From 65fdc2480407a24704ce5954e6d2f0d27a5ace5e Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Nov 03 2010 10:16:20 +0000
Subject: Merge branch 'master' into el4

Conflicts:
.gitignore
proftpd.conf
proftpd.spec
sources

This is a version update but it does fix a number of security issues and I consider the minor upheaval of the version update to be a lesser evil than the possibililty of getting backported security fixes wrong.
---
diff --git a/.gitignore b/.gitignore
index 0d8f788..19f281d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-proftpd-1.3.2d.tar.bz2
-proftpd-mod-vroot-0.8.5.tar.gz
-proftpd-mod-exec-0.9.6.tar.gz
+/proftpd-1.3.3c.tar.bz2
+/proftpd-mod-geoip-0.2.tar.gz
+/proftpd-mod-vroot-0.8.5.tar.gz
diff --git a/proftpd-1.3.2-parallel-build.patch b/proftpd-1.3.2-parallel-build.patch
deleted file mode 100644
index cea1c40..0000000
--- a/proftpd-1.3.2-parallel-build.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -ru proftpd-1.3.2-orig/Makefile.in proftpd-1.3.2/Makefile.in
---- proftpd-1.3.2-orig/Makefile.in 2008-11-19 04:51:38.000000000 +0100
-+++ proftpd-1.3.2/Makefile.in 2009-02-16 14:28:43.000000000 +0100
-@@ -54,13 +54,13 @@
- proftpd$(EXEEXT): lib src modules dirs locale
- $(LIBTOOL) --mode=link --tag=CC $(CC) $(LDFLAGS) $(MAIN_LDFLAGS) -o $@ $(BUILD_PROFTPD_OBJS) $(BUILD_PROFTPD_ARCHIVES) $(LIBS) $(MAIN_LIBS)
- 
--ftpcount$(EXEEXT): utils
-+ftpcount$(EXEEXT): lib utils
- $(CC) $(LDFLAGS) -o $@ $(BUILD_FTPCOUNT_OBJS) $(UTILS_LIBS)
- 
--ftpdctl$(EXEEXT): src
-+ftpdctl$(EXEEXT): lib src
- $(CC) $(LDFLAGS) -o $@ $(BUILD_FTPDCTL_OBJS) $(LIBS)
- 
--ftpshut$(EXEEXT): utils
-+ftpshut$(EXEEXT): lib utils
- $(CC) $(LDFLAGS) -o $@ $(BUILD_FTPSHUT_OBJS) $(UTILS_LIBS)
- 
- ftptop$(EXEEXT): lib utils
diff --git a/proftpd-1.3.2a-mlsd.patch b/proftpd-1.3.2a-mlsd.patch
deleted file mode 100644
index a8148bc..0000000
--- a/proftpd-1.3.2a-mlsd.patch
+++ /dev/null
@@ -1,21 +0,0 @@
---- proftpd-1.3.2a/modules/mod_facts.c.mlsd 2009-04-28 22:17:45.000000000 +0100
-+++ proftpd-1.3.2a/modules/mod_facts.c 2009-09-07 14:17:39.000000000 +0100
-@@ -841,12 +841,13 @@
- return PR_ERROR(cmd);
- }
- 
-- /* RFC3659 explicitly does NOT support glob characters. */
-+ /* RFC3659 explicitly does NOT support glob characters. So warn about
-+ * this, but let the command continue as is. We don't actually call
-+ * glob(3) here, so no expansion will occur.
-+ */
- if (strpbrk(decoded_path, "{[*?") != NULL) {
-- pr_log_debug(DEBUG2, MOD_FACTS_VERSION ": unable to handle MLSD command: "
-- "target '%s' contains glob characters", decoded_path);
-- pr_response_add_err(R_550, _("Unable to handle command"));
-- return PR_ERROR(cmd);
-+ pr_log_debug(DEBUG9, MOD_FACTS_VERSION ": glob characters in MLSD ('%s') "
-+ "ignored", decoded_path);
- }
- 
- /* Make sure that the given path is actually a directory. */
diff --git a/proftpd.conf b/proftpd.conf
index ae04adb..f391cfb 100644
--- a/proftpd.conf
+++ b/proftpd.conf
@@ -52,6 +52,10 @@ LogFormat auth "%v [%P] %h %t \"%r\" %s"
 # General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
 # LoadModule mod_sql.c
 #
+# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
+# (contrib/mod_sql_passwd.html)
+# LoadModule mod_sql_passwd.c
+#
 # Mysql support (requires proftpd-mysql package)
 # (http://www.proftpd.org/docs/contrib/mod_sql.html)
 # LoadModule mod_sql_mysql.c
@@ -100,6 +104,11 @@ LogFormat auth "%v [%P] %h %t \"%r\" %s"
 # (http://www.proftpd.org/docs/modules/mod_facl.html)
 # LoadModule mod_facl.c
 #
+# Support for using the GeoIP library to look up geographical information on
+# the connecting client and using that to set access controls for the server
+# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
+# LoadModule mod_geoip.c
+#
 # Configure server availability based on system load
 # (http://www.proftpd.org/docs/contrib/mod_load.html)
 # LoadModule mod_load.c
@@ -112,10 +121,31 @@ LogFormat auth "%v [%P] %h %t \"%r\" %s"
 # (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
 # LoadModule mod_rewrite.c
 #
+# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
+# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
+# LoadModule mod_sftp.c
+#
+# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
+# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
+# LoadModule mod_sftp_pam.c
+#
+# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
+# and host based authentication
+# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
+# LoadModule mod_sftp_sql.c
+#
+# Provide data transfer rate "shaping" across the entire server
+# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
+# LoadModule mod_shaper.c
+#
 # Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
 # and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
 # LoadModule mod_site_misc.c
 #
+# Provide an external SSL session cache using shared memory
+# (contrib/mod_tls_shmcache.html)
+# LoadModule mod_tls_shmcache.c
+#
 # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
 # files, for IP-based access control
 # (http://www.proftpd.org/docs/contrib/mod_wrap.html)
@@ -152,6 +182,9 @@ LogFormat auth "%v [%P] %h %t \"%r\" %s"
 TLSVerifyClient off
 #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
 TLSLog /var/log/proftpd/tls.log
+
+ TLSSessionCache shm:/file=/var/run/proftpd/sesscache
+
 
 
 # Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
@@ -179,9 +212,6 @@ LogFormat auth "%v [%P] %h %t \"%r\" %s"
 # from being group and world writable
 Umask 022
 
- # Don't do ident queries (hangs when the port is filtered)
- IdentLookups off
-
 # Allow users to overwrite files and change permissions
 AllowOverwrite yes
 
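Review bot: `TLSSessionCache shm:/file=/var/run/proftpd/sesscache` is added unconditionally in the @@ -152 hunk, but the shm: cache provider comes from mod_tls_shmcache, which this same file only offers as a commented-out `LoadModule mod_tls_shmcache.c` in the @@ -112 hunk. If mod_tls does not recognise the shm: type until that module is loaded (my recollection, worth confirming against mod_tls), enabling the TLS section with the shipped defaults makes the configuration fail to parse at startup. Wrapping the directive as `<IfModule mod_tls_shmcache.c>` / `  TLSSessionCache shm:/file=/var/run/proftpd/sesscache` / `</IfModule>` keeps the default config loadable either way. The enclosing TLS section starts outside the hunk.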
diff --git a/proftpd.init b/proftpd.init
index 11bb674..f00f790 100755
--- a/proftpd.init
+++ b/proftpd.init
@@ -12,7 +12,7 @@
 # anonymous FTP, and permission-based directory visibility.
 # processname: proftpd
 # config: /etc/proftp.conf
-# pidfile: /var/run/proftpd.pid
+# pidfile: /var/run/proftpd/proftpd.pid
 
 ### BEGIN INIT INFO
 # Provides: proftpd ftpserver
diff --git a/proftpd.spec b/proftpd.spec
index 32d8dc9..73aa1e3 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -1,4 +1,4 @@
-# Use certs in %{_sysconfdir}/pki/tls/certs if available (FC4, RHEL5 onwards)
+# Use certs in %%{_sysconfdir}/pki/tls/certs if available (FC4, RHEL5 onwards)
 %global use_pki %(if [ -d %{_sysconfdir}/pki/tls/certs ]; then echo 1; else echo 0; fi)
 %if %{use_pki}
 %global pkidir %{_sysconfdir}/pki/tls
@@ -6,12 +6,12 @@
 %global pkidir %{_datadir}/ssl
 %endif
 
-#global prever rc3
+#global prever rc4
 %global rpmrel 1
 
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
-Version: 1.3.2d
+Version: 1.3.3c
 Release: %{?prever:0.}%{rpmrel}%{?prever:.%{prever}}%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
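Review bot: Only the `# pidfile:` header comment moves to `/var/run/proftpd/proftpd.pid`; if the start/stop/status logic further down proftpd.init names the pidfile explicitly (outside this hunk, so not verifiable here), it needs the same path, otherwise `status` and `stop` keep consulting the old `/var/run/proftpd.pid`. The `%dir %{_localstatedir}/run/proftpd/` entry in the spec covers the directory itself, so the remaining question is just the script body. The untouched context line `# config: /etc/proftp.conf` also looks like a typo for `/etc/proftpd.conf`, pre-existing but cheap to fix in the same header.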
@@ -27,17 +27,15 @@ Source7: proftpd-mod_quotatab_ldap.ldif
 Source8: proftpd-mod_quotatab_ldap.schema
 Source9: proftpd.sysconfig
 Source10: http://www.castaglia.org/proftpd/modules/proftpd-mod-vroot-0.8.5.tar.gz
-Source11: http://www.castaglia.org/proftpd/modules/proftpd-mod-exec-0.9.6.tar.gz
+Source11: http://www.castaglia.org/proftpd/modules/proftpd-mod-geoip-0.2.tar.gz
 Patch0: proftpd-1.3.2rc3-nostrip.patch
-Patch2: proftpd-1.3.2-parallel-build.patch
-Patch3: proftpd-1.3.2a-mlsd.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires(post): /sbin/chkconfig
 Requires(preun): /sbin/service, /sbin/chkconfig, coreutils, findutils
 Requires(postun): /sbin/service
 BuildRequires: pam-devel, ncurses-devel, pkgconfig, gettext, zlib-devel
 BuildRequires: openssl-devel, libacl-devel, libcap-devel, /usr/include/tcpd.h
-BuildRequires: openldap-devel, mysql-devel, postgresql-devel
+BuildRequires: openldap-devel, mysql-devel, postgresql-devel, GeoIP-devel
 Provides: ftpserver
 
 %description
@@ -47,10 +45,9 @@ syntax, and a highly customizable server infrastructure, including support
 for multiple 'virtual' FTP servers, anonymous FTP, and permission-based
 directory visibility.
 
-This package defaults to the standalone behaviour of ProFTPD, but all the
+This package defaults to the standalone behavior of ProFTPD, but all the
 needed scripts to have it run by xinetd instead are included.
 
-
 %package ldap
 Summary: Module to add LDAP support to the ProFTPD FTP server
 Group: System Environment/Daemons
@@ -59,7 +56,6 @@ Requires: %{name} = %{version}-%{release}
 %description ldap
 Module to add LDAP support to the ProFTPD FTP server.
 
-
 %package mysql
 Summary: Module to add MySQL support to the ProFTPD FTP server
 Group: System Environment/Daemons
@@ -68,7 +64,6 @@ Requires: %{name} = %{version}-%{release}
 %description mysql
 Module to add MySQL support to the ProFTPD FTP server.
 
-
 %package postgresql
 Summary: Module to add PostgreSQL support to the ProFTPD FTP server
 Group: System Environment/Daemons
@@ -77,7 +72,6 @@ Requires: %{name} = %{version}-%{release}
 %description postgresql
 Module to add PostgreSQL support to the ProFTPD FTP server.
 
-
 %prep
 %setup -q -n %{name}-%{version}%{?prever} -a 10 -a 11
 
@@ -85,20 +79,13 @@ Module to add PostgreSQL support to the ProFTPD FTP server.
 %{__cp} -p mod_vroot/mod_vroot.c contrib/
 %{__cp} -p mod_vroot/mod_vroot.html doc/contrib/
 
-# Copy mod_exec source and documentation into place
-%{__cp} -p mod_exec/mod_exec.c contrib/
-%{__cp} -p mod_exec/mod_exec.html doc/contrib/
+# Copy mod_geoip source and documentation into place
+%{__cp} -p mod_geoip/mod_geoip.c contrib/
+%{__cp} -p mod_geoip/mod_geoip.html doc/contrib/
 
 # Don't strip binaries - needed for useful debuginfo
 %patch0 -p1 -b .nostrip
 
-# Fix parallel build (http://bugs.proftpd.org/3189)
-%patch2 -p1 -b .parallel
-
-# Fix MLSD for directories containing shell metacharacters (#521634)
-# (upstream patch)
-%patch3 -p1 -b .mlsd
-
 # Avoid documentation name conflicts
 %{__mv} contrib/README contrib/README.contrib
 
@@ -141,15 +128,16 @@ done
 
 %build
 # Modules to be built as DSO's (excluding mod_ifsession, always specified last)
-SMOD1=mod_sql:mod_sql_mysql:mod_sql_postgres
+SMOD1=mod_sql:mod_sql_passwd:mod_sql_mysql:mod_sql_postgres
 SMOD2=mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_radius:mod_quotatab_sql
 SMOD3=mod_ldap:mod_ban:mod_wrap:mod_ctrls_admin:mod_facl:mod_load
-SMOD4=mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec
+SMOD4=mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec:mod_shaper:mod_geoip
 SMOD5=mod_wrap2:mod_wrap2_file:mod_wrap2_sql
+SMOD6=mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache
 
 %configure \
 --libexecdir="%{_libexecdir}/proftpd" \
- --localstatedir="%{_localstatedir}/run" \
+ --localstatedir="%{_localstatedir}/run/proftpd" \
 --enable-ctrls \
 --enable-dso \
 --enable-facl \
@@ -160,7 +148,7 @@ SMOD5=mod_wrap2:mod_wrap2_file:mod_wrap2_sql
 --with-libraries="%{_libdir}/mysql" \
 --with-includes="%{_includedir}/mysql" \
 --with-modules=mod_readme:mod_auth_pam:mod_tls:mod_vroot \
- --with-shared=${SMOD1}:${SMOD2}:${SMOD3}:${SMOD4}:${SMOD5}:mod_ifsession
+ --with-shared=${SMOD1}:${SMOD2}:${SMOD3}:${SMOD4}:${SMOD5}:${SMOD6}:mod_ifsession
 
 %{__make} %{?_smp_mflags}
 
@@ -222,6 +210,8 @@ fi
 %dir %{_localstatedir}/ftp/pub/
 %dir %{_localstatedir}/run/proftpd/
 %config(noreplace) %{_localstatedir}/ftp/welcome.msg
+%config(noreplace) %{_sysconfdir}/blacklist.dat
+%config(noreplace) %{_sysconfdir}/dhparams.pem
 %config(noreplace) %{_sysconfdir}/ftpusers
 %config(noreplace) %{_sysconfdir}/logrotate.d/proftpd
 %config(noreplace) %{_sysconfdir}/pam.d/proftpd
@@ -234,6 +224,7 @@ fi
 %{_bindir}/ftptop
 %{_bindir}/ftpwho
 %exclude %{_bindir}/prxs
+%{_sbindir}/ftpscrub
 %{_sbindir}/ftpshut
 %{_sbindir}/in.proftpd
 %{_sbindir}/proftpd
@@ -242,6 +233,7 @@ fi
 %{_mandir}/man1/ftpwho.1*
 %{_mandir}/man5/xferlog.5*
 %{_mandir}/man8/ftpdctl.8*
+%{_mandir}/man8/ftpscrub.8*
 %{_mandir}/man8/ftpshut.8*
 %{_mandir}/man8/proftpd.8*
 %exclude %{_includedir}/proftpd/
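Review bot: `%config(noreplace) %{_sysconfdir}/blacklist.dat` in the @@ -222 hunk marks mod_sftp's public-key blacklist as admin-owned configuration, so once the file has been locally modified a refreshed upstream blacklist only lands as `.rpmnew` and is never consulted. Since blacklist.dat is read as data rather than hand-edited, plain `%config %{_sysconfdir}/blacklist.dat` (or no config marker at all) would let updated blacklists take effect on upgrade, while `noreplace` remains the right choice for `dhparams.pem`, which an administrator may deliberately replace with locally generated parameters. The changelog hunk confirms both files come from mod_sftp; the install step that puts them in place is outside this hunk.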
@@ -251,6 +243,7 @@ fi
 %{_libexecdir}/proftpd/mod_ctrls_admin.so
 %{_libexecdir}/proftpd/mod_exec.so
 %{_libexecdir}/proftpd/mod_facl.so
+%{_libexecdir}/proftpd/mod_geoip.so
 %{_libexecdir}/proftpd/mod_ifsession.so
 %{_libexecdir}/proftpd/mod_load.so
 %{_libexecdir}/proftpd/mod_quotatab.so
@@ -260,8 +253,14 @@ fi
 %{_libexecdir}/proftpd/mod_radius.so
 %{_libexecdir}/proftpd/mod_ratio.so
 %{_libexecdir}/proftpd/mod_rewrite.so
+%{_libexecdir}/proftpd/mod_sftp.so
+%{_libexecdir}/proftpd/mod_sftp_pam.so
+%{_libexecdir}/proftpd/mod_sftp_sql.so
+%{_libexecdir}/proftpd/mod_shaper.so
 %{_libexecdir}/proftpd/mod_site_misc.so
 %{_libexecdir}/proftpd/mod_sql.so
+%{_libexecdir}/proftpd/mod_sql_passwd.so
+%{_libexecdir}/proftpd/mod_tls_shmcache.so
 %{_libexecdir}/proftpd/mod_wrap.so
 %{_libexecdir}/proftpd/mod_wrap2.so
 %{_libexecdir}/proftpd/mod_wrap2_file.so
@@ -286,6 +285,45 @@ fi
 %{_libexecdir}/proftpd/mod_sql_postgres.so
 
 %changelog
+* Mon Nov 1 2010 Paul Howarth 1.3.3c-1
+- Update to 1.3.3c (#647965)
+ - Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925)
+ - Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
+ - Fixed SQLite authentications using "SQLAuthType Backend"
+- New DSO module: mod_geoip
+
+* Fri Sep 10 2010 Paul Howarth 1.3.3b-1
+- Update to 1.3.3b
+ - Fixed SFTP directory listing bug
+ - Avoid corrupting utmpx databases on FreeBSD
+ - Avoid null pointer dereferences during data transfers
+ - Fixed "AuthAliasOnly on" anonymous login
+
+* Fri Jul 2 2010 Paul Howarth 1.3.3a-1
+- Update to 1.3.3a
+ - Added Japanese translation
+ - Many mod_sftp bugfixes
+ - Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later
+ - Fixed handling of utmp/utmpx format changes on FreeBSD
+
+* Thu Feb 25 2010 Paul Howarth 1.3.3-1
+- Update to 1.3.3 (see NEWS for list of fixed bugs)
+- Update PID file location in initscript
+- Drop upstreamed patches
+- Upstream distribution now includes mod_exec, so drop unbundled source
+- New DSO modules:
+ - mod_sftp
+ - mod_sftp_pam
+ - mod_sftp_sql
+ - mod_shaper
+ - mod_sql_passwd
+ - mod_tls_shmcache
+- Configure script no longer appends "/proftpd" to --localstatedir option
+- New utility ftpscrub for scrubbing the scoreboard file
+- Include public key blacklist and Diffie-Hellman parameter files for mod_sftp
+ in %%{_sysconfdir}
+- Remove IdentLookups from config file - disabled by default now
+
 * Mon Feb 15 2010 Paul Howarth 1.3.2d-1
 - Update to 1.3.2d, addressing the following issues:
 - mod_tls doesn't compile with pre-0.9.7 openssl (bug 3358)
diff --git a/sources b/sources
index c00dcf5..ffbc64c 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-0941935e30199a3f22f7225fe76bc489 proftpd-1.3.2d.tar.bz2
+8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
+6242218c0c98efbab8076ec3bc9fd4d5 proftpd-mod-geoip-0.2.tar.gz
 139fc328c43a9afbe290ec787713096b proftpd-mod-vroot-0.8.5.tar.gz
-dfcaf605f116c29d7b4771a9b02f509b proftpd-mod-exec-0.9.6.tar.gz