Product SiteDocumentation Site

1.237.  vsftpd

1.237.1.  RHBA-2009:1068: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1068
An updated vsftpd package that fixes a bug is now available.
The vsftpd package includes a Very Secure FTP (File Transfer Protocol) daemon.
This updated vsftpd package fixes the following bug:
  • previously, the length of vsftpd usernames was limited to 32 characters in length. With this updated package, the maximum length of vsftpd usernames has been increased to 128 characters. (BZ#496846)
All users of vsftpd are advised to upgrade to this updated package, which resolves this issue.

1.237.2.  RHBA-2009:1282: bug fix update

A vsftpd update that increases the maximum username length and fixes several bugs is now available.
The vsftpd package deploys the Very Secure File Transfer Protocol daemon. This daemon enables secure and fast FTP service on Unix-like systems, providing SSL encryption, IPv6, bandwidth throttling, PAM integration, virtual users, virtual IPs and per-user/per-IP configuration.
This update applies the following bug fixes:
  • in Red Hat Enterprise Linux 5, the default value for the 'background' option was changed to 'NO'. This revealed a race condition in the way vsftpd processed signals whenever child processes were forked. As a result of this race condition, attempts to run vsftpd could fail without returning an error code if another FTP service was also running. In this situation, a user would not be notified that vsftpd failed to run. This update implements extra routines for signal handling that fixes the race condition, ensuring that vsftpd returns a proper error code whenever it fails to start. (BZ#236707)
  • the init script for this update is now POSIX-compliant. This corrects a bug that could cause vsftpd to incorrectly return a zero exit code when it failed to start. (BZ#431451)
  • a bug in the dependencies between vsftpd parent and child processes allowed those child processes to run even though their parent process was already terminated. As such, terminating the vsftpd service did not reliably stop all FTP connections initiated by vsftpd, which could pose a security risk. This update fixes the child-parent process dependency bug by adding several functions that terminate all vsftpd child processes whenever their parent process is stopped. (BZ#441485)
  • a bug caused the vsftpd daemon to not properly shut down SSL (Secure Socket Layer) data connections, which led to interoperability problems between the vsftpd daemon and client programs such as FileZilla. This has been fixed in this update so that vsftpd no longer causes problems with client applications. (BZ#459607)
  • in previous versions of vsftpd, /etc/vsftpd/vsftpd.conf specified /var/log/vsftpd.log as its default log file. However, this was different from the specified default log file (i.e. /var/log/xferlog) in /etc/logrotate.d/vsftpd.log. This prevented the logrotate script from finding -- and consequently, rotating -- the vsftpd log file, resulting in an unnecessarily large vsftpd log. This update corrects this issue by specifying /var/log/xferlog as its default log file in /etc/vsftpd/vsftpd.conf, which enables log rotation on vsftpd log files. (BZ#460067)
  • this update also fixes several typographical errors in the documentation of some parameters in the vsftpd man page. (BZ#478526)
  • vsftpd cannot locate usernames specified by the chown_username parameter if the username is trailed by whitespace. This update contains a workaround that trims trailing whitespaces from username values of chown_username. (BZ#486259)
  • the maximum username length is now 128 characters. In previous versions, the maximum username was only 32 characters. (BZ#486524)
  • the DNS reverse lookup feature was implemented without any way to disable it. This update contains the parameter 'reverse_lookup_enable', which allows users to enable or disable the DNS reverse lookup functionality. (BZ#498548)
Users of vsftpd are advised to upgrade to this update.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.