On Fri, Jun 8, 2012 at 6:58 AM, Matthias Schroeder wrote:
On 06/08/2012 11:27 AM, Dennis Schridde wrote:
Hi!

The version of the package currently available in SL6 is
vsftpd-2.2.2-6.el6_0.1.x86_64, while RHEL6 apparently ships
vsftpd-2.2.2-11.el6 [1]. Can you please update it, as it contains a bugfix
that is important for our systems.

It looks like a one-line patch, published at "Comment 26" in the cited
[1] https://bugzilla.redhat.com/show_bug.cgi?id=708657 ("Fixed In Version")
 
 
Can you build your own RPM, make the "Release" number something like 6.1.el6_0.1, to avoid version conflicts when the update is published upstream, and switch to that? And in this day and age with password sniffing going on over local networks by zombied machines and happening as a matter of government policy worldwide in data centers, and the historic firewall wackiness with FTP's 2 channel communications, *WHY* is your client using FTP for anything that is password based? You can cross-hook it to normal logins, true, but this is a really bad idea for basic security reasons and should be avoided wherever feasible.
 
Or are they using FTPS?
 
 
Kind regards,
Dennis Schridde

[1] https://bugzilla.redhat.com/show_bug.cgi?id=708657 ("Fixed In Version")

Please cite properly: "should be fixed in"... and the comment was made this night at 03:21:47 EDT.

What makes you believe that RH has released the fix already? What makes you think it has already passed QA?

Matthias