
pyftpd_0.8.4.6+lenny1 upload to stable



the patch...

-- 
 -----------------------------------------------------------
| Radovan Garabík http://kassiopeia.juls.savba.sk/~garabik/ |
| __..--^^^--..__    garabik @ kassiopeia.juls.savba.sk     |
 -----------------------------------------------------------
Antivirus alert: file .signature infected by signature virus.
Hi! I'm a signature virus! Copy me into your signature file to help me spread!
diff -Nru pyftpd-0.8.4.6/auth_db_config.py pyftpd-0.8.4.6+lenny1/auth_db_config.py
--- pyftpd-0.8.4.6/auth_db_config.py	2001-01-11 13:03:52.000000000 +0100
+++ pyftpd-0.8.4.6+lenny1/auth_db_config.py	2010-06-14 16:29:56.000000000 +0200
@@ -1,5 +1,8 @@
-passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
- ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
- ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]
+passwd = [
+# commented out by default - use /usr/share/pyftpd/conf_auth_db.py to change/add users
+#('test', 'test', 'CY9rzUYh03PK4k6DJie09g=='),
+# ('user', 'users', '7hHLsZBS6AsHqsDKBgwj7g=='),
+# ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')
+]
 
 
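Review bot: The third commented-out example, ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A=='), still carries the exact hash from the removed line, while the 'test' and 'user' hashes were each changed by one character. An admin who uncomments the examples as a template would bring the previously shipped 'roxon' entry back unchanged. Either replace all three hashes with an obviously non-functional placeholder, or drop the examples and keep only the pointer to /usr/share/pyftpd/conf_auth_db.py.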
diff -Nru pyftpd-0.8.4.6/config.py pyftpd-0.8.4.6+lenny1/config.py
--- pyftpd-0.8.4.6/config.py	2006-11-07 22:29:24.000000000 +0100
+++ pyftpd-0.8.4.6+lenny1/config.py	2010-06-17 15:31:27.000000000 +0200
@@ -3,7 +3,8 @@
 do_debug = 0
 sbufsize = 16000 # size of send buffer
 rbufsize = 16000 # size of receive buffer
-modules = ['auth_anonymous_module',
+modules = [
+# 'auth_anonymous_module',
  'auth_db_module',
  'ban_module',
  'fs_chroot_module',
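Review bot: The commented-out 'auth_anonymous_module' entry has no explanation, unlike the auth_db_config.py change, which says why its entries are disabled and how to add users. Add a one-line comment above it saying that anonymous access is off by default (CVE-2010-2073 in the changelog) and that uncommenting the line enables it, so a later edit of the modules list does not re-enable it by accident.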
diff -Nru pyftpd-0.8.4.6/debian/changelog pyftpd-0.8.4.6+lenny1/debian/changelog
--- pyftpd-0.8.4.6/debian/changelog	2008-07-27 20:42:16.000000000 +0200
+++ pyftpd-0.8.4.6+lenny1/debian/changelog	2010-06-17 15:38:19.000000000 +0200
@@ -1,3 +1,13 @@
+pyftpd (0.8.4.6+lenny1) stable-security; urgency=high
+
+  * SECURITY: change default configuration - do not include any 
+    default users, disable anonymous access - CVE-2010-2073 
+    (closes: #585776)
+  * SECURITY: change default logging file to /dev/null - 
+    CVE-2010-2072 (closes: #585773)
+
+ -- Radovan Garabík <garabik@kassiopeia.juls.savba.sk>  Wed, 16 Jun 2010 19:42:14 +0200
+
 pyftpd (0.8.4.6) unstable; urgency=low
 
   * remove non-free rfc959.txt.gz (closes: #480376)
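Review bot: The new changelog header targets stable-security, while the mail subject describes an upload to stable; the distribution field should name the queue the package is actually going to. Two smaller points in the same entry: the lines ending "do not include any", "CVE-2010-2073" and "to /dev/null -" carry trailing whitespace, and the trailer date (16 Jun 2010) is earlier than the 2010-06-17 timestamps on config.py and on the changelog itself in this diff.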
diff -Nru pyftpd-0.8.4.6/log_simple_config.py pyftpd-0.8.4.6+lenny1/log_simple_config.py
--- pyftpd-0.8.4.6/log_simple_config.py	2001-12-02 19:14:42.000000000 +0100
+++ pyftpd-0.8.4.6+lenny1/log_simple_config.py	2010-06-14 16:57:52.000000000 +0200
@@ -1 +1 @@
-logfile = "/tmp/pyftpd.log"
+logfile = "/dev/null"
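Review bot: Setting logfile = "/dev/null" removes the fixed path under /tmp but also means a default install keeps no record of logins or transfers at all. Consider defaulting to a file in a directory that only the daemon's user can write to (for example under /var/log), or at least add a comment next to the setting telling the admin to point it at such a location if logging is wanted.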
