vsftpd is a secure and fast FTP server for UNIX-like systems that is used on many large and critical Internet sites. Its rich feature set includes SSL encryption, IPv6, bandwidth throttling, PAM integration, virtual users, virtual IPs and per-user / per-IP configuration.
@markhobley: The issue described is not a "security flaw", despite various misinformation on the internet about the issue.

Hi Chris. I know that this bug is by design, and we have a disagreement over security protocol here. However, I still need a fix. I cannot use PAM here, because the software is bombing out before the password is prompted for. All the PAM configuration in the world won't fix this. I need to reverse the polarity of the flag, so that users get asked for a password when username whitelisting is being used. (I would not care that this would transfer the bug to users using blacklisting, because I am not using this facility.) I would be happy to run a localized fork. I would fix this myself, if I had the technical capability. This would be a two minute fix for someone who understands the program. If you won't fix this, then I am still seeking a fix from a community programmer here. Hence I am asking for a fix on the blog.
Release Notes: This release corrects a DoS vulnerability where an attacker permitted to login to an FTP server would be able to cause the vsftpd child processes spawned for their sessions to consume excessive amounts of CPU time (CVE-2011-0762). If the attack is carried out on a sufficient number of FTP sessions (possibly from multiple source IP addresses to exceed a possible per-source limit), the FTP service would become unavailable and other services of the system would be greatly impacted. Some other bugs with no apparent security impact have been fixed at the same time.
Release Notes: The version number was fixed. Version 2.3.1 incorrectly reported itself as version 2.3.0.
Release Notes: A silly regression introduced in 2.3.0 was fixed - the log files are no longer overwritten from the start when vsftpd is restarted.
Release Notes: A couple of regressions were fixed: port_promiscuous now works again and SSL data transfers with ASCII transforms should work reliably again. It is now possible to overwrite files partially with REST + STOR. A minimal, experimental HTTP mode was added.
Release Notes: Most notably, a regression was fixed in the built-in listener. Under heavy load, new FTP sessions could sometimes get disconnected right away. This is now fixed. If you saw "OOPS: child died" just after connecting, it was likely this bug.