCES/0002-Repeat-pututxline-if-it-fails-with-EINTR.patch

@@ -1,7 +1,7 @@
 From 896b3694ca062d747cd67e9e9ba246adb3fc706b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Mon, 5 Aug 2019 13:55:37 +0200
-Subject: [PATCH 2/2] Repeat pututxline() if it fails with EINTR
+Subject: [PATCH 2/3] Repeat pututxline() if it fails with EINTR
 
 This is a partial fix for rhbz#1688848. We cannot resolve it
 completely until glibc bug rhbz#1734791 is fixed. See

SOURCES/0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch

@@ -1,7 +1,8 @@
 From 7957425ef5ab365fc96ea0615f99705581c6dbd8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Mon, 12 Aug 2019 18:15:36 +0200
-Subject: [PATCH] Repeat pututxline() until it succeeds if it fails with EINTR
+Subject: [PATCH 3/3] Repeat pututxline() until it succeeds if it fails with
+ EINTR
 
 Since the pututxline() bug rhbz#1749439 is now fixed in glibc in
 Fedora and RHEL-8, we can implement a complete solution for the stale

SOURCES/fix-str_open.patch

@@ -1,28 +0,0 @@
-diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c
---- vsftpd-3.0.3.orig/sysstr.c	2020-11-17 09:47:03.872923383 +0100
-+++ vsftpd-3.0.3/sysstr.c	2020-11-17 09:48:41.219754145 +0100
-@@ -74,19 +74,11 @@
- int
- str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
- {
--  enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
--  switch (mode)
--  {
--    case kVSFSysStrOpenReadOnly:
--      open_mode = kVSFSysUtilOpenReadOnly;
--      break;
--    case kVSFSysStrOpenUnknown:
--      /* Fall through */
--    default:
--      bug("unknown mode value in str_open");
--      break;
--  }
--  return vsf_sysutil_open_file(str_getbuf(p_str), open_mode);
-+  if (mode == kVSFSysStrOpenReadOnly)
-+    return vsf_sysutil_open_file(str_getbuf(p_str), kVSFSysUtilOpenReadOnly);
-+
-+  bug("unknown mode value in str_open");
-+  return -1;
- }
- 
- int

SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch

@@ -0,0 +1,132 @@
+diff --git a/features.c b/features.c
+index d024366..3a60b88 100644
+--- a/features.c
++++ b/features.c
+@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
+     }
+-    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
++    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
+     }
+diff --git a/parseconf.c b/parseconf.c
+index 3729818..2c5ffe6 100644
+--- a/parseconf.c
++++ b/parseconf.c
+@@ -87,6 +87,7 @@ parseconf_bool_array[] =
+   { "ssl_tlsv1", &tunable_tlsv1 },
+   { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+   { "ssl_tlsv1_2", &tunable_tlsv1_2 },
++  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
+   { "tilde_user_enable", &tunable_tilde_user_enable },
+   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
+diff --git a/ssl.c b/ssl.c
+index 09ec96a..5d9c595 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -178,6 +178,10 @@ ssl_init(struct vsf_session* p_sess)
+     {
+       options |= SSL_OP_NO_TLSv1_2;
+     }
++    if (!tunable_tlsv1_3)
++    {
++      options |= SSL_OP_NO_TLSv1_3;
++    }
+     SSL_CTX_set_options(p_ctx, options);
+     if (tunable_rsa_cert_file)
+     {
+diff --git a/tunables.c b/tunables.c
+index c96c1ac..e6fbb9d 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -68,6 +68,7 @@ int tunable_sslv3;
+ int tunable_tlsv1;
+ int tunable_tlsv1_1;
+ int tunable_tlsv1_2;
++int tunable_tlsv1_3;
+ int tunable_tilde_user_enable;
+ int tunable_force_anon_logins_ssl;
+ int tunable_force_anon_data_ssl;
+@@ -217,8 +218,9 @@ tunables_load_defaults()
+   tunable_sslv3 = 0;
+   tunable_tlsv1 = 0;
+   tunable_tlsv1_1 = 0;
+-  /* Only TLSv1.2 is enabled by default */
++  /* Only TLSv1.2 and TLSv1.3 are enabled by default */
+   tunable_tlsv1_2 = 1;
++  tunable_tlsv1_3 = 1;
+   tunable_tilde_user_enable = 0;
+   tunable_force_anon_logins_ssl = 0;
+   tunable_force_anon_data_ssl = 0;
+diff --git a/tunables.h b/tunables.h
+index 8d50150..6e1d301 100644
+--- a/tunables.h
++++ b/tunables.h
+@@ -69,6 +69,7 @@ extern int tunable_sslv3;                     /* Allow SSLv3 */
+ extern int tunable_tlsv1;                     /* Allow TLSv1 */
+ extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
+ extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
++extern int tunable_tlsv1_3;                   /* Allow TLSv1.3 */
+ extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
+ extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
+ extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 815773f..c37a536 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -555,7 +555,7 @@ Default: YES
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit SSL v2 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -563,7 +563,7 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit SSL v3 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -571,7 +571,7 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -579,7 +579,7 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -587,7 +587,15 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
++
++Default: YES
++.TP
++.B ssl_tlsv1_3
++Only applies if
++.BR ssl_enable
++is activated. If enabled, this option will permit TLS v1.3 protocol connections.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: YES
+ .TP

SPECS/vsftpd.spec

@@ -2,9 +2,10 @@
 
 Name:    vsftpd
 Version: 3.0.3
-Release: 47%{?dist}
+Release: 35%{?dist}
 Summary: Very Secure Ftp Daemon
 
+Group:    System Environment/Daemons
 # OpenSSL link exception
 License:  GPLv2 with exceptions
 URL:      https://security.appspot.com/vsftpd.html
@@ -19,7 +20,6 @@ Source8:  vsftpd@.service
 Source9:  vsftpd.target
 Source10: vsftpd-generator
 
-BuildRequires: make
 BuildRequires: pam-devel
 BuildRequires: libcap-devel
 BuildRequires: openssl-devel
@@ -88,17 +88,15 @@ Patch56: 0056-Log-die-calls-to-syslog.patch
 Patch57: 0057-Improve-error-message-when-max-number-of-bind-attemp.patch
 Patch58: 0058-Make-the-max-number-of-bind-retries-tunable.patch
 Patch59: 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
-Patch61: 0001-Move-closing-standard-FDs-after-listen.patch
-Patch62: 0002-Prevent-recursion-in-bug.patch
-Patch63: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
-Patch64: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
-Patch65: 0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
-Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
-Patch68: 0002-Drop-an-unused-global-variable.patch
-Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
-Patch70: fix-str_open.patch
-# upstream commits 56402c0, 8b82e73 rhbz#1948570
-Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
+Patch60: 0001-Move-closing-standard-FDs-after-listen.patch
+Patch61: 0002-Prevent-recursion-in-bug.patch
+Patch62: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
+Patch63: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
+Patch64: 0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
+Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch
+Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
+Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
+Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
 
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@@ -109,16 +107,12 @@ scratch.
 cp %{SOURCE1} .
 
 %build
-# temporary ignore deprecated warnings to be able to build against OpenSSL 3.0
-# upstram tracking bug: rhbz#1962603
-%define ignore_deprecated -Wno-deprecated-declarations
-
 %ifarch s390x sparcv9 sparc64
-%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror %ignore_deprecated" \
+make CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
 %else
-%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror %ignore_deprecated" \
+make CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
 %endif
-        LINK="-pie -lssl $RPM_LD_FLAGS" %{?_smp_mflags}
+        LINK="-pie -lssl" %{?_smp_mflags}
 
 %install
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
@@ -171,76 +165,34 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 
 %changelog
-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-47
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Fri Dec 03 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-35
+- add option to disable TLSv1.3
+- Resolves: rhbz#1638375
 
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-46
-- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
-
-* Thu May 20 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-45
-- Temporary pass -Wno-deprecated-declarations to gcc to ignore
-  deprecated warnings to be able to build against OpenSSL-3.0
-- Resolves: rhbz#1958028
-
-* Fri Apr 16 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-44
+* Mon Apr 12 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-34
 - Enable support for wide-character strings in logs
 - Replace unprintables with HEX code, not question marks
-- Resolves: rhbz#1948570
+- Resolves: rhbz#1947900
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-43
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-42
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Fri Nov 27 2020 Timm Bäder<tbaeder@redhat.com> - 3.0.3-41
-- Fix str_open() so it doesn't warn when compiled with clang
-- Pass $RPM_LD_FLAGS when linking
-
-* Mon Nov 02 2020 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-40
+* Mon Nov 02 2020 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-33
 - Unit files fixed "After=network-online.target"
+- Resolves: rhbz#1893636
 
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-39
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Mar 17 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-38
+* Tue Mar 17 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-32
 - Removed a hint about the ftp_home_dir SELinux boolean from the config file
 - Resolves: rhbz#1623424
 
-* Thu Feb 13 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-37
+* Thu Feb 13 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-31
 - Fix timestamp handling in MDTM
 - Resolves: rhbz#1567855
 
-* Fri Feb 07 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-36
-- Fix build with gcc 10
-- Resolves: rhbz#1800239
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-35
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Jan 17 2020 Tom Stellard <tstellar@redhat.com> - 3.0.3-34
-- Use make_build macro
-
-* Thu Nov 28 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-33
-- Finish up the fix to the problem with bad utmp entries when pututxline() fails
+* Thu Nov 28 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-30
+- Fix a problem with bad utmp entries when pututxline() fails
 - Resolves: rhbz#1688852
-- Resolves: rhbz#1737433
 
-* Mon Aug 05 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-32
-- Partially fix problem with bad utmp entries when pututxline() fails
-- Resolves: rhbz#1688848
-
-* Sat Aug 03 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-31
+* Thu Nov 28 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-29
 - Fix segfault when listen() returns an error
-- Resolves: rhbz#1666380
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-30
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-29
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+- Resolves: rhbz#1734340
 
 * Wed Jul 25 2018 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-28
 - Rebuilt, switched to SHA512 source tarball hash