Debian Bug report logs - #656900
vsftpd: please add NEWS.Debian.gz to warn about configuration changes needed in 2.3.4->2.3.5 upgrade
Reported by: Jonathan Nieder <jrnieder@gmail.com>
Date: Sun, 22 Jan 2012 19:03:01 UTC
Severity: important
Tags: patch
Found in versions vsftpd/2.3.5-2, vsftpd/2.3.5-1
Fixed in version vsftpd/2.3.5-3
Done: Daniel Baumann <daniel.baumann@progress-technologies.net>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, regid23@yahoo.com, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#656900; Package vsftpd.
(Sun, 22 Jan 2012 19:03:04 GMT)
Acknowledgement sent
to Jonathan Nieder <jrnieder@gmail.com>:
New Bug report received and forwarded. Copy sent to regid23@yahoo.com, Daniel Baumann <daniel.baumann@progress-technologies.net>.
(Sun, 22 Jan 2012 19:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: vsftpd
Version: 2.3.5-2
Severity: important
Tags: patch
Jonathan Nieder wrote[1]:
> Regid Ichira wrote:
>> $ zcat /usr/share/doc/vsftpd/changelog.gz | tail -6
>> - Add stronger checks for the configuration error of running with a writeable
>> root directory inside a chroot(). This may bite people who carelessly turned
>> on chroot_local_user but such is life.
>>
>> At this point: v2.3.5 released!
>> ===============================
>>
>> I think those stronger checks are wrong, because it prevents
>> modifying (uploading, deletion, modifying) files. Am I wrong?
>> Such modifications used to work.
>
> I think the stronger checks are right, though they could probably be
> relaxed without harm in some special cases.
That said, breaking existing configurations without warning feels
wrong. How about this patch?
-- >8 --
Subject: Adding NEWS.Debian file to warn about strengthened checks for writable root directory inside chroot
---
[1] http://lists.debian.org/debian-user/2012/01/msg01514.html
debian/NEWS | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
create mode 100644 debian/NEWS
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 00000000..464bec21
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,9 @@
+vsftpd (2.3.5-1) unstable; urgency=low
+
+ Starting with this version, vsftpd refuses to serve files in dangerous
+ configurations in which the top of the chroot() jail is writable by
+ the user that serves files. You may need to adjust the directory
+ structure or disable the chroot_local_user option. See
+ /usr/share/doc/vsftpd/FAQ.gz for details.
+
+ -- Jonathan Nieder <jrnieder@gmail.com> Sun, 22 Jan 2012 12:35:28 -0600
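Review bot: the entry is headed `vsftpd (2.3.5-1)`, but the bug was found in 2.3.5-1 and 2.3.5-2 and the file first ships in 2.3.5-3; apt-listchanges only shows NEWS entries newer than the installed version, so users already on 2.3.5-1 or 2.3.5-2 will not see this warning when they upgrade to 2.3.5-3. Either accept that and say so in the changelog, or head the entry with the version that first carries the NEWS file. The body could also name the safer remedy explicitly, since "adjust the directory structure" is vague: remove write permission from the top of the jail (`chmod u-w`) and give the user a writable subdirectory, rather than turning off `chroot_local_user`.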
--
1.7.9.rc2
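The condition the NEWS entry describes, a chroot() top directory that the serving user can write to, can be audited and corrected from the shell. The script below is an added example, not code from the bug report or from the vsftpd package. It assumes the chroot root for `chroot_local_user` is the user's home directory, and it approximates "writable by the serving user" with the owner-write bit on that directory (the usual case of a home directory owned by the user with mode 755); group- or world-writable tops and ACLs are not covered. The function names and the sample directory tree built in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from vsftpd): audit home
# directories for the "writable chroot root" layout that vsftpd 2.3.5
# refuses to serve, and fix it without disabling chroot_local_user.
#
# Assumption: the jail root is the user's home directory, and "writable by
# the serving user" is approximated by the owner-write bit on that directory.

# Print "writable" if the owner-write bit is set on DIR, "ok" otherwise.
# ls -ld prints e.g. "drwxr-xr-x ..."; character 3 is the owner-write bit,
# which keeps this portable across POSIX systems (no GNU stat needed).
chroot_root_state() {
    dir=$1
    bit=$(ls -ld "$dir" | cut -c3)
    if [ "$bit" = "w" ]; then
        echo writable
    else
        echo ok
    fi
}

# Remedy: keep the top of the jail read-only for the user and give them a
# writable subdirectory (default name "upload") for uploads and edits.
# The subdirectory is created before the write bit is removed, otherwise the
# mkdir would fail for a non-root caller.
fix_chroot_root() {
    dir=$1
    sub=${2:-upload}
    mkdir -p "$dir/$sub" || return 1
    chmod u+w "$dir/$sub" || return 1
    chmod u-w "$dir" || return 1
    chroot_root_state "$dir"
}

# Audit every directory directly under BASE (e.g. /home) and print one line
# per directory: "<state> <path>".
audit_homes() {
    base=$1
    for d in "$base"/*; do
        [ -d "$d" ] || continue
        printf '%s %s\n' "$(chroot_root_state "$d")" "$d"
    done
}

# Stand-alone usage (constructed sample tree under a temp directory):
if [ "${0##*/}" = "chroot_audit.sh" ]; then
    base=$(mktemp -d)
    mkdir "$base/alice" && chmod 755 "$base/alice"
    mkdir "$base/bob"   && chmod 555 "$base/bob"
    audit_homes "$base"
    fix_chroot_root "$base/alice"
    audit_homes "$base"
    chmod -R u+w "$base" && rm -rf "$base"
fi
```

Run the audit against `/home` before upgrading; every line reported as `writable` is a user whose logins vsftpd 2.3.5 will reject once `chroot_local_user=YES` is in effect, and `fix_chroot_root` converts that layout into the read-only-top-plus-writable-subdirectory shape the server accepts.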
Bug Marked as found in versions vsftpd/2.3.5-1.
Request was from Jonathan Nieder <jrnieder@gmail.com>
to control@bugs.debian.org.
(Mon, 23 Jan 2012 10:03:28 GMT)
Reply sent
to Daniel Baumann <daniel.baumann@progress-technologies.net>:
You have taken responsibility.
(Sun, 04 Mar 2012 19:52:44 GMT)
Notification sent
to Jonathan Nieder <jrnieder@gmail.com>:
Bug acknowledged by developer.
(Sun, 04 Mar 2012 19:52:44 GMT)
Message #12 received at 656900-close@bugs.debian.org:
Source: vsftpd
Source-Version: 2.3.5-3
We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:
vsftpd_2.3.5-3.debian.tar.gz
to main/v/vsftpd/vsftpd_2.3.5-3.debian.tar.gz
vsftpd_2.3.5-3.dsc
to main/v/vsftpd/vsftpd_2.3.5-3.dsc
vsftpd_2.3.5-3_i386.deb
to main/v/vsftpd/vsftpd_2.3.5-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 656900@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baumann@progress-technologies.net> (supplier of updated vsftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 04 Mar 2012 20:15:39 +0100
Source: vsftpd
Binary: vsftpd
Architecture: source i386
Version: 2.3.5-3
Distribution: unstable
Urgency: low
Maintainer: Daniel Baumann <daniel.baumann@progress-technologies.net>
Changed-By: Daniel Baumann <daniel.baumann@progress-technologies.net>
Description:
vsftpd - lightweight, efficient FTP server written for security
Closes: 655103 656900 657693
Changes:
vsftpd (2.3.5-3) unstable; urgency=low
.
[ Daniel Baumann ]
* Adding changelog entry from squeeze security update.
.
[ Jonathan Nieder ]
* Adding NEWS file to warn about strengthened checks for writable root
directory inside chroot (Closes: #656900).
.
[ Daniel Baumann ]
* Manually passing CPPFLAGS into CFLAGS when calling make in rules
(Closes: #655103, #657693).
* Updating package to standards version 3.9.3.
Checksums-Sha1:
5c99bc16ef935d4f6c489f1228ac65012f7e2c53 1125 vsftpd_2.3.5-3.dsc
8ec94c374f2cbb508228c6cbe2aa164068ac3ac6 26915 vsftpd_2.3.5-3.debian.tar.gz
8ca8e68a4eab09dc80213c9487610eb82c67e0d3 164742 vsftpd_2.3.5-3_i386.deb
Checksums-Sha256:
d448dd376d2278f1bda8d13209f4e4fb3ebdc32bf30c852523085994b975aa57 1125 vsftpd_2.3.5-3.dsc
eebdbaef55578d03213e1ad75590523a63a82b25776b635c9c217828c71a5252 26915 vsftpd_2.3.5-3.debian.tar.gz
7de0d28945cacf6989845c78f92dcb0e98cc7c7d3de365ffb1201b44302afdd7 164742 vsftpd_2.3.5-3_i386.deb
Files:
8aa45492c5fd52c3986da325d8523d16 1125 net extra vsftpd_2.3.5-3.dsc
3ee1664cb349b2d7c3b2397dbce1245d 26915 net extra vsftpd_2.3.5-3.debian.tar.gz
d530af1dc11a32385c622bbb829d1ab1 164742 net extra vsftpd_2.3.5-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk9TwBgACgkQ+C5cwEsrK55fSQCgn1AxHmZsgSgB4GlCl/soNj4i
03IAoKEGrtgR09IWHLADVN4TR1LuhZPz
=8q61
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 12 Apr 2012 07:33:45 GMT)
Last modified:
Mon Oct 9 07:37:59 2023;