Description
Security update for vsftpd
This update for vsftpd fixes the following issues:
- CVE-2021-3618: Enforced security checks against ALPACA attack (bsc#1187678, bsc#1187686, PM-3322).
Bugfixes:
- Fixed a seccomp failure in FIPS mode when SSL was enabled (bsc#1052900).
- Allowed wait4() to be called so that the broker can wait for its child processes (bsc#1021387).
- Allowed sendto() syscall when /dev/log support is enabled (bsc#786024).
Package list
SUSE Linux Enterprise Module for Server Applications 15 SP4
vsftpd-3.0.5-150400.3.3.1
openSUSE Leap 15.4
vsftpd-3.0.5-150400.3.3.1
References
- Link for SUSE-SU-2022:3320-1
- E-Mail link for SUSE-SU-2022:3320-1
- SUSE Security Ratings
- SUSE Bug 1021387
- SUSE Bug 1052900
- SUSE Bug 1187678
- SUSE Bug 1187686
- SUSE Bug 786024
- SUSE CVE CVE-2021-3618 page
Description
ALPACA is an application layer protocol content confusion attack that exploits TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker with access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP4:vsftpd-3.0.5-150400.3.3.1
openSUSE Leap 15.4:vsftpd-3.0.5-150400.3.3.1
References
- CVE-2021-3618
- SUSE Bug 1187678