RHBA-2009:1282 - Bug Fix Advisory

Topic

A vsftpd update that increases the maximum username length and fixes
several bugs is now available.

Description

The vsftpd package deploys the Very Secure File Transfer Protocol daemon.
This daemon enables secure and fast FTP service on Unix-like systems,
providing SSL encryption, IPv6, bandwidth throttling, PAM integration,
virtual users, virtual IPs and per-user/per-IP configuration.

This update applies the following bug fixes:

• in Red Hat Enterprise Linux 5, the default value for the 'background'

option was changed to 'NO'. This revealed a race condition in the way
vsftpd processed signals whenever child processes were forked. As a result
of this race condition, attempts to run vsftpd could fail without returning
an error code if another FTP service was also running. In this situation, a
user would not be notified that vsftpd failed to run. This update
implements extra routines for signal handling that fixes the race
condition, ensuring that vsftpd returns a proper error code whenever it
fails to start. (BZ#236707)

• the init script for this update is now POSIX-compliant. This corrects a

bug that could cause vsftpd to incorrectly return a zero exit code when it
failed to start. (BZ#431451)

• a bug in the dependencies between vsftpd parent and child processes

allowed those child processes to run even though their parent process was
already terminated. As such, terminating the vsftpd service did not
reliably stop all FTP connections initiated by vsftpd, which could pose a
security risk. This update fixes the child-parent process dependency bug by
adding several functions that terminate all vsftpd child processes whenever
their parent process is stopped. (BZ#441485)

• a bug caused the vsftpd daemon to not properly shut down SSL (Secure

Socket Layer) data connections, which led to interoperability problems
between the vsftpd daemon and client programs such as FileZilla. This has
been fixed in this update so that vsftpd no longer causes problems with
client applications. (BZ#459607)

• in previous versions of vsftpd, /etc/vsftpd/vsftpd.conf specified

/var/log/vsftpd.log as its default log file. However, this was different
from the specified default log file (i.e. /var/log/xferlog) in
/etc/logrotate.d/vsftpd.log. This prevented the logrotate script from
finding -- and consequently, rotating -- the vsftpd log file, resulting in
an unnecessarily large vsftpd log. This update corrects this issue by
specifying /var/log/xferlog as its default log file in
/etc/vsftpd/vsftpd.conf, which enables log rotation on vsftpd log files.
(BZ#460067)

• this update also fixes several typographical errors in the documentation

of some parameters in the vsftpd man page. (BZ#478526)

• vsftpd cannot locate usernames specified by the chown_username parameter

if the username is trailed by whitespace. This update contains a workaround
that trims trailing whitespaces from username values of chown_username.
(BZ#486259)

• the maximum username length is now 128 characters. In previous versions,

the maximum username was only 32 characters. (BZ#486524)

• the DNS reverse lookup feature was implemented without any way to disable

it. This update contains the parameter 'reverse_lookup_enable', which
allows users to enable or disable the DNS reverse lookup functionality.
(BZ#498548)

Users of vsftpd are advised to upgrade to this update.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 236707 - vsftpd would crash without any error messages on bind fail
• BZ - 431451 - Wrong init script
• BZ - 441485 - "service vsftpd stop" not stopping all vsftpd processes
• BZ - 459607 - SSL connections are not correctly shutdown
• BZ - 478526 - man page error about some config options
• BZ - 486259 - white space after chown_username value causes failure
• BZ - 486524 - maximum username length is too short for vsftpd user in RHEL5

CVEs

(none)

References

(none)