vsftpd-3.0.3-lp150.5.6.1

Name         : vsftpd
Version      : 3.0.3
Release      : lp150.5.6.1
Architecture : x86_64
OS           : linux
Group        : Productivity/Networking/Ftp/Servers
License      : SUSE-GPL-2.0-with-openssl-exception
Source RPM   : vsftpd-3.0.3-lp150.5.6.1.src.rpm
Build Host   : build34
Packager     : http://bugs.opensuse.org
Vendor       : openSUSE
URL          : https://security.appspot.com/vsftpd.html
Distribution : openSUSE Leap 15.0
RPM Version  : 4.14.1
Summary      : Very Secure FTP Daemon - Written from Scratch

Description:

Vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously this is not a guarantee, but the entire codebase was written with security in mind, and carefully designed to be resilient to attack.

Recent evidence suggests that vsftpd is also extremely fast (and this is before any explicit performance tuning!). In tests against wu-ftpd, vsftpd was always faster, supporting over twice as many users in some tests.

preinstall scriptlet (using /bin/sh):

    getent passwd ftpsecure >/dev/null || useradd -r -g nobody -s /bin/false -c "Secure FTP User" -d /var/lib/empty ftpsecure
    test -n "$FIRST_ARG" || FIRST_ARG="$1"
    # disable migration if initial install under systemd
    [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || :
    if [ "$FIRST_ARG" -eq 1 ]; then
        for service in vsftpd.service vsftpd.socket ; do
            sysv_service="${service%.*}"
            touch "/var/lib/systemd/migrated/$sysv_service" || :
        done
    else
        for service in vsftpd.service vsftpd.socket ; do
            # The tag file might have been left by a preceding
            # update (see 1059627)
            rm -f "/run/rpm-vsftpd-update-$service-new-in-upgrade"
            if [ ! -e "/usr/lib/systemd/system/$service" ]; then
                touch "/run/rpm-vsftpd-update-$service-new-in-upgrade"
            fi
        done
        for service in vsftpd.service vsftpd.socket ; do
            sysv_service="${service%.*}"
            if [ -e /var/lib/systemd/migrated/$sysv_service ]; then
                continue
            fi
            if [ ! -x /usr/sbin/systemd-sysv-convert ]; then
                continue
            fi
            /usr/sbin/systemd-sysv-convert --save $sysv_service || :
        done
    fi

postinstall scriptlet (using /bin/sh):

    test -n "$FIRST_ARG" || FIRST_ARG="$1"
    [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || :
    if [ "$YAST_IS_RUNNING" != "instsys" -a -x /usr/bin/systemctl ]; then
        /usr/bin/systemctl daemon-reload || :
    fi
    if [ "$FIRST_ARG" -eq 1 ]; then
        if [ -x /usr/bin/systemctl ]; then
            /usr/bin/systemctl preset vsftpd.service vsftpd.socket || :
        fi
    elif [ "$FIRST_ARG" -gt 1 ]; then
        for service in vsftpd.service vsftpd.socket ; do
            if [ ! -e "/run/rpm-vsftpd-update-$service-new-in-upgrade" ]; then
                continue
            fi
            rm -f "/run/rpm-vsftpd-update-$service-new-in-upgrade"
            if [ ! -x /usr/bin/systemctl ]; then
                continue
            fi
            /usr/bin/systemctl preset "$service" || :
        done
        for service in vsftpd.service vsftpd.socket ; do
            sysv_service=${service%.*}
            if [ -e /var/lib/systemd/migrated/$sysv_service ]; then
                continue
            fi
            if [ ! -x /usr/sbin/systemd-sysv-convert ]; then
                continue
            fi
            /usr/sbin/systemd-sysv-convert --apply $sysv_service || :
            touch /var/lib/systemd/migrated/$sysv_service || :
        done
    fi
    test -f /usr/bin/firewall-cmd && firewall-cmd --reload --quiet || :

preuninstall scriptlet (using /bin/sh):

    test -n "$FIRST_ARG" || FIRST_ARG="$1"
    if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then
        # Package removal, not upgrade
        /usr/bin/systemctl --no-reload disable vsftpd.service vsftpd.socket || :
        (
            test "$YAST_IS_RUNNING" = instsys && exit 0
            test -f /etc/sysconfig/services -a \
                 -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services
            test "$DISABLE_STOP_ON_REMOVAL" = yes -o \
                 "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0
            /usr/bin/systemctl stop vsftpd.service vsftpd.socket
        ) || :
    fi

postuninstall scriptlet (using /bin/sh):

    test -n "$FIRST_ARG" || FIRST_ARG="$1"
    if [ "$FIRST_ARG" -ge 1 ]; then
        # Package upgrade, not uninstall
        if [ -x /usr/bin/systemctl ]; then
            /usr/bin/systemctl daemon-reload || :
            (
                test "$YAST_IS_RUNNING" = instsys && exit 0
                test -f /etc/sysconfig/services -a \
                     -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services
                test "$DISABLE_RESTART_ON_UPDATE" = yes -o \
                     "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0
                /usr/bin/systemctl try-restart vsftpd.service vsftpd.socket
            ) || :
        fi
    else # package uninstall
        for service in vsftpd.service vsftpd.socket ; do
            sysv_service="${service%.*}"
            rm -f "/var/lib/systemd/migrated/$sysv_service" || :
        done
        if [ -x /usr/bin/systemctl ]; then
            /usr/bin/systemctl daemon-reload || :
        fi
    fi

Provides:

    config(vsftpd)
    ftp-server
    vsftpd
    vsftpd(x86-64)

Requires:

    /bin/sh
    config(vsftpd) = 3.0.3-lp150.5.6.1
    firewall-macros
    group(nobody)
    libc.so.6()(64bit)
    libc.so.6(GLIBC_2.14)(64bit)
    libc.so.6(GLIBC_2.15)(64bit)
    libc.so.6(GLIBC_2.2.5)(64bit)
    libc.so.6(GLIBC_2.3)(64bit)
    libc.so.6(GLIBC_2.3.4)(64bit)
    libc.so.6(GLIBC_2.4)(64bit)
    libc.so.6(GLIBC_2.7)(64bit)
    libcap.so.2()(64bit)
    libcrypto.so.1.1()(64bit)
    libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
    libpam.so.0()(64bit)
    libpam.so.0(LIBPAM_1.0)(64bit)
    libssl.so.1.1()(64bit)
    libssl.so.1.1(OPENSSL_1_1_0)(64bit)
    logrotate
    rpmlib(CompressedFileNames) <= 3.0.4-1
    rpmlib(FileDigests) <= 4.6.0-1
    rpmlib(PayloadFilesHavePrefix) <= 4.0-1
    rpmlib(PayloadIsXz) <= 5.2-1
    shadow
    systemd
    user(ftp)

Changelog (newest entry first; entries are separated by blank lines):

- Extend "vsftpd-3.0.3-address_space_limit.patch" to mention the new 'address_space_limit' option in the installed vsftpd.conf(5) man page. [bsc#1075060]

- Apply "vsftpd-support-dsa-only-setups.patch" to disable the problematic default setting for rsa_cert_file. Upstream initializes that value to "/usr/share/ssl/certs/vsftpd.pem" and vsftpd won't start up if that file does not exist (or if it does not contain an RSA certificate). Therefore, users who copy a DSA certificate into that location or properly configure a DSA certificate via dsa_cert_file without explicitly disabling the RSA certificate won't be able to start vsftpd. [bsc#975538]

- Don't start/stop parameterized systemd units in pre/post actions. These units cannot be used without an explicit parameter and attempts to do so lead to a confusing "failed to try-restart" error message. [bsc#1093179, bsc#1010177]

- vsftpd-enable-syscalls-needed-by-sle15.patch: Enable wait4(), sysinfo(), and shutdown() syscalls in seccomp sandbox. These are required for the daemon to work properly on SLE-15. [bsc#1089088]

- Add firewalld service file (bsc#1083705)

- Make sure to also require group nobody and user ftp bsc#1070653

- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that would cause SSL protocol errors, aborting the connection, whenever system errors occurred that were supposed to be non-fatal. [bsc#1044292]
- Add "vsftpd-mdtm-in-utc.patch" to fix interoperability issue with various ftp clients that arose when vsftpd is configured with option "use_localtime=YES". Basically, it's fine to use local time stamps in directory listings, but responding to MDTM commands with any time zone other than UTC directly violates RFC3659 and leads FTP clients to misinterpret the file's time stamp. [bsc#1024961]
- Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to append to a file system pipe. [bsc#1048427]
- Add "vsftpd-3.0.3-address_space_limit.patch" to create the new configuration option "address_space_limit", which determines the memory limit vsftpd configures for its own process (given in bytes). The previously hard-coded limit (100 MB) may not be sufficient for vsftpd servers running with certain PAM modules enabled, and in such cases administrators may wish to raise the limit to match their system's requirements. [bsc#1042137]
- Don't rely on the vsf_findlibs.sh script to figure out the list of libraries the build needs to link. The script is wildly unreliable and it's hard to predict what results it will produce. Also, the results it *does* produce are invisible in the build log. We stumbled across this issue when vsftpd suddenly had build failures on i586 platforms because the script decided to try and link "-lnsl" even though the library was neither installed nor required.
- Drop the explicit specification of the LDFLAGS and LINK variables from the call to make. The value of LDFLAGS we passed is the default anyway and giving LINK has no effect since it's not used anywhere in the Makefile.

- Conditionally install xinetd service only on older releases
  * On current distributions we support the same functionality via systemd socket activation

- Fix build against OpenSSL 1.1. Remove lock on 1.0.x libs adds vsftpd-3.0.3-build-with-openssl-1.1.patch (bsc#1042673)

- Explicitly depend on OpenSSL version 1.0.x since vsftpd doesn't compile against the API provided by newer versions.

- Adjust to new system user/group RPMs

- Add vsftpd-3.0.2-fix-chown-uploads.patch to fix a bug in vsftpd where files uploaded by an anonymous user could not be chown()ed to the desired UID as specified in the daemon's configuration file. [bnc#996370]

- Extend vsftpd-2.0.4-lib64.diff to also find libcap.so.* in /usr/lib64.

- Do not bother with omc xml configs, useless nowadays

- Require shadow and do not output the error out of useradd

- Fix user creation to not report error when user already exists bnc#972169

- Fix bnc#970982 hanging on pam_exec in pam.d
  * Add patch vsftpd-3.0.2-wnohang.patch

- Fix memory leaks in ls.c bnc#968138
  * Add patch vsftpd-ls-memleak.patch
  * Update patch vsftpd-path-normalize.patch
- Fix wildcard ? matching bnc#969411
  * Update patch vsftpd-2.3.4-sqb.patch

- Clean-up the init.d support to be bit more readable and add missing dep

- Brought back additional systemv support so it also builds for SLES 10 and 11

- Version bump to 3.0.3:
  * Increase VSFTP_AS_LIMIT to 200MB; various reports.
  * Make the PWD response more RFC compliant; report from Barry Kelly.
  * Remove the trailing period from EPSV response to work around BT Internet issues; report from Tim Bishop.
  * Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil. At least, syslogging seems to work on my Fedora now.
  * Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I probably have a different distro / libc / etc. and there are multiple reports.
  * Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle this case gracefully. Report from Vasily Averin.
  * List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
  * Make some compile-time SSL defaults (such as correct client shutdown handling) stricter.
  * Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms delays. From Tim Kosse.
  * Kill the FTP session if we see HTTP protocol commands, to avoid cross-protocol attacks. A report from Jann Horn.
  * Kill the FTP session if we see session re-use failure. A report from Tim Kosse.
  * Enable ECDHE, Tim Kosse.
  * Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
  * Minor SSL logging improvements.
  * Un-default tunable_strict_ssl_write_shutdown again. We still have tunable_strict_ssl_read_eof defaulted now, which is the important one to prove upload integrity.
- Drop patch vsftpd-allow-dev-log-socket.patch should be included upstream, see above bullet with mvyskocil's email

- Fix logrotate script to not fail when vsftpd is not running, bnc#935279

- Fix hide_file option wrt bnc#927612:
  * vsftpd-path-normalize.patch

- bnc#925963 stat is sometimes run on wrong path and results with ENOENT, ensure we sent both dir+file to filter verification:
  * vsftpd-path-normalize.patch

- Update patch bit more for sanity checks. Done by rsassu@suse.de:
  * vsftpd-path-normalize.patch

- Add back patch attempting to fix bnc#900326 bnc#915522 and bnc#922538:
  * vsftpd-path-normalize.patch

- Reset filter patch to match fedora, my work will be restarted in one-off patch to make the changes stand out. Add rest of RH filtering patches:
  * vsftpd-2.2.0-wildchar.patch
  * vsftpd-2.3.4-sqb.patch
  * vsftpd-2.1.0-filter.patch

- Work on the filter patch and split out the normalisation of the path to separate str function, currently commented out so I avoid huge diffing.
  * vsftpd-2.1.0-filter.patch

- Add service calls for other unit files too
- Update filter patch to work as expected:
  * vsftpd-2.1.0-filter.patch

- Try to fix deny_file parsing to do more what is expected. Taken from fedora. bnc#900326 bnc#915522 CVE-2015-1419
  * vsftpd-2.1.0-filter.patch

- No longer perform gpg validation; osc source_validator does it implicit:
  + Drop gpg-offline BuildRequires.
  + No longer execute gpg_verify.

- force using fork() instead of clone() on s390 - fixes bnc#890469
  * vsftpd-3.0.2-s390.patch

- Cleanup with spec-cleaner
- Remove conditions about init files as we do not build for < 12.1 anyway.
- Update the README.SUSE file to describe more the listen option.

- Add socket service for vsftpd to avoid the need for xinetd here.

- Add comment about listen variables for xinetd configuration. Fixes bnc#872221.
- Add default configuration as arg to xinetd started vsftpd.
- Updated patch:
  * vsftpd-2.0.4-xinetd.diff

- Move the enabling of timeofday and alarm one level deeper to be sure it is whitelisted every time. Also should possibly fix bnc#872215.
- Updated patch:
  * vsftpd-enable-gettimeofday-sec.patch

- Remove forking from service type as it hangs in endless loop.

- Fix warning about dangling symlink on rcvsftpd from rpmlint and remove also clean section while at it.

- Add patch to allow gettimeofday and alarm calls with seccomp enabled. bnc#870122
- Added patch:
  * vsftpd-enable-gettimeofday-sec.patch

- Specify that the service type is forking

- changed license to SUSE-GPL-2.0-with-openssl-exception
  * suggested by legal team

- add allow_root_squashed_chroot option to enable chroot on nfs mounted with squash_root option (fate#311051)
  * vsftpd-root-squashed-chroot.patch

- build with OPENSSL_NO_SSL_INTERN this hides internal struct members or functions that if changed in future openssl versions will break the ABI of the calling applications.

- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
  * this enabled a sendto on /dev/log socket when syslog is enabled
- provide more verbose explanation about isolate_network and seccomp_sandbox in config file template
- don't install init file on openSUSE 13.1+
- drop a build support for SL 10 and older

- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
  * drop CLONE_NEWPID from clone to enable audit system
- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
  * unconditionally enable F_SETFL patch - might be safe to do

- add isolate_network and seccomp_sandbox options to template to make them easier to find (bnc#786024)

- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
  * whitelist /dev/log related socket syscall

- Verify GPG signature.

- Fix useradd invocation: -o is useless without -u and newer versions of pwdutils/shadowutils fail on this now.

- update to 3.0.2 (bnc#786024)
  * Fix some seccomp related build errors on certain CentOS and Debian versions.
  * Seccomp filter sandbox: missing munmap() -- oops. Did you know that qsort() opens and maps /proc/meminfo but only for larger item counts?
  * Seccomp filter sandbox: deny socket() gracefully for text_userdb_names.
  * Fix various NULL crashes with nonsensical config settings. Noted by Tianyin Xu.
  * Force cast to unsigned char in is* char functions.
  * Fix harmless integer issues in strlist.c.
  * Started on a (possibly ill-advised?) crusade to compile cleanly with Wconversion. Decided to suspend the effort half-way through.
  * One more seccomp policy fix: mremap (denied).
  * Support STOU with no filename, uses a STOU. prefix.

- make seccomp sandbox enabled by default
  * dropped vsftpd-3.0.0-turn-seccomp-sandbox-off.patch

- fix building on 11.4 x86_64 and lower
  * fix where, when, & how __USE_GNU gets #defined
  * make seccomp optional and disable it on 10.3 and lower

- update to upstream 3.0.0:
  * Make listen mode the default.
  * Fix missing "const" in ssl.c
  * Add seccompsandbox.c to support a seccomp filter sandbox; works against Ubuntu 12.04 ABI.
  * Rearrange ftppolicy.c a bit so the syscall list is easily comparable with seccompsandbox.c
  * Rename deprecated "sandbox" to "ptrace_sandbox".
  * Add a few more state checks to the privileged helper processes.
  * Add tunable "seccomp_sandbox", default on.
  * Use hardened build flags.
  * Retry creating a PASV socket upon port reuse race between bind() and listen(), patch from Ralph Wuerthner.
  * Don't die() if recv() indicates a closed remote connection. Problem report on a Windows client from Herbert van den Bergh.
  * Add new config setting "allow_writeable_chroot" to help people in a bit of a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
  * Remove a couple of fixed things from BUGS.
  * strlen() truncation fix -- no particular impact.
  * Apply some tidyups from mmoufid@yorku.ca.
  * Fix delete_failed_uploads if there is a timeout. Report from Alejandro Hernández Hdez.
  * Fix other data channel bugs such as failure to log failure upon timeout.
  * Use exit codes a bit more consistently.
  * Fix bad interaction between SSL and trans_chunk_size.
  * Redo data timeout to fire properly for SSL sessions.
  * Redo idle timeout to fire properly for SSL sessions.
  * Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing.
  * Use 10 minutes as a max linger time just in case an alarm gets lost.
  * Change PR_SET_NO_NEW_PRIVS define, from Kees Cook.
  * Add AES128-SHA to default SSL cipher suites for FileZilla compatibility. Unfortunately the default vsftpd SSL configuration still doesn't fully work with FileZilla, because FileZilla has a data connection security problem: no client certificate presentation and no session reuse. At least the error message is now very clear.
  * Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst a data transfer is in progress.
  * Fix delete_failed_uploads for anonymous sessions.
  * Don't listen for urgent data if the control connection is SSL, due to possible protocol synchronization issues.
- SUSE specific changes:
  * turn off the listen mode (listen=NO) by default and change README.SUSE
  * merge new hardened flags for build and linking
  * fix the wrong Type=forking from systemd service file
  * turn off the seccomp_sandbox off by default as SUSE kernel does not support it (yet)

- follow Systemd Packaging guidelines http://en.opensuse.org/openSUSE:Systemd_packaging_guidelines
- add $local_fs and $remote_fs to init script

- use the original tarball, because the bz2 repacking madness disables gpg --verify
- revert a part of changes utf converting

- update to upstream 2.3.5:
  * Try and force glibc to cache zoneinfo files in an attempt to work around glibc parsing vulnerability. Thanks to Kingcope.
  * Only report CHMOD in SITE HELP if it's enabled. Thanks to Martin Schwenke.
  * Some simple fixes and cleanups from Thorsten Brehm.
  * Only advertise "AUTH SSL" if one of SSLv2, SSLv3 is enabled. Thanks to steve willing.
  * Handle connect() failures properly. Thanks to Takayuki Nagata.
  * Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.
- convert .changes file to unicode
- refresh vsftpd-2.0.4-conf.diff to vsftpd-2.3.5-conf.patch
- name patches explicitly without macro as per recommendations
- remove INSTALL file from binary package
- update license to GPL-2.0+
- mark /etc/sysconfig/SuSEfirewall2/services/vsftpd as config file

- fix copy/paste error in previous change

- Add systemd unit

- fix bnc#713588 - bogus logrotate config for vsftpd call /sbin/killproc -HUP /usr/sbin/vsftpd like init script
- change the url and service file to the new location at security.appspot.com/vsftpd

- Update to 2.3.4
- Avoid consuming excessive CPU when matching filenames to patterns. Thanks to Maksymilian Arciemowicz.
- Some bugfixes from Raphaël Rigo -- good bugs but no apparent security impact.

- Update to version 2.3.2
- Fix silly regression re: log files being overwritten from the start.
- Rename a few file-open functions to make it clearer what they do

- Update to 2.3.0
- Add extremely simple HTTP support. It's very experimental, ignorant of HTTP protocol and headers, and likely has all sorts of other issues. The use case it might satisfy is if you need to serve simple static unauthenticated content with large levels of paranoia.
- Fix port_promiscuous breakage.
- Minor FAQ update.
- Use a larger address space limit if using text_userdb_names=YES
- Always use CLONE_NEWNET if possible when in HTTP mode.
- Change REST + STOR so that it's possible to overwrite part of file without truncating it.
- Boot the session if we see a USER where encryption was required. May prevent the transmission of plaintext passwords by buggy clients.
- Fix failure to transmit a large ASCII file over SSL, if it contains \n -> \r\n fixups.

- $remote_fs --> network-remotefs

- updated to version 2.2.2
  * Change "File receive OK." to "Transfer complete." to placate some broken clients. Thanks Holger Kiehl.
  * Fix erroneous "child died" upon FTP client connect, when under load. Awesome thanks to Holger Kiehl for running diagnostic tests on his live server.
  * Boot the session if an overly long line is encountered.
- see Changelog file for changes in 2.1.0, 2.1.1, 2.1.2 and 2.2.0 releases
- deprecated use-ipv6-scope-id.patch,libcap2-fix.diff,write_race.patch nowarn.patch

- added use-ipv6-scope-id.patch to fix connection issues with ipv6-link local address (bnc#574366)

- fix typo in the package description
- and remove authors

Cookie : build34 1533680343

File base names (in header order):

    vsftpd, vsftpd, vsftpd.conf, firewalld, services, vsftpd.xml, vsftpd.service, vsftpd.socket, vsftpd@.service, rcvsftpd, vsftpd, vsftpd, AUDIT, BUGS, Changelog, EXAMPLE, INTERNET_SITE, README, vsftpd.conf, vsftpd.xinetd, INTERNET_SITE_NOINETD, README, vsftpd.conf, PER_IP_CONFIG, README, hosts.allow, README, VIRTUAL_HOSTS, README, VIRTUAL_USERS, README, logins.txt, vsftpd.conf, vsftpd.pam, VIRTUAL_USERS_2, README, FAQ, README, README.SUSE, README.security, REWARD, SECURITY, DESIGN, IMPLEMENTATION, OVERVIEW, TRUST, SIZE, SPEED, TODO, TUNING, empty, vsftpd, COPYING, LICENSE, vsftpd.conf.5.gz, vsftpd.8.gz

Directories:

    /etc/logrotate.d/
    /etc/pam.d/
    /etc/
    /usr/lib/
    /usr/lib/firewalld/
    /usr/lib/firewalld/services/
    /usr/lib/systemd/system/
    /usr/sbin/
    /usr/share/doc/packages/
    /usr/share/doc/packages/vsftpd/
    /usr/share/doc/packages/vsftpd/EXAMPLE/
    /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE/
    /usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE_NOINETD/
    /usr/share/doc/packages/vsftpd/EXAMPLE/PER_IP_CONFIG/
    /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_HOSTS/
    /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/
    /usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS_2/
    /usr/share/doc/packages/vsftpd/SECURITY/
    /usr/share/
    /usr/share/licenses/
    /usr/share/licenses/vsftpd/
    /usr/share/man/man5/
    /usr/share/man/man8/

Optflags : -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
Disturl  : obs://build.opensuse.org/openSUSE:Maintenance:8566/openSUSE_Leap_15.0_Update/89aacae22103943e0d60bcb0d3c2b665-vsftpd.openSUSE_Leap_15.0_Update
Payload  : xz, level 5
Platform : x86_64-suse-linux

File types recorded:

    ASCII text
    directory
    XML 1.0 document, ASCII text
    ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=89119d97529e03970d1ff1cf6fde317c142a1906, stripped
    ISO-8859 text
    troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)