On Fri, Jun 8, 2012 at 6:58 AM, Matthias Schroeder <[log in to unmask]> wrote:

> On 06/08/2012 11:27 AM, Dennis Schridde wrote:
>
>> Hi!
>>
>> The version of the package currently available in SL6 is
>> vsftpd-2.2.2-6.el6_0.1.x86_64, while RHEL6 apparently ships
>> vsftpd-2.2.2-11.el6 [1]. Can you please update it, as it contains a bugfix
>> that is important for our systems.
>>
>> It looks like a one-line patch, published at "Comment 26" in the cited
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=708657 ("Fixed In Version")


Can you build your own RPM, make the "Release" number something like
6.1.el6_0.1, to avoid version conflicts when the update is published
upstream, and switch to that? And in this day and age with password sniffing
going on over local networks by zombied machines and happening as a matter
of government policy worldwide in data centers, and the historic firewall
wackiness with FTP's 2 channel communications, *WHY* is your client using
FTP for anything that is password based? You can cross-hook it to normal
logins, true, but this is a really bad idea for basic security reasons and
should be avoided wherever feasible.

Or are they using FTPS?


>> Kind regards,
>> Dennis Schridde
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=708657 ("Fixed In Version")
>>
>
> Please cite properly: "should be fixed in"... and the comment was made
> this night at 03:21:47 EDT.
>
> What makes you believe that RH has released the fix already? What makes
> you think it has already passed QA?
>
> Matthias
>