author | triaxx <triaxx@pkgsrc.org> | 2018-02-09 16:46:42 +0000 |
---|---|---|
committer | triaxx <triaxx@pkgsrc.org> | 2018-02-09 16:46:42 +0000 |
commit | acd19e8844a802eb7746feaff91c60425760dced (patch) | |
tree | 4bd1f46c568f2e3afd66a84fcadc9d4a10a3216a /net/vsftpd/Makefile | |
parent | 733ff142928501652b5a686f0868a853331b53fb (diff) | |
download | pkgsrc-acd19e8844a802eb7746feaff91c60425760dced.tar.gz |
vsftpd: updated to 3.0.3
v2.3.5
======
- Try and force glibc to cache zoneinfo files in an attempt to work around
glibc parsing vulnerability. Thanks to Kingcope.
- Only report CHMOD in SITE HELP if it's enabled. Thanks to Martin Schwenke
<martin@meltin.net>.
- Some simple fixes and cleanups from Thorsten Brehm <tbrehm@dspace.de>.
- Only advertise "AUTH SSL" if one of SSLv2, SSLv3 is enabled. Thanks to
steve willing <eiji-gravion@hotmail.com>.
- Handle connect() failures properly. Thanks to Takayuki Nagata
<tnagata@redhat.com>.
- Add stronger checks for the configuration error of running with a writeable
root directory inside a chroot(). This may bite people who carelessly turned
on chroot_local_user but such is life.
v3.0.0
======
- Update vsf_findlibs.sh to work on Ubuntu 11.10+
- Make listen mode the default.
- Add -Werror to build flags.
- Fix missing "const" in ssl.c
- Add seccompsandbox.c to support a seccomp filter sandbox; works against Ubuntu
12.04 ABI.
- Rearrange ftppolicy.c a bit so the syscall list is easily comparable with
seccompsandbox.c
- Rename deprecated "sandbox" to "ptrace_sandbox".
- Add a few more state checks to the privileged helper processes.
- Add tunable "seccomp_sandbox", default on.
- Use hardened build flags. Distros of course override these and provide their
own build flags but no harm in showing how it could be done.
- Retry creating a PASV socket upon port reuse race between bind() and listen(),
patch from Ralph Wuerthner <ralph.wuerthner@de.ibm.com>.
- Don't die() if recv() indicates a closed remote connection. Problem report
on a Windows client from Herbert van den Bergh,
<herbert.van.den.bergh@oracle.com>.
- Add new config setting "allow_writeable_chroot" to help people in a bit of
a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
- Remove a couple of fixed things from BUGS.
- strlen() truncation fix -- no particular impact.
- Apply some tidyups from mmoufid@yorku.ca.
(vsftpd-3.0.0-pre1)
- Fix delete_failed_uploads if there is a timeout. Report from Alejandro
Hernández Hdez <aalejandrohdez@gmail.com>.
- Fix other data channel bugs such as failure to log failure upon timeout.
- Use exit codes a bit more consistently.
- Fix bad interaction between SSL and trans_chunk_size.
- Redo data timeout to fire properly for SSL sessions.
- Redo idle timeout to fire properly for SSL sessions.
- Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
- Use 10 minutes as a max linger time just in case an alarm gets lost.
(vsftpd-3.0.0-pre2)
- Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
- Add AES128-SHA to default SSL cipher suites for FileZilla compatibility.
Unfortunately the default vsftpd SSL configuration still doesn't fully work
with FileZilla, because FileZilla has a data connection security problem:
no client certificate presentation and no session reuse. At least the error
message is now very clear.
- Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst
a data transfer is in progress.
- Fix delete_failed_uploads for anonymous sessions.
- Don't listen for urgent data if the control connection is SSL, due to possible
protocol synchronization issues.
v3.0.1
======
- Fix some seccomp related build errors on certain CentOS and Debian versions.
- Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort()
opens and maps /proc/meminfo but only for larger item counts?
- Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
- Fix various NULL crashes with nonsensical config settings. Noted by Tianyin Xu
<tixu@cs.ucsd.edu>.
- Force cast to unsigned char in is* char functions.
- Fix harmless integer issues in strlist.c.
- Started on a (possibly ill-advised?) crusade to compile cleanly with
Wconversion. Decided to suspend the effort half-way through.
v3.0.2
======
- One more seccomp policy fix: mremap (denied).
- Support STOU with no filename, uses a STOU. prefix.
v3.0.3
======
- Increase VSFTP_AS_LIMIT to 200MB; various reports.
- Make the PWD response more RFC compliant; report from Barry Kelly
<barry@modeltwozero.com>.
- Remove the trailing period from EPSV response to work around BT Internet
issues; report from Tim Bishop <tdb@mirrorservice.org>.
- Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
<mvyskocil@suse.cz>. At least, syslogging seems to work on my Fedora now.
- Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
probably have a different distro / libc / etc. and there are multiple reports.
- Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
this case gracefully. Report from Vasily Averin <vvs@odin.com>.
- List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
- Make some compile-time SSL defaults (such as correct client shutdown
handling) stricter.
- Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
delays. From Tim Kosse <tim.kosse@filezilla-project.org>.
- Kill the FTP session if we see HTTP protocol commands, to avoid
cross-protocol attacks. A report from Jann Horn <jann@thejh.net>.
- Kill the FTP session if we see session re-use failure. A report from
Tim Kosse <tim.kosse@filezilla-project.org>.
(vsftpd-3.0.3pre1)
- Enable ECDHE, Tim Kosse <tim.kosse@filezilla-project.org>.
- Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
- Minor SSL logging improvements.
- Un-default tunable_strict_ssl_write_shutdown again. We still have
tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
upload integrity.
(vsftpd-3.0.3pre2)
Diffstat (limited to 'net/vsftpd/Makefile')
-rw-r--r-- | net/vsftpd/Makefile | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/net/vsftpd/Makefile b/net/vsftpd/Makefile index 014e99b7c30..3309415b257 100644 --- a/net/vsftpd/Makefile +++ b/net/vsftpd/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.43 2016/04/12 08:07:50 wiz Exp $ +# $NetBSD: Makefile,v 1.44 2018/02/09 16:46:42 triaxx Exp $ -DISTNAME= vsftpd-2.3.4 -PKGREVISION= 5 +DISTNAME= vsftpd-3.0.3 CATEGORIES= net MASTER_SITES= http://security.appspot.com/downloads/ @@ -32,6 +31,7 @@ INSTALLATION_DIRS= libexec ${PKGMANDIR}/man5 ${PKGMANDIR}/man8 \ SUBST_CLASSES+= paths SUBST_FILES.paths= vsftpd.8 vsftpd.conf.5 vsftpd.conf SUBST_SED.paths+= -e 's,@PKG_SYSCONFDIR@,${PKG_SYSCONFDIR},g' +SUBST_SED.paths+= -e 's,@VARBASE@,${VARBASE},g' SUBST_STAGE.paths= post-patch MAKE_ENV+= LIBS=${LIBS:Q} @@ -44,6 +44,13 @@ SUBST_STAGE.dirfd= pre-build SUBST_FILES.dirfd= port/solaris_bogons.h SUBST_SED.dirfd= -e '/dirfd_extras/d' .endif +.if ${OPSYS} == "FreeBSD" +SUBST_CLASSES+= idirafter +SUBST_MESSAGE.idirafter=Fix buggy -idirafter for clang +SUBST_STAGE.idirafter= pre-build +SUBST_FILES.idirafter= Makefile +SUBST_SED.idirafter= -e 's,-idirafter ,-I,' +.endif VSFTPD_USER?= vsftpd VSFTPD_GROUP?= vsftpd @@ -53,7 +60,7 @@ PKG_USERS= ${VSFTPD_USER}:${VSFTPD_GROUP} PKG_GROUPS_VARS+= VSFTPD_GROUP PKG_USERS_VARS+= VSFTPD_USER -CFLAGS+= -DPKG_SYSCONFDIR="\"${PKG_SYSCONFDIR}\"" +CFLAGS+= -DPKG_SYSCONFDIR="\"${PKG_SYSCONFDIR}\"" -DVARBASE="\"${VARBASE}\"" LIBS.SunOS= -lsocket -lnsl -lrt -lsendfile -lresolv .include "options.mk" |
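Review bot: The first hunk (`@@ -1,7 +1,6 @@`) moves DISTNAME from vsftpd-2.3.4 to vsftpd-3.0.3 while the unchanged `MASTER_SITES= http://security.appspot.com/downloads/` still fetches over plain HTTP, so the integrity of the new tarball rests entirely on the distinfo checksums, which this Makefile-limited view does not show. Confirm that distinfo was regenerated from a verified copy of the tarball, and switch MASTER_SITES to https if the site serves the downloads that way.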
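Review bot: In the FreeBSD block of the `@@ -44,6 +44,13 @@` hunk, `SUBST_SED.idirafter= -e 's,-idirafter ,-I,'` changes header search order, not just a flag spelling: `-idirafter` searches a directory after the system include directories, while `-I` searches it before them, so any header in that directory now shadows a system header of the same name. The block is also keyed on `${OPSYS} == "FreeBSD"` although SUBST_MESSAGE names clang as the cause, so clang builds on other platforms are not covered and a FreeBSD build with a different compiler gets the changed search order anyway. Suggest testing the compiler rather than the OS and adding a comment on why the reordering is safe for this package. The sed expression also has no `g` flag, so only the first occurrence on each line is rewritten.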
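Review bot: The last hunk (`@@ -53,7 +60,7 @@`) compiles `-DVARBASE="\"${VARBASE}\""` into the binary, and the `@@ -32,6 +31,7 @@` hunk adds a `@VARBASE@` substitution for vsftpd.8, vsftpd.conf.5 and vsftpd.conf, but nothing visible here shows where the source consumes VARBASE or where the `@VARBASE@` placeholder is introduced. The patches that add them need to land in the same commit (this view is limited to net/vsftpd/Makefile), otherwise the define and the sed rule are dead. A one-line comment above the CFLAGS line naming the default path that VARBASE replaces would make the next update easier to review.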