#991329 vsftpd: CVE-2021-3618

Package:
src:vsftpd
Source:
vsftpd
Submitter:
Moritz Mühlenhoff
Date:
2025-01-20 12:15:02 UTC
Severity:
important
Tags:
#991329#5
Date:
2021-07-20 20:20:58 UTC
From:
To:
Hi,

The following vulnerability was published for vsftpd.

https://alpaca-attack.com/ affects vsftpd. It was fixed in the 3.0.4
release; these should be the relevant parts of
https://security.appspot.com/vsftpd/Changelog.txt:

* Close the control connection after 10 unknown commands pre-login.
* Reject any TLS ALPN advertisement that's not 'ftp'.
* Add ssl_sni_hostname option to require a match on incoming SNI hostname.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3618

Please adjust the affected versions in the BTS as needed.
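
The three changelog entries quoted above can be modelled as pre-login checks. The sketch below is an added example, not part of the bug report and not vsftpd's code. The set of accepted pre-login verbs, the strict reading of the ALPN rule, the case-insensitive SNI comparison, the hostnames and the sample request are all assumptions constructed for illustration.

```python
"""Model of the three pre-login checks listed in the vsftpd 3.0.4 changelog."""
from __future__ import annotations

MAX_UNKNOWN_PRELOGIN = 10  # threshold taken from the changelog entry
# Assumption: illustrative verbs accepted before login, not vsftpd's own list.
PRELOGIN_COMMANDS = {"USER", "PASS", "AUTH", "PBSZ", "PROT", "FEAT", "QUIT"}


def parse_alpn(wire: bytes) -> list[bytes]:
    """Split an ALPN protocol list (RFC 7301: 1-byte length, then the name)."""
    names, i = [], 0
    while i < len(wire):
        n = wire[i]
        if n == 0 or i + 1 + n > len(wire):
            raise ValueError("malformed ALPN list")
        names.append(wire[i + 1:i + 1 + n])
        i += 1 + n
    return names


def handshake_allowed(alpn_wire: bytes | None, sni: str | None,
                      required_sni: str | None) -> bool:
    """Assumed policy: no ALPN is accepted; if sent, every name must be 'ftp'."""
    if alpn_wire is not None:
        try:
            if any(name != b"ftp" for name in parse_alpn(alpn_wire)):
                return False
        except ValueError:
            return False  # a list that does not parse is rejected as well
    # Models ssl_sni_hostname: when set, the client's SNI must match it.
    if required_sni is not None and (sni or "").lower() != required_sni.lower():
        return False
    return True


def closes_at(lines: list[str]) -> int | None:
    """1-based line at which the control connection is closed, else None."""
    unknown = 0
    for idx, line in enumerate(lines, 1):
        verb = line.split(" ", 1)[0].strip().upper()
        if verb not in PRELOGIN_COMMANDS:
            unknown += 1
            if unknown >= MAX_UNKNOWN_PRELOGIN:
                return idx
    return None


# Constructed input: an HTTP request that reached the FTP control channel.
HTTP_REQUEST = ["POST /upload HTTP/1.1", "Host: www.example.org"] + [
    f"X-Header-{i}: v" for i in range(12)]
```

Each check fails closed on its own: a browser-style handshake is refused on ALPN or SNI, and a request that still reaches the control channel is cut off at its tenth unrecognised line.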

#991329#18
Date:
2025-01-15 11:30:45 UTC
From:
To:
Dear maintainer,

I've prepared an NMU for vsftpd (versioned as 3.0.5-0.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards.

#991329#23
Date:
2025-01-20 12:10:59 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Hofstaedtler <zeha@debian.org> (supplier of updated vsftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 15 Jan 2025 12:19:33 +0100
Source: vsftpd
Architecture: source
Version: 3.0.5-0.1
Distribution: unstable
Urgency: medium
Maintainer: Keng-Yu Lin <kengyu@debian.org>
Changed-By: Chris Hofstaedtler <zeha@debian.org>
Closes: 975585 991329
Changes:
 vsftpd (3.0.5-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release. (Closes: #991329)
     Fixes CVE-2021-3618
 .
   [ Svante Signelle ]
   * Fix init script for Hurd (Closes: #975585)