psa-proftpd 1.3.2-1

Atomic repository announcements, new release notifications and other news regarding the atomic yum repository.

Unread post by scott »

Published to the [atomic-testing] channel, this release candidate should resolve the following issues:

- Filezilla TLS mode (I found I had to use explicit TLS mode)
- Bug 3169 - Multiple RewriteRules for the same RewriteCondition not processed
properly.
- Bug 3171 - ExtendedLog should log full SITE command using %m.
- Bug 3173 - Encoding-dependent SQL injection vulnerability.
- Bug 2045 - SQLShowInfo should not be displayed when query returns no data.
- Bug 2915 - mod_rewrite does not work well for SITE commands.
- Bug 1636 - GroupRatio does not check user's supplemental group membership.
- Bug 3137 - ProFTPD does not log filename %f for uploaded files.
- Bug 3142 - "Invalid number of arguments MFMT" due to spaces in path argument.
- Bug 3144 - mod_dynmasq returns same IP address, even though actual IP
address has changed.
- Bug 3040 - Support for CreateHome parent directories owned by user.
- Added Russian translation.
- Bug 2020 - HideFiles sometimes fails.
- Bug 3146 - <Directory> paths using glob characters may not match as expected.
- Bug 3147 - Comma-delimited commands in <Limit> sections not handled properly.
- Bug 3149 - Bad handling of %p, %V, and %v variables in mod_sql.
- Bug 3150 - mod_facl erroneously assumes no permissions, rather than all
permissions, in some cases.
- Bug 3159 - mod_rewrite build fails due to missing mode argument in open(2)
call on some platforms.
- Bug 3114 - Bad handling of uid/gid parameters for CreateHome.
- Bug 3115 - Cross-site request forgery.
- Bug 3116 - SQLNegativeCache with no group info can cause segfault.
- Bug 3117 - Authentication improperly allowed (Bug#2922 regression).
- Bug 3119 - Search for libcap2 in addition to libcap for mod_cap support.
- Bug 3120 - WrapTables not allowed in <Anonymous> context.
- Bug 3122 - iconv() not detected properly on FreeBSD when --enable-nls is used.
- Bug 3124 - mod_sql improperly substitutes variables in user/group names.
- Bug 3089 - Memory pool double-free on session exit after aborted data
transfer.
- Bug 3092 - FSIO API needs mechanism for allowing registered FS handlers to
permit atomic renames.
- Bug 2767 - gcc 4.0/amd64 warnings.
- Bug 3126 - Segfault in mod_sql_sqlite when user belongs to multiple groups.
- Bug 3130 - HideFiles can cause segfault.
- Bug 3131 - Session process uses 100% CPU after aborted transfer.
- Bug 3132 - Handling of SIGABRT signal leads to endless loop.
- Bug 3073 - Command arguments not decoded properly in some places.
- Bug 3135 - Aborting a download can lead to segfault in some cases.
- Added Chinese translation
- Bug 3076 - RPM build failing on 64 bit OS due to incomplete .spec.
- Bug 3082 - Use "DEFAULT" keyword instead of "ALL" for Trace directive.
Hopefully the "DEFAULT" keyword will be more accurate, more descriptive
of the actual functionality triggered by the keyword.
- Bug 3083 - Multiple issues with handling of <Class> definitions.
- Bug 3077 - Transparently handle the X-variant commands when checking
<Limit> permissions.
- Bug 3036 - Quota information not persisted if session ends abruptly.
- Bug 3094 - Perform unidirectional SSL/TLS shutdown on data connections.
- Bug 3096 - libcap version errors on newer Linux kernel.
- Bug 3074 - Support configure option for pkgconfig .pc file install
location.
- Bug 3095 - TLSPassphraseProvider port number truncated.
- Bug 3099 - Add trace logging of filesystem permission errors. To see
this additional logging, use Trace logging, and configure it to log
the "fileperms" log channel.
- Bug 3100 - Support ftpmail options for sending emails only for specific
users. See doc/contrib/ftpmail.html for more details.
- Bug 3030 - GroupOwner should work for all groups. Previously, GroupOwner
(without using UserOwner) could fail, if the user did not belong to
the specified group. Now proftpd will automatically detect, when
handling GroupOwner, when root privileges need to be used for the
configured group.
- Bug 3101 - mod_wrap2 does not compile on FreeBSD with custom includes.
- Bug 3098 - Socket descriptor leak when using syslog logging, especially at
SyslogLevel 'notice' or higher.
- Bug 3055 - Support Display variable for specifying the timestamp format.
See doc/howto/DisplayFiles.html for more information.
- Bug 2537 - mod_sql does not support %{...}t variable. SQLNamedQuery
statements can now use "%{time:...}" variables for formatting time strings
using strftime(3).
- Bug 2564 - Improper logging of "max connections per host". The issue was
one of the timing of the logging of the "Login successful" message. Now
it happens as part of a LOG_CMD handler for the PASS command.
- Bug 3104 - Syslog logging does not work on Mac OS X.
- Bug 2991 - Need a `prxs' (ProFTPD Extensions) command-line tool for building
shared modules without proftpd source.
- Bug 3106 - Add support for Mac OSX 10.5 sendfile.
- Bug 3107 - TLSProtocol supports misleading "SSLv23" parameter.
- Bug 3108 - Support removing MLST from FEAT list. The mod_facts module
now supports a FactsAdvertise directive; see doc/modules/mod_facts.html
for details.
- Bug 3109 - Errors with file uploads logged but not reported to clients.
- Bug 3112 - Uploaded files are not removed if close() fails.
- Bug 2978 - Support more verbose OpenSSL diagnostic logging. There is now
support for an "EnableDiags" TLSOptions setting, which logs a lot of
SSL/TLS protocol information to the TLSLog.
- Bug 2969 - Allow APPE after REST.
- Bug 2983 - Use getgrouplist(3) for group lookup, if available. This may
potentially speed up the group membership lookup on some systems.
- Bug 2984 - mod_auth_file uid2name() does not cache results causing slow LIST
response.
- Bug 2925 - Add caching of IP address and DNS name lookups. This may help
speed up data transfers, especially rapid-fire data transfers as used by
"download accelerators".
- Bug 2979 - Ability to ban clients which connect too often. The mod_ban
module now supports a "ClientConnectRate" BanOnEvent rule.
- Bug 2987 - Verbose ban information (i.e. 'ftpdctl ban info -v') not working
on FreeBSD.
- Bug 2986 - Authoritative PAM is not honored.
- Bug 2988 - mod_wrap2_file ignores "ALL" keyword.
- Bug 2982 - Support limit on number of simultaneous file transfers from one
client. Two new configuration directives, MaxTransfersPerHost and
MaxTransfersPerUser, have been added.
- Bug 2386 - Controls should use kernel-enforced credentials where possible.
- Added mod_dynmasq contrib module. See doc/contrib/mod_dynmasq.html for
more information.
- Bug 2968 - Ability to allow protection on control channel, but reject
protection on data channel. See doc/contrib/mod_tls.html#TLSRequired
for details.
- Added mod_unique_id contrib module. See doc/contrib/mod_unique_id.html
for details.
- Bug #2990 - TLSCryptoDevice does not work.
- Bug #2989 - Unable to authenticate users if RadiusUserInfo is not configured.
- Bug #2937 - Should list modules (with versions) for modules loaded as DSOs.
The -vv command-line option now shows all modules (and versions), both
static and shared. See the RELEASE_NOTES for more details.
- Bug #2993 - Unable to compile 1.3.1 on Debian unstable/amd64. The configure
script was brokenly checking for the umode_t data type, which is not needed
by the proftpd source code.
- Bug #2992 - The %f LogFormat variable expanded improperly to "-" for
SITE CHMOD.
- Bug #2995 - The %f LogFormat variable expanded to same file for RNFR and
RNTO.
- Bug #2996 - Requirement for same OpenSSL header, library version in mod_tls
too restrictive. If differences are detected now, the difference is logged,
but the daemon will start up.
- Bug 3005 - OOB abort closes the control connection.
- Bug 3004 - 'ScanOnLogin' QuotaOption does not honor QuotaDirectoryTally
directive.
- Bug 3006 - 'ScanOnLogin' QuotaOption may try to update a nonexistent tally
record.
- Bug 3001 - Incomplete downloads not logged properly in TransferLog if
sendfile is used.
- Bug 3012 - SITE UTIME should support YYYYMMDDhhmmss format.
- Bug 3013 - "TLSOptions AllowPerUser" not working as expected.
- Bug 3019 - DisplayLogin in <Anonymous> section not displayed properly.
- Bug 3015 - Support for RFC3659. There is a new module, mod_facts, which
implements the RFC3659 commands of MLSD and MLST, as well as the MFF and
MFMT commands from an Internet Draft.
- Bug 2894 - The AnonymousGroup directive has been marked for deprecation,
and will be removed in a future release.
- Bug 3003 - Fallback to normal transmission in case of sendfile EOVERFLOW
error missing.
- Bug 2874 - Data transfer buffers should be allocated at startup, not at
compile time.
- Bug 3014 - Optionally set PAM_TTY item when using PAM. Use
"AuthPAMOptions NoTTY" to disable this.
- Bug 2741 - Apply TimeoutNoTransfer, TimeoutStalled, TimeoutIdle to
<Anonymous> section.
- Bug 2997 - Uploading files with "~" causes harmless but annoying log
message.
- Bug 2889 - Update SQLLog so that RNTO stores the path when using the
%F variable.
- Bug 2731 - Add ability to set process priority for file transfers. A new
TransferPriority directive has been added, which can be used to set the
scheduling priority of the session process during file transfers.
- Bug 3020 - Server replies to NLST with 450 at the wrong time.
- Bug 1771 - mod_ratio compile warnings.
- Bug 1973 - mod_ratio uses the too-small int datatype for tracking bytes.
The mod_ratio module has been updated to use off_t, instead of int, for
tracking bytes.
- Bug 1896 - Check AIX account status. The AIX-specific loginrestrictions()
and passwdexpired() functions, if present, are now used by the mod_auth_unix
module during login.
- Bug 2453 - Separate RFC1413 code into mod_ident module.
- Bug 3023 - Allow uploading to /dev/null. This allows testing of network
link speeds by uploading directly to /dev/null on the server.
- Bug 3022 - Timed SQL connections don't reconnect to database.
- Added mod_sql_sqlite contrib module, for authenticating using a SQLite
database. See doc/contrib/mod_sql_sqlite.html for more details.
- Added mod_sql_odbc contrib module, for connecting to a database via
ODBC drivers. See doc/contrib/mod_sql_odbc.html for more information.
- Bug 3025 - Using %b in a SQLNamedQuery does not properly log the file size
for DELE.
- Bug 3026 - RewriteCondition does not negate -d -f -s tests.
- Bug 3027 - Unmatched backreferences are not handled properly in RewriteRules.
Unmatched backreferences are now replaced with empty strings.
- Bug 2999 - Data transfer not aborted when control connection is closed.
- Bug 3031 - IPv4-mapped IPv6 connections not matched properly against IPv4
glob ACLs.
- Bug 3033 - Class rules not honoring '!' negation character.
- Bug 3034 - Rewritten command parameters need to be set in multiple places.
- Bug 2577 - IPv6 support should be enabled by default. IPv6 support is
now enabled by default in the proftpd build, but the shipping
proftpd.conf has:

UseIPv6 off

To disable IPv6 support completely at build time, use the --disable-ipv6
configure option.
- Bug 2000 - mod_cap should not use bundled libcap. Now if a system libcap
is present, that system library will be used instead of the bundled libcap.
If no system libcap is present, the bundled libcap will be used.
- Bug 3044 - Segfault if mod_delay fails to load DelayTable.
- Bug 3048 - mod_wrap2_file should support comma-delimited lists of clients.
- Bug 3045 - "QuotaOptions ScanOnLogin" does not work for 'class' or
'all' limits.
- Bug 3047 - BanOnEvent should support optional ban message. Now messages
for individual ban rules can be configured, in addition to the BanMessage
directive.
- Added contrib/ftpmail, a Perl script which reads a TransferLog FIFO and
sends automatic email notifications whenever uploads occur. See
doc/contrib/ftpmail.html for more details.
- Bug 3050 - Support use of OpenSSL in FIPS mode. See doc/howto/TLS.html for
details on how to use FIPS mode.
- Bug 3051 - mod_quotatab incorrectly reduces file count on rename.
- Bug 2840 - Online Certificate Status Protocol (OCSP) support.
- Bug 3058 - Handling of OPTS command results in badly set values in code.
- Bug 3059 - Wrong handling of UTF8 conversions.
- Bug 3061 - Segfault in mod_quotatab_sql if the SQL query returns NULL
bytes/files values.
- Bug 3056 - Support non-UTF8 encoding and character sets. See
doc/modules/mod_lang.html for more information on the UseEncoding directive.
- Bug 3064 - Better handling of 0xFF character for Cyrillic, non-UTF8 charsets.
These character sets use the same value as the Telnet IAC character in
the alphabet. RFC959 states that FTP control messages must support Telnet
characters; this requirement causes problems for the character sets.
This RFC959 requirement is relaxed if --enable-nls is used, and if
one of the problematic character sets is configured.

To Install:
yum --enablerepo=atomic-tesitng upgrade psa-proftpd

Re: psa-proftpd 1.3.2-1

Unread post by Sarge »

scott wrote:
To Install:
yum --enablerepo=atomic-tesitng upgrade psa-proftpd

Shouldn't it be atomic-testing?

Please feel free to delete this post after the correction. ;)

Re: psa-proftpd 1.3.2-1

Unread post by scott »

Haha yup, and this package has graduated to [atomic]:


yum upgrade psa-proftpd

Re: psa-proftpd 1.3.2-1

Unread post by Highland »

I can't find that file for centos 4 or 5. Did the base URL change from http://www.atomicorp.com/channels/atomic/centos ?
"Its not a mac. I run linux... I'm actually cool." - scott

Re: psa-proftpd 1.3.2-1

Unread post by Kalimari »

Same here, RHEL4 yes, centos 5 no.

Re: psa-proftpd 1.3.2-1

Unread post by scott »

Might need to clear your cache, there aren't really RHEL packages in atomic, those just symlink to the CentOS dirs.

Re: psa-proftpd 1.3.2-1

Unread post by Kalimari »

yum clean dbcache did the trick :-)

Re: psa-proftpd 1.3.2-1

Unread post by banshee_z71 »

Thank you ART! The ProFTPD 1.3.2 package did the trick for me. Of course I'm a noobie so it took me a while to get ftp working on my CentOS Server after the update. I made a very detailed tutorial for anyone having trouble with this.

http://codersresource.com/linux/web-server/51-upgrade-proftpd-on-centos-to-fix-filezilla-bug

Re: psa-proftpd 1.3.2-1

Unread post by hostingguy »

You shouldn't need to reboot since ftp is spawned on demand. After changing the configs it should immediately work in the psa/xinetd mode; stand alone I don't know since I've never used it.

Re: psa-proftpd 1.3.2-1

Unread post by banshee_z71 »

hostingguy is right about the psa/xinetd mode. It loads the proftpd.conf file each time a user connects. Standalone however only loads the file once, which is supposed to make it a bit quicker. But it is kind of a pain when you have to change the config. Thanks for bringing that up. I'll add it to the tutorial.

Re: psa-proftpd 1.3.2-1

Unread post by hostingguy »

for stand alone can you just do a "service proftpd reload" command or something like that to reload the configs?
seems extreme to have to reboot for a config file change :)

Re: psa-proftpd 1.3.2-1

Unread post by scott »

Followup on this, for the moment you can get around it by turning quotas off under the anon_ftp settings.

Re: psa-proftpd 1.3.2-1

Unread post by gaia »

i followed the instructions at

http://codersresource.com/linux/web-server/51-upgrade-proftpd-on-centos-to-fix-filezilla-bug

and proftp works fine, including the TLS auth connection close issue with later versions of Filezilla.

the only problem is that before (1.3.1), i used to see the permissions/owner/group as in before.png. now i see them as after.png. do i have to live with this or is there a config I am missing? proftp.conf is below

thanks!

#
# To have more information about Proftpd configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName			"ProFTPD"
#ServerType			standalone
ServerType			inetd
DefaultServer			on
<Global>
DefaultRoot	~		psacln
AllowOverwrite		on
PassivePorts 57000 58000
</Global>

DefaultTransferMode	binary
UseFtpUsers			on

TimesGMT			off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port				21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask				022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30

#Following part of this config file was generated by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd/scoreboard

# Primary log file must be outside of system logrotate province

TransferLog /usr/local/psa/var/log/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
	GroupOwner	psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off

# Custom Security Additions
ServerIdent off
MaxLoginAttempts 4
AllowStoreRestart on

# To allow for FTPES (see http://nowheretobefound.com/documentation/securing-ftp)
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd.tls.log
# Server's certificate
TLSRSACertificateFile /etc/openssl/server.crt
TLSRSACertificateKeyFile /etc/openssl/server.key
# CA the server trusts
TLSCACertificateFile /etc/openssl/ca.crt
# Enable this option to force secure connections only
#TLSRequired on
</IfModule>

AuthGroupFile	/etc/group

Include /etc/proftpd.include

Attachments: after.png (6.18 KiB), before.png (6.47 KiB)
CentOS 6.9
ASL 4.0.19-37
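
An added example, not part of the post above or of ProFTPD: a short Python check of the mod_tls settings in a configuration like the one posted, where `TLSEngine on` is set but `TLSRequired` is left commented out, so TLS is offered without being enforced. The sample text is constructed from the posted file, the function names are hypothetical, and the check assumes the default of `TLSRequired off` and classifies only the values `on`, `off`, `ctrl` and `data`.

```python
# Added example: audit the mod_tls settings of a proftpd.conf (names hypothetical).

# Constructed sample: the TLS-related lines of the configuration posted above.
POSTED = """\
ServerType inetd
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd.tls.log
TLSRSACertificateFile /etc/openssl/server.crt
TLSRSACertificateKeyFile /etc/openssl/server.key
TLSCACertificateFile /etc/openssl/ca.crt
# Enable this option to force secure connections only
#TLSRequired on
</IfModule>
Include /etc/proftpd.include
"""
# The same file with the commented-out directive enabled.
HARDENED = POSTED.replace("#TLSRequired on", "TLSRequired on")


def active_directives(conf_text):
    """Return (name, args) for every active line; the name is lower-cased.

    Comments, blank lines and <Section> tags are skipped, so a directive inside
    <IfModule> is counted as if the module were loaded.
    """
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        found.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return found


def audit_tls(conf_text):
    """Return a list of findings about which FTP channels may run without TLS."""
    settings, includes = {}, []
    for name, args in active_directives(conf_text):
        if name == "include":
            includes.append(args)
        else:
            settings[name] = args.lower()  # last occurrence wins in this sketch
    findings = []
    if settings.get("tlsengine") != "on":
        findings.append("TLSEngine is not on: every session is cleartext")
    else:
        required = settings.get("tlsrequired", "off")  # assumed default: off
        if required not in ("on", "off", "ctrl", "data"):
            findings.append("TLSRequired %s is not classified here: review by hand" % required)
        else:
            if required not in ("on", "ctrl"):
                findings.append("control channel may be cleartext: USER/PASS not forced onto TLS")
            if required not in ("on", "data"):
                findings.append("data channel may be cleartext: listings and files not forced onto TLS")
    for path in includes:
        findings.append("Include %s not inspected: it may override these settings" % path)
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, audit_tls(text))
```

The `Include` finding is reported in both cases because per-vhost files can carry their own TLS directives, which this check does not read.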

Re: psa-proftpd 1.3.2-1

Unread post by scott »

That isn't anything we can change from the proftp side, that's entirely a client rendering thing.

Re: psa-proftpd 1.3.2-1

Unread post by gaia »

i tried with smartftp and coreftp. both reported permissions in the before format, so that is surely a client rendering issue. all good here. BUT smartftp, which does allow seeing owners/groups, only showed numbers, like in the after screenshot. i can understand the client translating flcdmpe into rwx-rw-r etc, but doesn't the owner/group ID NEED to be attached to their respective names by the server somehow?

in short: would you please name the FTP client (or setting in an available client) that will show owners/groups as names, not IDs.

thanks!
CentOS 6.9
ASL 4.0.19-37