the patch... -- ----------------------------------------------------------- | Radovan Garabík http://kassiopeia.juls.savba.sk/~garabik/ | | __..--^^^--..__ garabik @ kassiopeia.juls.savba.sk | ----------------------------------------------------------- Antivirus alert: file .signature infected by signature virus. Hi! I'm a signature virus! Copy me into your signature file to help me spread!
diff -Nru pyftpd-0.8.4.6/auth_db_config.py pyftpd-0.8.4.6+lenny1/auth_db_config.py
--- pyftpd-0.8.4.6/auth_db_config.py 2001-01-11 13:03:52.000000000 +0100
+++ pyftpd-0.8.4.6+lenny1/auth_db_config.py 2010-06-14 16:29:56.000000000 +0200
@@ -1,5 +1,8 @@
-passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
- ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
- ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]
+passwd = [
+# commented out by default - use /usr/share/pyftpd/conf_auth_db.py to change/add users
+#('test', 'test', 'CY9rzUYh03PK4k6DJie09g=='),
+# ('user', 'users', '7hHLsZBS6AsHqsDKBgwj7g=='),
+# ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')
+]
diff -Nru pyftpd-0.8.4.6/config.py pyftpd-0.8.4.6+lenny1/config.py
--- pyftpd-0.8.4.6/config.py 2006-11-07 22:29:24.000000000 +0100
+++ pyftpd-0.8.4.6+lenny1/config.py 2010-06-17 15:31:27.000000000 +0200
@@ -3,7 +3,8 @@
 do_debug = 0
 sbufsize = 16000 # size of send buffer
 rbufsize = 16000 # size of receive buffer
-modules = ['auth_anonymous_module',
+modules = [
+# 'auth_anonymous_module',
 'auth_db_module',
 'ban_module',
 'fs_chroot_module',
diff -Nru pyftpd-0.8.4.6/debian/changelog pyftpd-0.8.4.6+lenny1/debian/changelog
--- pyftpd-0.8.4.6/debian/changelog 2008-07-27 20:42:16.000000000 +0200
+++ pyftpd-0.8.4.6+lenny1/debian/changelog 2010-06-17 15:38:19.000000000 +0200
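Review bot: The commented-out sample rows in `passwd` still ship credential hashes, and the `roxon` row is byte-identical to the removed one, so uncommenting it restores a publicly known default account (the `test` and `user` hashes differ from the removed ones by one character each, which looks deliberate but is not explained). The 24-character base64 values decode to 16 bytes, which suggests an unsalted MD5-sized digest, though that is inferred from length only. I would drop the sample rows and keep a format-only example such as `# ('<username>', '<group>', '<hash written by conf_auth_db.py>'),`. Existing installs that keep their old configuration file would presumably still carry the three default accounts, so the upgrade notes should tell admins to check `passwd`.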
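Review bot: The disabled `'auth_anonymous_module'` entry in `modules` has no comment saying why it is off, so an admin who re-enables it gets no hint that doing so opens unauthenticated access (the changelog ties this change to CVE-2010-2073). I would add above it `# anonymous login is disabled by default; uncomment only if unauthenticated access is intended`. The `modules` list continues past the end of the hunk, so the remaining entries are not visible here.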
@@ -1,3 +1,13 @@
+pyftpd (0.8.4.6+lenny1) stable-security; urgency=high
+
+ * SECURITY: change default configuration - do not include any
+ default users, disable anonymous access - CVE-2010-2073
+ (closes: #585776)
+ * SECURITY: change default logging file to /dev/null -
+ CVE-2010-2072 (closes: #585773)
+
+ -- Radovan Garabík <garabik@kassiopeia.juls.savba.sk> Wed, 16 Jun 2010 19:42:14 +0200
+
 pyftpd (0.8.4.6) unstable; urgency=low
 * remove non-free rfc959.txt.gz (closes: #480376)
diff -Nru pyftpd-0.8.4.6/log_simple_config.py pyftpd-0.8.4.6+lenny1/log_simple_config.py
--- pyftpd-0.8.4.6/log_simple_config.py 2001-12-02 19:14:42.000000000 +0100
+++ pyftpd-0.8.4.6+lenny1/log_simple_config.py 2010-06-14 16:57:52.000000000 +0200
@@ -1 +1 @@
-logfile = "/tmp/pyftpd.log"
+logfile = "/dev/null"
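Review bot: Pointing `logfile` at `/dev/null` removes the predictable `/tmp/pyftpd.log` path but also leaves the daemon with no record of logins or transfers by default, which hurts detection and incident response for a network-facing FTP service. A default inside a directory writable only by the service account would keep the audit trail without the shared-/tmp exposure, e.g. `logfile = "<path under a root-owned log directory>"`. How the logging module opens the file is outside this hunk, so it is worth confirming that it neither follows symlinks nor creates the file with permissive modes.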