Security update for vsftpd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3320-1 Final 1 1 2022-09-20T12:47:13Z current 2022-09-20T12:47:13Z 2022-09-20T12:47:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for vsftpd This update for vsftpd fixes the following issues: - CVE-2021-3618: Enforced security checks against ALPACA attack (bsc#1187678, bsc#1187686, PM-3322). Bugfixes: - Fixed a seccomp failure in FIPS mode when SSL was enabled (bsc#1052900). - Allowed wait4() to be called so that the broker can wait for its child processes (bsc#1021387). - Allowed sendto() syscall when /dev/log support is enabled (bsc#786024). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-3320,SUSE-SLE-Module-Server-Applications-15-SP4-2022-3320,openSUSE-SLE-15.4-2022-3320 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223320-1/ Link for SUSE-SU-2022:3320-1 https://lists.suse.com/pipermail/sle-security-updates/2022-September/012296.html E-Mail link for SUSE-SU-2022:3320-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1021387 SUSE Bug 1021387 https://bugzilla.suse.com/1052900 SUSE Bug 1052900 https://bugzilla.suse.com/1187678 SUSE Bug 1187678 https://bugzilla.suse.com/1187686 SUSE Bug 1187686 https://bugzilla.suse.com/786024 SUSE Bug 786024 https://www.suse.com/security/cve/CVE-2021-3618/ SUSE CVE CVE-2021-3618 page SUSE Linux Enterprise Module for Server Applications 15 SP4 openSUSE Leap 15.4 vsftpd-3.0.5-150400.3.3.1 vsftpd-3.0.5-150400.3.3.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 vsftpd-3.0.5-150400.3.3.1 as a component of openSUSE Leap 15.4 ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. CVE-2021-3618 SUSE Linux Enterprise Module for Server Applications 15 SP4:vsftpd-3.0.5-150400.3.3.1 openSUSE Leap 15.4:vsftpd-3.0.5-150400.3.3.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223320-1/ https://www.suse.com/security/cve/CVE-2021-3618.html CVE-2021-3618 https://bugzilla.suse.com/1187678 SUSE Bug 1187678