
Bug Fix Advisory: vsftpd bug fix update

Advisory: RHBA-2011:0830-2
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-07-21
Last updated on: 2011-07-21
Affected Products: RHEL Desktop Workstation (v. 5 client), Red Hat Enterprise Linux (v. 5 server)

Details

An updated vsftpd package that fixes various bugs is now available.

The vsftpd package includes a Very Secure FTP (File Transfer Protocol) daemon.

This updated vsftpd package includes fixes for the following bugs:

* The previous version of vsftpd did not interpret wildcards correctly. As a
result, applications relying on the wildcard functionality did not function
properly. With this update, supported wildcards ('*' and '?') work as expected.
(BZ#517292)
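
A matcher for the two wildcards named above, added here as an illustration; it is not vsftpd's own filter code and, like the advisory, covers only '*' and '?'. The function names (wildcard_match, count_matches) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not vsftpd's own filter code: match the two wildcards the
 * advisory names, '*' (any run of characters, possibly empty) and '?'
 * (exactly one character); every other character must match literally.
 * The hard part is '*': on a later mismatch we back up and let the most
 * recent '*' absorb one more character of the name. */
bool wildcard_match(const char *pattern, const char *name)
{
    const char *star = NULL;      /* most recent '*' in pattern */
    const char *star_name = NULL; /* where in name that '*' began */

    while (*name != '\0') {
        if (*pattern == '*') {
            /* First try letting '*' match nothing at all. */
            star = pattern++;
            star_name = name;
        } else if (*pattern == '?' || *pattern == *name) {
            pattern++;
            name++;
        } else if (star != NULL) {
            /* Mismatch after a '*': give it one more character. */
            pattern = star + 1;
            name = ++star_name;
        } else {
            return false;
        }
    }
    /* Name consumed: only trailing '*'s may remain in the pattern. */
    while (*pattern == '*')
        pattern++;
    return *pattern == '\0';
}

/* Apply one pattern to a directory listing, as a masked NLST/LIST would,
 * and return how many entries pass the filter. */
size_t count_matches(const char *pattern, const char *const *names, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (wildcard_match(pattern, names[i]))
            hits++;
    return hits;
}
```

Patterns such as "report?.txt" must not match "report10.txt" and "*.txt" must not match "report.txt.bak"; both cases depend on the backtracking step.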

* When specific options were set in the configuration file, vsftpd prematurely
closed the connection. This was caused by a child process responsible for
handling post-authentication commands, together with a patch that changed the
behavior of that child process. With this update, a termination signal is sent
to the child process when its parent dies, so connections no longer close
prematurely. (BZ#530706)
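
One way a child process can be made to terminate when its parent dies, added here as an example; it is not vsftpd's code. It assumes Linux: PR_SET_PDEATHSIG arms the termination signal, and PR_SET_CHILD_SUBREAPER lets the demo reap the orphaned child; run_demo and its stand-in processes are this example's own.

```c
#include <signal.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not vsftpd's code). On Linux a process can ask the kernel
 * to deliver a signal to it when its parent dies (PR_SET_PDEATHSIG).
 * run_demo() forks a stand-in "parent", which forks a "child"; the parent
 * exits as soon as the child is armed and we report how the child ended.
 * Returns the signal that killed the child, 0 if it exited normally, or
 * -1 on error. Needs Linux 3.4+ for PR_SET_CHILD_SUBREAPER. */
int run_demo(int use_pdeathsig)
{
    int ready[2], status;
    pid_t parent;
    char c = 0;

    /* Become a subreaper so the orphaned child is re-parented to us. */
    if (prctl(PR_SET_CHILD_SUBREAPER, 1) != 0 || pipe(ready) != 0)
        return -1;
    parent = fork();
    if (parent < 0)
        return -1;
    if (parent == 0) {
        if (fork() == 0) {
            /* child: arm the death signal, then pretend to serve commands */
            signal(SIGTERM, SIG_DFL);
            if (use_pdeathsig)
                prctl(PR_SET_PDEATHSIG, SIGTERM);
            if (write(ready[1], "r", 1) < 0)  /* tell the parent we are armed */
                _exit(1);
            sleep(3);
            _exit(0);
        }
        /* parent: wait until the child is armed, then die without reaping */
        close(ready[1]);
        if (read(ready[0], &c, 1) < 0)
            _exit(1);
        _exit(0);
    }
    close(ready[0]);
    close(ready[1]);
    waitpid(parent, &status, 0);      /* reap the stand-in parent first */
    if (waitpid(-1, &status, 0) < 0)  /* then the child we adopted */
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return WIFEXITED(status) ? 0 : -1;
}
```

With the death signal armed the child is killed by SIGTERM the moment its parent exits; without it the orphan keeps running until its own work (here, the sleep) finishes.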

* Under certain circumstances, some clients could hang or behave slowly due to
a faulty double call to SSL_shutdown() in the ssl_data_close() function. With
this update, the call has been fixed, and clients no longer hang or perform
slowly. (BZ#556795)

* Prior to this update, vsftpd used the SIGUSR1 signal for signaling between
child and parent processes. However, sending the SIGUSR1 signal could cause
other applications to misbehave. With this update, the SIGUSR1 signal is only
sent when the following parameter is set in the /etc/vsftpd.conf configuration
file: "background=YES". (BZ#579317)

* Attempting to authenticate with an empty username and an empty password
against a vsftpd server with Kerberos authentication failed and returned the
following message: "500 OOPS: zero or big size in vsf_sysutil_malloc". With this
update, vsftpd properly handles an attempt to authenticate with empty
credentials. (BZ#619731)

* Prior to this update, when using the "use_localtime=YES" option, vsftpd did
not take daylight saving time (DST) into account. This caused the mtime value
to be interpreted incorrectly for files that were last modified before the
most recent DST change. With this update, DST is accounted for. (BZ#676254)

* Virtual guest accounts could be incorrectly logged as anonymous accounts in
the xferlog file even if the use of anonymous accounts was disabled. With this
update, a virtual guest account is properly logged. (BZ#680823)

All users of vsftpd are advised to upgrade to this updated package, which
resolves these issues.


Solution

Before applying this update, make sure that all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat
Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
vsftpd-2.0.5-21.el5.src.rpm
File outdated by:  RHBA-2013:0025
    MD5: 21c62af7b1fc59fa422aef6870e254f9
SHA-256: 33fa60834dd5f9467d1c785f2ca4c20b7c03390f5c5d9fa12880fe8511192d13
 
IA-32:
vsftpd-2.0.5-21.el5.i386.rpm
File outdated by:  RHBA-2013:0025
    MD5: abc0377bd9666a1ea68bdef45479847e
SHA-256: 23ac6562f91fc8b5609ad939ba85c4c6b50283cd4c931d10e396e2d96024cd9b
 
x86_64:
vsftpd-2.0.5-21.el5.x86_64.rpm
File outdated by:  RHBA-2013:0025
    MD5: 004b5d7ff5e442ecb14f24b94df72eb0
SHA-256: df7b7118f55292d0b624bc956dc275049a4cc2fae437b480b0ace8659b60311f
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
vsftpd-2.0.5-21.el5.src.rpm
File outdated by:  RHBA-2013:0025
    MD5: 21c62af7b1fc59fa422aef6870e254f9
SHA-256: 33fa60834dd5f9467d1c785f2ca4c20b7c03390f5c5d9fa12880fe8511192d13
 
IA-32:
vsftpd-2.0.5-21.el5.i386.rpm
File outdated by:  RHBA-2013:0025
    MD5: abc0377bd9666a1ea68bdef45479847e
SHA-256: 23ac6562f91fc8b5609ad939ba85c4c6b50283cd4c931d10e396e2d96024cd9b
 
IA-64:
vsftpd-2.0.5-21.el5.ia64.rpm
File outdated by:  RHBA-2013:0025
    MD5: 86ef3b8d7bd79ab14c570444cdc3e115
SHA-256: 739a58ce403c29a1f4cd27d29f004ec1a77bbf04f91fbe8140c40456a371ab39
 
PPC:
vsftpd-2.0.5-21.el5.ppc.rpm
File outdated by:  RHBA-2013:0025
    MD5: 7fa5c04a9c78d41842e7fa4a38b4d3c0
SHA-256: 21c5d0af26d02066c221fe098e663537cf5a9ebc3ac0f8cc52b4795e77878865
 
s390x:
vsftpd-2.0.5-21.el5.s390x.rpm
File outdated by:  RHBA-2013:0025
    MD5: f6ba91610cc71ad52fde70abd31bd277
SHA-256: b1ff7999ecae44ef3671cf2b2f643d4055782649390e33aa6dfc2ac9f54884e9
 
x86_64:
vsftpd-2.0.5-21.el5.x86_64.rpm
File outdated by:  RHBA-2013:0025
    MD5: 004b5d7ff5e442ecb14f24b94df72eb0
SHA-256: df7b7118f55292d0b624bc956dc275049a4cc2fae437b480b0ace8659b60311f
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

530706 - [RHEL5] vsftpd prematurely closes connection just before processing of post-auth commands
556795 - an introduction of double call to SSL_shutdown() in ssl_data_close() make some clients hang or behave slower
619731 - vsftpd OOPS when using Kerberos authentication and no username/password
676254 - vsftpd/ Timestamp problem
680823 - Vsftpd is incorrectly logging virtual guest FTP accounts as anonymous accounts in the xferlog file

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/