
ID: 0003311
Project: CentOS-5
Category: vsftpd
View Status: public
Last Update: 2009-10-17 22:48
Reporter: kai
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.2
Target Version:
Fixed in Version: 5.4
Summary: 0003311: vsftpd doesn't correctly shut down TLS connections (FTPS)
Description:
This is a security and an interoperability bug (see the additional information links for more on both).

Interoperability:
It appears that all Filezilla versions newer than 3.0.11.1 won't work with vsftpd when using FTPS/FTPES, because they error out because of the missing TLS shutdown. Error message: ECONNABORTED. This may apply to other clients over time (as they fix this) as well.

Security:
It seems that both Filezilla and vsftpd developers see this as a security issue. It was fixed in version 2.0.7 of vsftpd. So, this should get fixed/backported ASAP by upstream.

Additional Information:
compare:
ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.7/Changelog
(- Shutdown the SSL data connections properly. This prevents clients such as
recent FileZilla from complaining. Reported by various people.)
http://scarybeastsecurity.blogspot.com/2008/07/on-ftp-ssl-and-broken-interfaces.html
http://forum.filezilla-project.org/viewtopic.php?f=2&t=8110&hilit=vsftpd
my posting on centos-users: <VA.0000355e.0a83d782@news.conactive.com>

Tags: fixed in 5.4
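The report describes a server that closes the TCP data connection without first sending the TLS close_notify alert, which a strict client reads as a truncated transfer. The Go program below is an added illustration and is not code from the bug report, from vsftpd or from FileZilla. It runs a TLS 1.2 server and client over loopback, sends one constructed directory-listing line, and then closes the data connection either through the TLS layer (close_notify, then TCP close) or by closing the bare socket, while recording every byte the server writes so the last TLS record on the wire can be inspected. Go is used because its standard library carries a complete TLS stack and can mint the throwaway certificate in-process. The host name ftps.example.test, the listing line, the `must` helper and the recording wrapper are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const recordTypeAlert, recordTypeAppData byte = 21, 23 // TLS record content types (first header byte)
const payload = "-rw-r--r-- 1 ftp ftp 1024 Jan 02 2009 notes.txt\r\n" // constructed listing line, not from the report

func must[T any](v T, err error) T { // panics on error, acceptable for a loopback demo
	if err != nil {
		panic(err)
	}
	return v
}

// recordingConn keeps a copy of every byte the server writes to its socket.
type recordingConn struct {
	net.Conn
	written []byte
}

func (r *recordingConn) Write(p []byte) (int, error) {
	r.written = append(r.written, p...)
	return r.Conn.Write(p)
}

// lastRecordType walks a TLS 1.2 stream record by record (type, version, length, body) and returns the final record's type.
func lastRecordType(stream []byte) (t byte) {
	for len(stream) >= 5 {
		t = stream[0]
		n := 5 + (int(stream[3])<<8 | int(stream[4]))
		if len(stream) < n {
			break
		}
		stream = stream[n:]
	}
	return t
}

// selfSigned makes a throwaway P-256 certificate for the hypothetical name ftps.example.test plus a pool trusting it.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"ftps.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// dataTransfer sends payload from a TLS 1.2 server to a client over loopback; properShutdown closes via
// tls.Conn (close_notify alert, then TCP FIN), otherwise the raw socket is closed as the report describes.
// It returns the type of the last record the server wrote and what the client read before EOF.
func dataTransfer(properShutdown bool) (lastType byte, received string, err error) {
	cert, pool := selfSigned()
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	var data []byte
	done := make(chan error, 1)
	go func() {
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "ftps.example.test"})
		if err == nil {
			data, err = io.ReadAll(c) // nil error at EOF, with or without close_notify
			c.Close()
		}
		done <- err
	}()
	rc := &recordingConn{Conn: must(ln.Accept())}
	srv := tls.Server(rc, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12})
	must(srv.Write([]byte(payload)))
	if properShutdown {
		err = srv.Close() // close_notify alert, then TCP close
	} else {
		err = rc.Close() // bare TCP close, no TLS shutdown
	}
	if cerr := <-done; err == nil {
		err = cerr
	}
	return lastRecordType(rc.written), string(data), err
}

func main() {
	for _, proper := range []bool{true, false} {
		t, got, err := dataTransfer(proper)
		fmt.Printf("properShutdown=%-5v lastRecordType=%d received=%q err=%v\n", proper, t, got, err)
	}
}
```

Go's own TLS client returns a plain EOF in both cases, so the difference is only visible on the wire: after the proper shutdown the last record the server wrote has content type 21 (alert), after the bare close it is 23 (application data), and that missing alert is what the FileZilla versions named in the report refuse to accept. The record-type check depends on TLS 1.2 headers; TLS 1.3 encrypts alerts inside application_data records, so there only a client that tracks receipt of close_notify can tell a clean close from a truncated one.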

Activities

tru (administrator), 2008-12-21 17:33, ~0008485

Please file an RFE upstream and cross-link back to here (5.3 beta still has the vsftpd-2.0.5-12.el5 version).
kai (reporter), 2008-12-21 17:38, ~0008486

I thought I could only file a bug there if I'm a Red Hat Network subscriber or so? No?
tru (administrator), 2008-12-21 17:50, ~0008488

AFAIK, Bugzilla is open to everyone to report bugs/RFEs. Of course, upstream does not have to fix it and one doesn't always get solutions/support there. Nevertheless the issue/RFE is at least known/public and the package maintainer is aware of the issue.
kai (reporter), 2008-12-21 18:08, ~0008489

Found https://bugzilla.redhat.com/show_bug.cgi?id=459607
I added a comment, for whatever it's worth. It would apparently need a subscriber to "ask your support representative to set the next rhel-x.y flag to '?'".
rayvd (reporter), 2009-01-02 17:57, ~0008522

Opened an SR with upstream to backport this officially. It should be noted that there is a patch included in the bz report.

I built some RPMs against this patch and they are available here:

  http://rayvd.fedorapeople.org/vsftpd/
kai (reporter), 2009-01-03 12:48, ~0008526

I can confirm that an FTPES connection with Filezilla to the vsftpd from these RPMs works.
rayvd (reporter), 2009-01-08 16:36, ~0008552

Per RH, this should be fixed shortly in 4.x:

  http://rhn.redhat.com/errata/RHBA-2008-1012.html

And it is slated to be addressed in RHEL 5.4. No idea if there will be an interim errata release for RHEL5, however...

Issue History

Date Modified Username Field Change
2008-12-21 13:46 kai New Issue
2008-12-21 17:33 tru Note Added: 0008485
2008-12-21 17:38 kai Note Added: 0008486
2008-12-21 17:50 tru Note Added: 0008488
2008-12-21 18:08 kai Note Added: 0008489
2009-01-02 17:57 rayvd Note Added: 0008522
2009-01-03 12:48 kai Note Added: 0008526
2009-01-08 16:36 rayvd Note Added: 0008552
2009-08-05 20:38 range Tag Attached: fixed in 5.4
2009-10-17 22:47 range Status new => resolved
2009-10-17 22:47 range Fixed in Version => 5.4
2009-10-17 22:47 range Resolution open => fixed