RHBA-2011:0830 - Bug Fix Advisory

Topic

An updated vsftpd package that fixes various bugs is now available.

Description

The vsftpd package includes a Very Secure FTP (File Transfer Protocol) daemon.

This updated vsftpd package includes fixes for the following bugs:

• The previous version of vsftpd did not interpret wildcards correctly. As a

result, applications relying on the wildcard functionality did not function
properly. With this update, supported wildcards ('*' and '?') work as expected.
(BZ#517292)

• When specific options were set in the configuration file, vsftpd prematurely

closed the connection. This was caused by a child process which was responsible
for handling post-auth commands and a patch which influenced the behavior of
that child process. With this update, a termination signal is sent to the child
process when its parent dies with the result that connections no longer
prematurely close. (BZ#530706)

• Under certain circumstances, some clients could hang or behave slow due to a

faulty double call to SSL_shutdown() in the ssl_data_close() function. With this
update, the call has been fixed and a client no longer hangs or performs slowly.
(BZ#556795)

• Prior to this update, vsftpd used the SIGUSR1 signal for signaling between

child and parent processes. However, sending the SIGUSR1 signal could cause
other applications to misbehave. With this update, the SIGUSR1 signal is only
sent when the following parameter is set in the /etc/vsftpd.conf configuration
file: "background=YES". (BZ#579317)

• Attempting to authenticate with an empty username and an empty password

against a vsftpd server with Kerberos authentication failed and returned the
following message: "500 OOPS: zero or big size in vsf_sysutil_malloc". With this
update, vsftpd properly handles an attempt to authenticate with empty
credentials. (BZ#619731)

• Prior to this update, when using the "use_localtime=YES" option, vsftpd did

not take the DST specification into account. This caused the mtime value to be
incorrectly interpreted for files that were last modified before the latest DST
occurred. With this update, the DST is accounted for. (BZ#676254)

• Virtual guest accounts could be incorrectly logged as anonymous accounts in

the xferlog file even if the use of anonymous accounts was disabled. With this
update, a virtual guest account is properly logged. (BZ#680823)

All users of vsftpd are advised to upgrade to this updated package, which
resolves these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat
Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 530706 - [RHEL5] vsftpd prematurely closes connection just before processing of post-auth commands
• BZ - 556795 - an introduction of double call to SSL_shutdown() in ssl_data_close() make some clients hang or behave slower
• BZ - 619731 - vsftpd OOPS when using Kerberos authentication and no username/password
• BZ - 676254 - vsftpd/ Timestamp problem
• BZ - 680823 - Vsftpd is incorrectly logging virtual guest FTP accounts as anonymous accounts in the xferlog file

CVEs

(none)

References

(none)