Arch Linux


FS#25020 - Backdoor in vsftpd 2.3.4

Attached to Project: Arch Linux
Opened by Leonardo (sud_crow) - Tuesday, 05 July 2011, 07:00 GMT
Last edited by Ionut Biru (wonder) - Tuesday, 05 July 2011, 13:22 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Tobias Kieslich (tobias)
Architecture: All
Severity: Very Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Backdoor in vsftpd 2.3.4

Additional info:
* package version(s): 2.3.4


It has been confirmed that there was a backdoor in the vsftpd 2.3.4 package source on one of the master sites.
Here are the alerts and info:
http://www.h-online.com/open/news/item/Vsftpd-backdoor-discovered-in-source-code-1272310.html
http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
https://security.appspot.com/vsftpd.html


Closed by Ionut Biru (wonder)
Tuesday, 05 July 2011, 13:22 GMT
Reason for closing: Not a bug
Additional comments about closing: we are safe

Comment by Leonardo (sud_crow) - Tuesday, 05 July 2011, 07:03 GMT
Note: I don't know if the sources used to build the binary in the Arch repos have this issue; I'm just warning about the issue in the sources because it might affect the binaries.
Comment by Florian Pritz (bluewind) - Tuesday, 05 July 2011, 07:32 GMT
The only thing that needs fixing is the source URL because the old one doesn't work anymore. The tarball used for building our package was clean.
Comment by Gerardo Exequiel Pozzi (djgera) - Tuesday, 05 July 2011, 13:21 GMT
  • Field changed: Severity (Critical → Very Low)
2ea5d19978710527bb7444d93b67767a is the good one ;)
