----------------------- testreport log -------------------------------

SUMMARY: FAILED

comment: Regression has been found, since the new option CipherSuite produces an error and prevents the establishment of a TLS1 connection with the remote host using the ftp protocol. The other two bug-reports were fixed in the previous version.

$Author: pgeorgiadis $

Products:       SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP3 (i386, x86_64), SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP3 (i386, x86_64)
Category:       security
SAT Patch No:   9944
MD5 sum:        ac2aba5516857ac48ef10e9ae01e12a2
SUBSWAMPID:     59609
Packager:       tchvatal@suse.com
Bugs:           902229, 828469, 856424
Repository:     http://hilbert.nue.suse.com/abuildstat/patchinfo/ac2aba5516857ac48ef10e9ae01e12a2/
Packages:       pure-ftpd >= 1.0.22-3.23.1
SRCRPMs:        pure-ftpd

Test Plan Reviewers: Johannes Segitz <jsegitz@suse.com>

Testplatform: base=sles(major=11,minor=sp3);arch=[i386,s390x,x86_64]
Testplatform: base=sled(major=11,minor=sp3);arch=[i386,x86_64]

#############################
Test results by product-arch:
#############################

sled11sp3-i386 (reference host: bashir.qam.suse.de)
--------------
  before: pure-ftpd-1.0.22-3.21.1
  after:  pure-ftpd-1.0.22-3.23.1
  scripts:
    all_updated        : SUCCEEDED
    dependencies       : SUCCEEDED
    from_same_srcrpm   : SUCCEEDED
    initrd_state       : SUCCEEDED
    multiple-owners    : SUCCEEDED
    new_dependencies   : SUCCEEDED
    new_licenses       : SUCCEEDED
    vendor_and_disturl : SUCCEEDED
  => PASSED
  comment: (none)

sled11sp3-x86_64 (reference host: jadzia.qam.suse.de)
----------------
  before: pure-ftpd-1.0.22-3.21.1
  after:  pure-ftpd-1.0.22-3.23.1
  scripts:
    all_updated        : SUCCEEDED
    dependencies       : SUCCEEDED
    from_same_srcrpm   : SUCCEEDED
    initrd_state       : SUCCEEDED
    multiple-owners    : SUCCEEDED
    new_dependencies   : SUCCEEDED
    new_licenses       : SUCCEEDED
    vendor_and_disturl : SUCCEEDED
  => PASSED
  comment: (none)

sles11sp3-i386 (reference host: dukat.qam.suse.de)
--------------
  before: pure-ftpd-1.0.22-3.21.1
  after:  pure-ftpd-1.0.22-3.23.1
  scripts:
    all_updated        : SUCCEEDED
    dependencies       : SUCCEEDED
    from_same_srcrpm   : SUCCEEDED
    initrd_state       : SUCCEEDED
    multiple-owners    : SUCCEEDED
    new_dependencies   : SUCCEEDED
    new_licenses       : SUCCEEDED
    vendor_and_disturl : SUCCEEDED
  => PASSED
  comment: (none)

sles11sp3-s390x (reference host: s390vsw068.suse.de)
---------------
  before: pure-ftpd-1.0.22-3.21.1
  after:  pure-ftpd-1.0.22-3.23.1
  scripts:
    all_updated        : SUCCEEDED
    dependencies       : SUCCEEDED
    from_same_srcrpm   : SUCCEEDED
    initrd_state       : SUCCEEDED
    multiple-owners    : SUCCEEDED
    new_dependencies   : SUCCEEDED
    new_licenses       : SUCCEEDED
    vendor_and_disturl : SUCCEEDED
  => PASSED
  comment: (none)

sles11sp3-x86_64 (reference host: sisko.qam.suse.de)
----------------
  before: pure-ftpd-1.0.22-3.21.1
  after:  pure-ftpd-1.0.22-3.23.1
  scripts:
    all_updated        : SUCCEEDED
    dependencies       : SUCCEEDED
    from_same_srcrpm   : SUCCEEDED
    initrd_state       : SUCCEEDED
    multiple-owners    : SUCCEEDED
    new_dependencies   : SUCCEEDED
    new_licenses       : SUCCEEDED
    vendor_and_disturl : SUCCEEDED
  => PASSED
  comment: (none)

########################
notes for/by the tester:
########################

Bug #902229 ("VUL-0: CVE-2014-3566: pure-ftpd: FTP sus..."):
------------------------------------------------------------
https://bugzilla.suse.com/show_bug.cgi?id=902229

REPRODUCER_PRESENT:     YES
REPRODUCER_COVERAGE:    YES
REPRODUCER_APPLICABLE:  YES
REPRODUCER_WORKING:     YES
REPRODUCER_AUTOMATABLE: YES

...
setup - configuration you need:

# Make sure you are using the vulnerable version of pure-ftpd (pure-ftpd 1.0.22-3.21.1)
zypper se -s pure-ftpd
S | Name              | Type       | Version       | Arch   | Repository
--+-------------------+------------+---------------+--------+-----------------------
i | pure-ftpd         | package    | 1.0.22-3.21.1 | x86_64 | SLE11SP3-SERVER-UPDATE   <-- version check confirmed
v | pure-ftpd         | package    | 1.0.22-3.19.1 | x86_64 | SLE11SP3-SERVER
  | pure-ftpd         | srcpackage | 1.0.22-3.21.1 | noarch | SLE11SP3-SERVER-UPDATE
  | slessp3-pure-ftpd | patch      | 9849          | noarch | SLE11SP3-SERVER-UPDATE

# Create the OpenSSL cert
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem

# Stop and restart (loading the configuration) the pure-ftpd daemon
service pure-ftpd stop
/usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf   # starts the service using the configuration from /etc/pure-ftpd/pure-ftpd.conf

# Configure syslog-ng to write the FTP logs to a separate file
vim /etc/syslog-ng/syslog-ng.conf
# and add
destination d_ftp { file("/var/log/pure-ftpd.log"); };
filter f_ftp { facility(ftp); };
log { source(src); filter(f_ftp); destination(d_ftp); };

# restart syslog-ng
killall -HUP syslogd

# Monitor /var/log/pure-ftpd.log
tail -f /var/log/pure-ftpd.log

# Test commands
for SSL3: openssl s_client -starttls ftp -ssl3 -connect sisko.qam.suse.de:21
for SSL2: openssl s_client -starttls ftp -ssl2 -connect sisko.qam.suse.de:21
for TLS1: openssl s_client -starttls ftp -tls1 -connect sisko.qam.suse.de:21

# Start testing -> Please check the following table (overview)

State  Config                        | SSL3  | SSL2  | TLS1  || Command-Line
==========================================================================================================================================================================================
before Default                       | --    | -     | --    || /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
before TLS 1 Verbose                 | works | works | works || /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1
==========================================================================================================================================================================================
after  Default                       | --    | -     | --    || /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
after  TLS 1 Verbose                 | works | works | works || /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
after  TLS 1 Verbose CipherSuite [*] | ---   | ---   | ---   || /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  ^ Regression found (last line: after, TLS 1, Verbose, CipherSuite)

Explanation:
  'before' means:  the vulnerable version pure-ftpd-1.0.22-3.21.1
  'after' means:   the new patched version pure-ftpd-1.0.22-3.23.1
  'default' means:
    no changes in /etc/pure-ftpd/pure-ftpd.conf
  'TLS 1 Verbose' means:
    # configure pure-ftpd to accept TLS authentication
    --> edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: '# TLS 1' ==> 'TLS 1'
    # configure pure-ftpd to log itself as ftp in syslog-ng
    --> edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: 'VerboseLog no' ==> 'VerboseLog yes'
  'CipherSuite' means:
    # configure pure-ftpd to use the new CipherSuite option that fixes the problem
    --> edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: '#TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3' ==> 'TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'
  '-' means:
    CONNECTED(00000003)
    (I have to press CTRL+C - it hangs there)
  '--' means:
    CONNECTED(00000003)
    56309:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:281:
  '---' means:
    socket: Connection refused
    connect:errno=111
  '[*]' means:
    Nov 18 14:57:29 s390vsw068 pure-ftpd: (?@?) [ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'
    -> it seems that this new option is not valid
  'works' means:
    Nov 18 14:55:45 s390vsw068 pure-ftpd: (?@10.161.157.68) [DEBUG] Command [auth] [TLS]
    Nov 18 14:55:45 s390vsw068 pure-ftpd: (?@10.161.157.68) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-SHA, 256 secret bits cipher
    (I am pressing CTRL+C)
    Nov 18 14:55:47 s390vsw068 pure-ftpd: (?@10.161.157.68) [INFO] Logout.

Comments:
[1] after applying the update, the new option 'TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3' is not used by default; it is commented out
[2] if enabled, then TLS1 fails (which should not happen) along with SSL3 and SSL2
[3] if enabled, and if you monitor syslog-ng, you will catch an error:
    pure-ftpd: (?@?) [ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'

According to the bug-report, it should be:

          BEFORE | AFTER
    -------------------------
    SSL3:  YES   | NO
    SSL2:  YES   | NO
    TLS1:  YES   | YES

but what I got is:

          BEFORE | AFTER
    -------------------------
    SSL3:  YES   | NO
    SSL2:  YES   | NO
    TLS1:  YES   | NO      <- TLS1 is not working, but it was supposed to

After some searching I found out that in the online documentation on github they have added a new README (https://github.com/jedisct1/pure-ftpd/blob/master/README) with the description "Disabling SSLv3 was already supported", and they say that:

  - '-J <ciphers>': Sets the list of ciphers that will be accepted for SSL/TLS connections. For example: -J -S:HIGH:MEDIUM
    Prefixing the list with -S: totally disables SSLv3, which is highly recommended if you don't have to support old clients. SSLv2 is always disabled.

The part about using the '-S' flag is missing from our documentation (manpage). Also, the code for this command doesn't seem to be backported. I did a diff between github's ftpd.c and our package's ftpd.c and searched for the "case 'J'" which is used for the CipherSuite:

wget http://qam.suse.de/testreports/ac2aba5516857ac48ef10e9ae01e12a2/diff
panos@g82:~> cat diff | grep -A 10 -- "case 'J'"
+case 'J': {
+if (strncmp(optarg, "-S:", sizeof "-S:" - (size_t) 1U) == 0) {
+optarg += sizeof "-S:" - (size_t) 1U;
+ssl_disabled = 1;
+}
+if ((tlsciphersuite = strdup(optarg)) == NULL) {
+die_mem();
+}
+break;
+}
+#endif

As you can see, the implementation of '-S' that prevents SSLv3 is missing from our source code.

In addition, the only option that doesn't produce an error in the configuration file is
--> TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Testing this one, SSLv2 is blocked while SSLv3 and TLS1 are allowed.
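Review bot: in the quoted `case 'J'` hunk the `-S:` prefix only sets `ssl_disabled = 1`; none of the visible lines read that flag, so backporting just this block would make `-S:` parse and change nothing, and the code that turns `ssl_disabled` into an actual refusal of SSLv3 has to be brought over with it. On the same lines, when optarg is exactly `-S:` the `optarg += sizeof "-S:" - (size_t) 1U` leaves an empty string and `tlsciphersuite` is set to `""`, which is then handed on as a cipher list; rejecting an empty list right after the prefix strip would give a clearer error than a failed cipher-list setup later. The trailing `+#endif` also shows the block sits under a preprocessor guard whose `#if` is outside the quoted context, so the backport needs that guard too.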
Mind also that TLSv1 ciphers are flagged as SSLv3 (I don't know if this is relevant):

openssl ciphers -v 'TLSv1' | sort
ADH-AES128-SHA          SSLv3 Kx=DH   Au=None Enc=AES(128)      Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH   Au=None Enc=AES(256)      Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH   Au=None Enc=Camellia(128) Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH   Au=None Enc=Camellia(256) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH   Au=None Enc=3DES(168)     Mac=SHA1
ADH-DES-CBC-SHA         SSLv3 Kx=DH   Au=None Enc=DES(56)       Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH   Au=None Enc=RC4(128)      Mac=MD5
AES128-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)      Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)      Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA  Au=RSA  Enc=Camellia(128) Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA  Au=RSA  Enc=Camellia(256) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168)     Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA  Au=RSA  Enc=DES(56)       Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(128)      Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(256)      Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH   Au=DSS  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH   Au=DSS  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)      Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)      Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH   Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH   Au=RSA  Enc=Camellia(256) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168)     Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH   Au=DSS  Enc=DES(56)       Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168)     Mac=SHA1
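The '[*]' error and the "TLSv1 ciphers are flagged as SSLv3" observation can both be checked without a pure-ftpd host: pure-ftpd hands TLSCipherSuite to OpenSSL's SSL_CTX_set_cipher_list(), and Python's ssl.SSLContext.set_ciphers() is a thin wrapper over the same call. The following is an added example, not part of the test report, that feeds the report's three cipher strings through it: '+!SSLv3' stacks two modifiers on one entry, which OpenSSL's cipher-list parser rejects as a whole (the "Invalid TLSCipherSuite specified" line), while a plain '!SSLv3' parses but also removes every suite shared between SSLv3 and TLS 1.0, which is why a protocol-level switch such as upstream's '-S:' prefix, not a cipher-list filter, is the right tool for disabling SSLv3. The labels in CIPHER_STRINGS are constructed; the strings themselves are the ones on the page.

```python
import ssl

# The TLSCipherSuite strings discussed in the test report (labels constructed here).
CIPHER_STRINGS = {
    "shipped, commented out": "HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3",
    "parses, keeps SSLv3":    "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3",
    "parses, drops SSLv3":    "HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3",
}


def cipher_string_error(cipher_string):
    """Return None if OpenSSL accepts the cipher string, else the error text.

    set_ciphers() wraps SSL_CTX_set_cipher_list(), the call pure-ftpd makes
    with TLSCipherSuite, so a string rejected here is one that would produce
    the "Invalid TLSCipherSuite specified" log line on the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return str(exc)
    return None


def suites_by_protocol(cipher_string):
    """Count the suites a cipher string selects, keyed by the minimum protocol
    version OpenSSL reports for each (the column 'openssl ciphers -v' prints).
    Suites keyed 'SSLv3' are the ones shared by SSLv3 and TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    counts = {}
    for suite in ctx.get_ciphers():
        counts[suite["protocol"]] = counts.get(suite["protocol"], 0) + 1
    return counts


if __name__ == "__main__":
    for label, cs in CIPHER_STRINGS.items():
        err = cipher_string_error(cs)
        if err is not None:
            print(f"{label:24} REJECTED  {cs}\n{'':24} {err}")
        else:
            print(f"{label:24} accepted  {cs}\n{'':24} {suites_by_protocol(cs)}")
```

Which suites survive '!SSLv3' depends on the OpenSSL build Python links against: a current build keeps its TLS 1.2 and 1.3 suites, whereas an OpenSSL with nothing above TLS 1.0, such as the 0.9.8 series on SLE 11, would be left with no suites for a TLS1 client at all.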