OpenSuSE has issued an advisory today (March 5): http://lists.opensuse.org/opensuse-updates/2015-03/msg00012.html

The security issue was originally fixed long ago in our package by vsftpd-2.1.0-filter.patch. Apparently that fix was rendered ineffective once vsftpd was updated to version 3.0.2. OpenSuSE has enhanced the patch to make it effective again: https://bugzilla.suse.com/show_bug.cgi?id=915522

Updated patch added in Mageia 4 and Cauldron SVN. Freeze push requested.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated vsftpd package fixes security vulnerability:

The vsftp daemon was not handling the "deny_file" option properly, allowing unauthorized access in some specific scenarios (CVE-2015-1419).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1419
http://lists.opensuse.org/opensuse-updates/2015-03/msg00012.html
========================

Updated packages in core/updates_testing:
========================
vsftpd-3.0.2-4.1.mga4

from vsftpd-3.0.2-4.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
MGA4-32 on AcerD620 Xfce.

No installation issues.

Refer to bug 10962 Comment 5 for test. I had to additionally install heimdal-ftp as it is not included in default installation.

Made the changes to /etc/vsftpd/vsftpd.conf as described in testcase. Made sure no other ftp service was running, started vsftpd service.

At CLI as normal user:

$ ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.2)
Trying GSSAPI...
The server doesn't support the FTP security extensions.
*** Using plaintext user and password ***
Name (localhost:xxxx):
331 Please specify the password.
Password: <wrong password>
530 Login incorrect.
ftp: Login failed.
ftp> bye
221 Goodbye.

[xxxx@yyyy ~]$ ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.2)
Trying GSSAPI...
The server doesn't support the FTP security extensions.
*** Using plaintext user and password ***
Name (localhost:xxxx):
331 Please specify the password.
Password: <correct password>
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK
MGA4-64 on HP Probook 6555b KDE.

No installation issues.

Followed the same procedure as above in Comment 2 and got the same results.
Whiteboard: MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Advisory uploaded, validating. Please push to 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0103.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED