diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2021-06-07 18:53:49 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2021-06-07 23:59:59 +0200 |
commit | 3e486d66d253cd7a7436d1771c2f7403a5e87240 (patch) | |
tree | ae9a1fad7e5bd3eb0ab7092bcc8e363e38e97673 /source/n/vsftpd | |
parent | 603621fccbcad6b15c25e6ffb1657d3618e79c20 (diff) | |
download | current-3e486d66d253cd7a7436d1771c2f7403a5e87240.tar.gz |
Mon Jun 7 18:53:49 UTC 202120210607185349
Hey folks! Sorry about the delay in getting this batch out but I had other
distractions going on here last week that prevented getting this one wrapped
up. Anyway, probably the highlight of this update set is that we've decided
to abandon the 5.10 LTS kernel in favor of following the latest one. We've
never really had a policy that required LTS in a stable release although that
is how it has been done for years, but based on comments from the Slackware
community it seems like 5.10 LTS isn't getting a lot of love and lacks
hardware support that people need now. Conversely, the reports on 5.12 have
been almost entirely positive, so we're going to provide what we think is the
best available kernel. It's unlikely that we'll see another LTS prior to
release, so the plan for maintenance is to keep following the latest kernels
as needed for security purposes. If that means we have to jump to a new branch
while supporting the stable release, we'll start the kernel out in testing
first until we've had some feedback that it's safe to move it to the patches
directory. Sooner or later we will end up on an LTS kernel again, and at that
point we'll just roll with that one. Feel free to comment (or complain) about
this plan on LQ... I'll be curious to see what people think. Anyway, enjoy!
a/hwdata-0.348-noarch-1.txz: Upgraded.
a/kernel-generic-5.12.9-x86_64-1.txz: Upgraded.
a/kernel-huge-5.12.9-x86_64-1.txz: Upgraded.
a/kernel-modules-5.12.9-x86_64-1.txz: Upgraded.
ap/ispell-3.4.04-x86_64-1.txz: Upgraded.
ap/mpg123-1.28.0-x86_64-1.txz: Upgraded.
ap/slackpkg-15.0.5-noarch-1.txz: Upgraded.
Add "--" option to "command cd" in bash completion file. (akinomyoga)
shell-completions/slackpkg.bash: add "show-changelog".
Import bash-completion file from upstream project.
Added the new-config actions for specific files. (Piter PUNK)
Harden slackpkg with respect to obtaining GPG key. (CRTS)
d/clisp-2.50_20191103_c26de7873-x86_64-5.txz: Rebuilt.
Upgraded to libffcall-2.3.
d/git-2.32.0-x86_64-1.txz: Upgraded.
d/kernel-headers-5.12.9-x86-1.txz: Upgraded.
d/poke-1.3-x86_64-1.txz: Upgraded.
d/vala-0.52.4-x86_64-1.txz: Upgraded.
k/kernel-source-5.12.9-noarch-1.txz: Upgraded.
kde/calligra-3.2.1-x86_64-9.txz: Rebuilt.
Recompiled against poppler-21.06.1.
kde/cantor-21.04.1-x86_64-2.txz: Rebuilt.
Recompiled against poppler-21.06.1.
kde/digikam-7.2.0-x86_64-3.txz: Rebuilt.
Recompiled against imagemagick-7.0.11_14.
kde/kfilemetadata-5.82.0-x86_64-2.txz: Rebuilt.
Recompiled against poppler-21.06.1.
kde/kile-2.9.93-x86_64-9.txz: Rebuilt.
Recompiled against poppler-21.06.1.
kde/kitinerary-21.04.1-x86_64-2.txz: Rebuilt.
Recompiled against poppler-21.06.1.
kde/krita-4.4.3-x86_64-5.txz: Rebuilt.
Recompiled against poppler-21.06.1.
kde/okular-21.04.1-x86_64-2.txz: Rebuilt.
Recompiled against poppler-21.06.1.
l/alsa-lib-1.2.5-x86_64-2.txz: Rebuilt.
Account for unexpected packing of the conf file tarballs. We'll see if this
is enough to make things work well again.
l/at-spi2-core-2.40.2-x86_64-1.txz: Upgraded.
l/dvdauthor-0.7.2-x86_64-5.txz: Rebuilt.
Recompiled against imagemagick-7.0.11_14.
l/libogg-1.3.5-x86_64-1.txz: Upgraded.
l/librsvg-2.50.7-x86_64-1.txz: Upgraded.
l/pipewire-0.3.29-x86_64-1.txz: Upgraded.
l/polkit-0.119-x86_64-1.txz: Upgraded.
This update includes a mitigation for local privilege escalation using
polkit_system_bus_name_get_creds_sync().
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560
(* Security fix *)
l/poppler-21.06.1-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
l/pycairo-1.20.1-x86_64-1.txz: Upgraded.
l/qca-2.3.3-x86_64-1.txz: Upgraded.
l/vte-0.64.2-x86_64-1.txz: Upgraded.
n/epic5-2.1.5-x86_64-1.txz: Upgraded.
n/httpd-2.4.48-x86_64-1.txz: Upgraded.
This release contains security fixes and improvements.
mod_http2: Fix a potential NULL pointer dereference.
Unexpected <Location> section matching with 'MergeSlashes OFF'.
mod_auth_digest: possible stack overflow by one nul byte while validating
the Digest nonce.
mod_session: Fix possible crash due to NULL pointer dereference, which
could be used to cause a Denial of Service with a malicious backend
server and SessionHeader.
mod_session: Fix possible crash due to NULL pointer dereference, which
could be used to cause a Denial of Service.
mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
could be used to cause a Denial of Service.
mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
negotiation.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26690
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17567
(* Security fix *)
n/libmbim-1.24.8-x86_64-1.txz: Upgraded.
n/libqmi-1.28.6-x86_64-1.txz: Upgraded.
n/nettle-3.7.3-x86_64-1.txz: Upgraded.
n/openldap-2.4.59-x86_64-1.txz: Upgraded.
n/p11-kit-0.24.0-x86_64-1.txz: Upgraded.
n/php-7.4.20-x86_64-1.txz: Upgraded.
n/vsftpd-3.0.4-x86_64-1.txz: Upgraded.
n/whois-5.5.10-x86_64-1.txz: Upgraded.
x/libX11-1.7.2-x86_64-1.txz: Upgraded.
This is a bug fix release, correcting a regression introduced by and
improving the checks from the fix for CVE-2021-31535.
x/libinput-1.18.0-x86_64-1.txz: Upgraded.
x/mesa-21.1.2-x86_64-1.txz: Upgraded.
xap/blueman-2.2.1-x86_64-1.txz: Upgraded.
xap/gnuplot-5.4.2-x86_64-1.txz: Upgraded.
xap/mozilla-thunderbird-78.11.0-x86_64-1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/78.11.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-26/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29967
(* Security fix *)
xap/pidgin-2.14.5-x86_64-1.txz: Upgraded.
xap/xine-lib-1.2.11-x86_64-6.txz: Rebuilt.
Recompiled against poppler-21.06.1.
extra/bash-completion/bash-completion-2.11-noarch-2.txz: Rebuilt.
Removed the slackpkg completion file.
extra/php8/php8-8.0.7-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source/n/vsftpd')
5 files changed, 3 insertions, 326 deletions
diff --git a/source/n/vsftpd/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/source/n/vsftpd/0021-Introduce-support-for-DHE-based-cipher-suites.patch deleted file mode 100644 index ad7e5bae..00000000 --- a/source/n/vsftpd/0021-Introduce-support-for-DHE-based-cipher-suites.patch +++ /dev/null @@ -1,226 +0,0 @@ -From 4eac1dbb5f70a652d31847eec7c28d245f36cdbb Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka <msehnout@redhat.com> -Date: Thu, 17 Nov 2016 10:48:28 +0100 -Subject: [PATCH 21/33] Introduce support for DHE based cipher suites. - ---- - parseconf.c | 1 + - ssl.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- - tunables.c | 5 +++- - tunables.h | 1 + - vsftpd.conf.5 | 6 ++++ - 5 files changed, 104 insertions(+), 2 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index 3e0dba4..38e3182 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -176,6 +176,7 @@ parseconf_str_array[] = - { "email_password_file", &tunable_email_password_file }, - { "rsa_cert_file", &tunable_rsa_cert_file }, - { "dsa_cert_file", &tunable_dsa_cert_file }, -+ { "dh_param_file", &tunable_dh_param_file }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff --git a/ssl.c b/ssl.c -index c362983..22b69b3 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -28,6 +28,8 @@ - #include <openssl/err.h> - #include <openssl/rand.h> - #include <openssl/bio.h> -+#include <openssl/dh.h> -+#include <openssl/bn.h> - #include <errno.h> - #include <limits.h> - -@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); - static long bio_callback( - BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); -+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); - static int ssl_cert_digest( - SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); - static void maybe_log_shutdown_state(struct vsf_session* p_sess); -@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess, - static int ssl_inited; - static struct mystr debug_str; - -+ -+// Grab prime number from OpenSSL; <openssl/bn.h> -+// (get_rfc*) for all available primes. -+// wraps selection of comparable algorithm strength -+#if !defined(match_dh_bits) -+ #define match_dh_bits(keylen) \ -+ keylen >= 8191 ? 8192 : \ -+ keylen >= 6143 ? 6144 : \ -+ keylen >= 4095 ? 4096 : \ -+ keylen >= 3071 ? 3072 : \ -+ keylen >= 2047 ? 2048 : \ -+ keylen >= 1535 ? 1536 : \ -+ keylen >= 1023 ? 1024 : 768 -+#endif -+ -+#if !defined(DH_get_prime) -+ BIGNUM * -+ DH_get_prime(int bits) -+ { -+ switch (bits) { -+ case 768: return get_rfc2409_prime_768(NULL); -+ case 1024: return get_rfc2409_prime_1024(NULL); -+ case 1536: return get_rfc3526_prime_1536(NULL); -+ case 2048: return get_rfc3526_prime_2048(NULL); -+ case 3072: return get_rfc3526_prime_3072(NULL); -+ case 4096: return get_rfc3526_prime_4096(NULL); -+ case 6144: return get_rfc3526_prime_6144(NULL); -+ case 8192: return get_rfc3526_prime_8192(NULL); -+ // shouldn't happen when used match_dh_bits; strict compiler -+ default: return NULL; -+ } -+} -+#endif -+ -+#if !defined(DH_get_dh) -+ // Grab DH parameters -+ DH * -+ DH_get_dh(int size) -+ { -+ DH *dh = DH_new(); -+ if (!dh) { -+ return NULL; -+ } -+ dh->p = DH_get_prime(match_dh_bits(size)); -+ BN_dec2bn(&dh->g, "2"); -+ if (!dh->p || !dh->g) -+ { -+ DH_free(dh); -+ return NULL; -+ } -+ return dh; -+ } -+#endif -+ - void - ssl_init(struct vsf_session* p_sess) - { -@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) - { - die("SSL: could not allocate SSL context"); - } -- options = SSL_OP_ALL; -+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; - if (!tunable_sslv2) - { - options |= SSL_OP_NO_SSLv2; -@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess) - die("SSL: cannot load DSA private key"); - } - } -+ if (tunable_dh_param_file) -+ { -+ BIO *bio; -+ DH *dhparams = NULL; -+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) -+ { -+ die("SSL: cannot load custom DH params"); -+ } -+ else -+ { -+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -+ BIO_free(bio); -+ -+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams)) -+ { -+ die("SSL: setting custom DH params failed"); -+ } -+ } -+ } - if (tunable_ssl_ciphers && - SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) - { -@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess) - /* Ensure cached session doesn't expire */ - SSL_CTX_set_timeout(p_ctx, INT_MAX); - } -+ -+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); -+ - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; - } -@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx) - return 1; - } - -+#define UNUSED(x) ( (void)(x) ) -+ -+static DH * -+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) -+{ -+ // strict compiler bypassing -+ UNUSED(ssl); -+ UNUSED(is_export); -+ -+ return DH_get_dh(keylength); -+} -+ - void - ssl_add_entropy(struct vsf_session* p_sess) - { -diff --git a/tunables.c b/tunables.c -index c737465..1ea7227 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -140,6 +140,7 @@ const char* tunable_user_sub_token; - const char* tunable_email_password_file; - const char* tunable_rsa_cert_file; - const char* tunable_dsa_cert_file; -+const char* tunable_dh_param_file; - const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -288,7 +289,9 @@ tunables_load_defaults() - install_str_setting("/usr/share/ssl/certs/vsftpd.pem", - &tunable_rsa_cert_file); - install_str_setting(0, &tunable_dsa_cert_file); -- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); -+ install_str_setting(0, &tunable_dh_param_file); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", -+ &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff --git a/tunables.h b/tunables.h -index 9553038..3995472 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -142,6 +142,7 @@ extern const char* tunable_user_sub_token; - extern const char* tunable_email_password_file; - extern const char* tunable_rsa_cert_file; - extern const char* tunable_dsa_cert_file; -+extern const char* tunable_dh_param_file; - extern const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index fb6324e..ff94eca 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -893,6 +893,12 @@ to be in the same file as the certificate. - - Default: (none) - .TP -+.B dh_param_file -+This option specifies the location of the custom parameters used for -+ephemeral Diffie-Hellman key exchange in SSL. -+ -+Default: (none - use built in parameters appropriate for certificate key size) -+.TP - .B email_password_file - This option can be used to provide an alternate file for usage by the - .BR secure_email_list_enable --- -2.7.4 - diff --git a/source/n/vsftpd/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch b/source/n/vsftpd/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch deleted file mode 100644 index ab3f35c0..00000000 --- a/source/n/vsftpd/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com> -Date: Mon, 4 Sep 2017 11:32:03 +0200 -Subject: [PATCH 35/35] Modify DH enablement patch to build with OpenSSL 1.1 - ---- - ssl.c | 41 ++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/ssl.c b/ssl.c -index ba8a613..09ec96a 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -88,19 +88,54 @@ static struct mystr debug_str; - } - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -+{ -+ /* If the fields p and g in d are NULL, the corresponding input -+ * parameters MUST be non-NULL. q may remain NULL. -+ */ -+ if ((dh->p == NULL && p == NULL) -+ || (dh->g == NULL && g == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(dh->p); -+ dh->p = p; -+ } -+ if (q != NULL) { -+ BN_free(dh->q); -+ dh->q = q; -+ } -+ if (g != NULL) { -+ BN_free(dh->g); -+ dh->g = g; -+ } -+ -+ if (q != NULL) { -+ dh->length = BN_num_bits(q); -+ } -+ -+ return 1; -+} -+#endif -+ - #if !defined(DH_get_dh) - // Grab DH parameters - DH * - DH_get_dh(int size) - { -+ BIGNUM *g = NULL; -+ BIGNUM *p = NULL; - DH *dh = DH_new(); - if (!dh) { - return NULL; - } -- dh->p = DH_get_prime(match_dh_bits(size)); -- BN_dec2bn(&dh->g, "2"); -- if (!dh->p || !dh->g) -+ p = DH_get_prime(match_dh_bits(size)); -+ BN_dec2bn(&g, "2"); -+ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) - { -+ BN_free(g); -+ BN_free(p); - DH_free(dh); - return NULL; - } --- -2.9.5 - diff --git a/source/n/vsftpd/slack-desc b/source/n/vsftpd/slack-desc index f076e1a2..f33e7ade 100644 --- a/source/n/vsftpd/slack-desc +++ b/source/n/vsftpd/slack-desc @@ -12,8 +12,8 @@ vsftpd: vsftpd is an FTP server, or daemon. The 'vs' stands for Very Secure. vsftpd: Obviously this is not a guarantee, but a reflection that the entire vsftpd: codebase was written with security in mind, and carefully designed to vsftpd: be resilient to attack (as well as extremely fast and scalable). +vsftpd: The Very Secure FTP Daemon was written by Chris Evans. vsftpd: -vsftpd: The vsftpd homepage is https://security.appspot.com/vsftpd.html +vsftpd: Homepage: https://security.appspot.com/vsftpd.html vsftpd: -vsftpd: The Very Secure FTP Daemon was written by Chris Evans. vsftpd: diff --git a/source/n/vsftpd/vsftpd.SlackBuild b/source/n/vsftpd/vsftpd.SlackBuild index f29ed249..3403ae17 100755 --- a/source/n/vsftpd/vsftpd.SlackBuild +++ b/source/n/vsftpd/vsftpd.SlackBuild @@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=vsftpd VERSION=${VERSION:-$(echo ${PKGNAM}-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-9} +BUILD=${BUILD:-1} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -72,13 +72,6 @@ find . \ zcat $CWD/vsftpd.builddefs.diff.gz | patch -p1 --verbose || exit 1 zcat $CWD/vsftpd.conf.diff.gz | patch -p1 --verbose || exit 1 zcat $CWD/vsftpd.crypt.diff.gz | patch -p1 --verbose || exit 1 -# patch from BLFS due to gcc >= 10.1.x -sed -e "s/kVSFSysStrOpenUnknown;/(enum EVSFSysUtilOpenMode)&/" -i sysstr.c - -# Support OpenSSL 1.1.x: -zcat $CWD/0021-Introduce-support-for-DHE-based-cipher-suites.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/vsftpd.link-with-openssl-1.1.diff.gz | patch -p1 --verbose || exit 1 make $NUMJOBS || make || exit 1 diff --git a/source/n/vsftpd/vsftpd.link-with-openssl-1.1.diff b/source/n/vsftpd/vsftpd.link-with-openssl-1.1.diff deleted file mode 100644 index 2ef819a5..00000000 --- a/source/n/vsftpd/vsftpd.link-with-openssl-1.1.diff +++ /dev/null @@ -1,16 +0,0 @@ ---- ./vsf_findlibs.sh.orig 2012-03-27 21:17:41.000000000 -0500 -+++ ./vsf_findlibs.sh 2018-05-07 16:10:58.744003755 -0500 -@@ -68,10 +68,10 @@ - # Solaris sendfile - locate_library /usr/lib/libsendfile.so && echo "-lsendfile"; - --# OpenSSL --if find_func SSL_library_init ssl.o; then -+# Always link with OpenSSL: -+#if find_func SSL_library_init ssl.o; then - echo "-lssl -lcrypto"; --fi -+#fi - - exit 0; - |