vsftpd vulnerable to heartbleed (according to testssl)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vsftpd (Ubuntu) | Incomplete | Undecided | Unassigned |
Bug Description
According to testssl (from https:/
testssl@will:~$ ./testssl.sh -t ftp lll.lu:21
...
Heartbleed (CVE-2014-0160) VULNERABLE (NOT ok)
Or is this a shortcoming of the testssl script, which reports a vulnerability where there is none? If this is the case, could anybody explain how the error happens, so that we can get testssl fixed?
1) root@lll:~# lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
2) root@lll:~# apt-cache policy vsftpd
vsftpd:
Installed: 3.0.2-1ubuntu2.
Candidate: 3.0.2-1ubuntu2.
Version table:
*** 3.0.2-1ubuntu2.
500 http://
100 /var/lib/
3.0.2-1ubuntu2 0
500 http://
3) What I expected to happen
Heartbleed (CVE-2014-0160) not vulnerable (OK) (timed out)
4) What did happen
Heartbleed (CVE-2014-0160) VULNERABLE (NOT ok)
information type: Public → Public Security
There appears to be a bug report around a false positive with testssl.sh [1] and a fix [2] specific to vsftpd. This was reported after this bug report, so I am wondering if you could retest. For now I am marking this as 'incomplete'; if you get newer results, please mark this as 'new'.
I would also be curious to see your vsftpd.conf file to know how you are configuring it.
[1] https://github.com/drwetter/testssl.sh/issues/426
[2] https://github.com/drwetter/testssl.sh/commit/d1cc7b3755478f302a5f957e2bbcaf17899951fc
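One way to sanity-check a scanner's Heartbleed verdict before retesting is to look at what the server actually negotiated: a Heartbleed (CVE-2014-0160) read can only happen if the TLS peer advertised the heartbeat extension (RFC 6520, extension type 15) in its ServerHello. The parser below is an added example, not part of this bug report, testssl.sh or vsftpd; it takes one captured TLS handshake record (for FTP, the ServerHello the server returns after `AUTH TLS` and the ClientHello) and reports whether the heartbeat extension was negotiated. The `build_server_hello` helper and all byte values in it are constructed sample data so the example runs offline.

```python
"""Inspect a TLS ServerHello for the RFC 6520 heartbeat extension.

Added example (not from the bug report, testssl.sh or vsftpd). A server
whose ServerHello carries no heartbeat extension has not negotiated
heartbeats at all, so a "VULNERABLE" Heartbleed verdict against it is
worth a closer look before it is acted on.
"""
import struct

HANDSHAKE_RECORD = 0x16      # TLS record content type: handshake
SERVER_HELLO = 0x02          # handshake message type
HEARTBEAT_EXT = 0x000F       # RFC 6520 extension type


def parse_server_hello(record: bytes) -> dict:
    """Parse a single TLS record holding a ServerHello.

    Returns the protocol version, the chosen cipher suite and a dict of
    extension type -> raw extension data. Raises ValueError on anything
    that is not a well-formed, complete ServerHello record.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated TLS record")
    if body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")

    pos = 0
    (version,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    pos += 32                                  # server random
    sid_len = hello[pos]; pos += 1 + sid_len   # session id
    (cipher,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    pos += 1                                   # compression method

    extensions = {}
    if pos < len(hello):                       # extensions block is optional
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        end = pos + ext_total
        if end != len(hello):
            raise ValueError("extensions length does not match ServerHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            if pos + elen > end:
                raise ValueError("extension runs past extensions block")
            extensions[etype] = hello[pos:pos + elen]; pos += elen
        if pos != end:
            raise ValueError("trailing garbage in extensions block")
    return {"version": version, "cipher": cipher, "extensions": extensions}


def heartbeat_negotiated(record: bytes) -> bool:
    """True only if the ServerHello advertises the heartbeat extension."""
    return HEARTBEAT_EXT in parse_server_hello(record)["extensions"]


def build_server_hello(with_heartbeat: bool) -> bytes:
    """Constructed sample ServerHello (TLS 1.2, ECDHE-RSA-AES128-GCM-SHA256).

    Sample data for the example only; it is not a capture from any server.
    """
    exts = b"\xff\x01\x00\x01\x00"             # renegotiation_info, empty
    if with_heartbeat:
        exts += b"\x00\x0f\x00\x01\x01"        # heartbeat: peer_allowed_to_send
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
             + struct.pack("!H", len(exts)) + exts)
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for flag in (True, False):
        rec = build_server_hello(flag)
        print("heartbeat negotiated:", heartbeat_negotiated(rec))
```

To use it against a real server, capture the ServerHello record from the FTP control connection (after the `AUTH TLS` / `234` exchange) with a packet capture and feed those bytes to `heartbeat_negotiated`. A server that does not list extension type 15 cannot answer heartbeat requests, which is the first thing to reconcile with a scanner that still reports the host as vulnerable.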