From 9056ad8f7a81180530eeee98add7ada7e6d51a49 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Oct 13 2019 13:21:36 +0000 Subject: Update to 1.3.6a - New upstream release 1.3.6a - Configure script wrongly detected AIX lastlog functions (http://bugs.proftpd.org/show_bug.cgi?id=4304) - AllowChrootSymlinks off could cause login failures depending on filesystem permissions (http://bugs.proftpd.org/show_bug.cgi?id=4306) - mod_ctrls: error: unable to bind to local socket: Address already in use (https://github.com/proftpd/proftpd/issues/501) - Failed to handle multiple %{env:...} variables in single word in configuration (https://github.com/proftpd/proftpd/issues/507) - mod_sftp failed to check shadow password information when publickey authentication used (http://bugs.proftpd.org/show_bug.cgi?id=4308) - Use of "AllowEmptyPasswords off" broke SFTP/SCP logins (http://bugs.proftpd.org/show_bug.cgi?id=4309) - Use of mod_facl as static module caused ProFTPD to die on SIGHUP/restart (http://bugs.proftpd.org/show_bug.cgi?id=4310) - Use of curve25519-sha256@libssh.org SSH2 key exchange sometimes failed (https://github.com/proftpd/proftpd/issues/556) - Close extra file descriptors at startup (http://bugs.proftpd.org/show_bug.cgi?id=4312) - with AuthAliasOnly in effect did not work as expected (http://bugs.proftpd.org/show_bug.cgi?id=4314) - CreateHome NoRootPrivs only worked partially (https://github.com/proftpd/proftpd/issues/568) - SFTP OPEN response included attribute flags that are not actually provided (https://github.com/proftpd/proftpd/issues/578) - Truncation of file while being downloaded with sendfile enabled caused timeouts due to infinite loop (http://bugs.proftpd.org/show_bug.cgi?id=4318) - FTP uploads frequently broke due to "Interrupted system call" error (http://bugs.proftpd.org/show_bug.cgi?id=4319) - Site-to-site transfers over TLS failed (https://github.com/proftpd/proftpd/issues/618) - Can't see symlinks using any FTP client when using MLSD (http://bugs.proftpd.org/show_bug.cgi?id=4322) - mod_tls 1.3.6 failed to compile using OpenSSL 0.9.8e (http://bugs.proftpd.org/show_bug.cgi?id=4325) - Using MaxClientsPerHost 1 in section denied logins (http://bugs.proftpd.org/show_bug.cgi?id=4326) - SQLNamedConnectInfo with different backend database did not work properly (https://github.com/proftpd/proftpd/issues/642) - Segfault with mod_sftp+mod_sftp_pam after successful authentication using keyboard-interactive method (https://github.com/proftpd/proftpd/issues/656) - autoconf always failed to detect support for FIPS (https://github.com/proftpd/proftpd/issues/660) - SFTP connections failed when using "arcfour256" cipher (https://github.com/proftpd/proftpd/issues/663) - mod_auth_otp failed to build with OpenSSL 1.1.x (http://bugs.proftpd.org/show_bug.cgi?id=4335) - scp broken on FreeBSD 11 (http://bugs.proftpd.org/show_bug.cgi?id=4341) - Update mod_sftp to handle changed APIs in OpenSSL 1.1.x releases (https://github.com/proftpd/proftpd/issues/674) - Infinite loop possible in mod_sftp's set_sftphostkey() function (http://bugs.proftpd.org/show_bug.cgi?id=4356) - Some ASCII text files corrupted when downloading (http://bugs.proftpd.org/show_bug.cgi?id=4352) - Properly use the --includedir, --libdir configure variables in the generated proftpd.pc pkgconfig file (https://github.com/proftpd/proftpd/issues/797) - Reading invalid SSH key from database resulted in unexpected/unlogged disconnect failures (http://bugs.proftpd.org/show_bug.cgi?id=4350) - Symlink navigation broken after 1.3.6 update (http://bugs.proftpd.org/show_bug.cgi?id=4332) - Unable to connect to ProFTPD using TLSSessionTickets and TLSv1.3 (https://github.com/proftpd/proftpd/issues/795) - SITE CPFR/CPTO did not honor configurations (http://bugs.proftpd.org/show_bug.cgi?id=4372) - Using "TLSProtocol SSLv23" did not enable all protocol versions (https://github.com/proftpd/proftpd/issues/807) --- diff --git a/.gitignore b/.gitignore index f4004a0..a727cec 100644 --- a/.gitignore +++ b/.gitignore @@ -1,11 +1,15 @@ -# master/f30/f29/epel8-playground -/proftpd-1.3.6.tar.gz +# master/f31/epel8-playground (split configuration) +/proftpd-1.3.6a.tar.gz /v0.9.5.tar.gz -# el7 +# f30/f29 (monolithic configuration) +/proftpd-1.3.6a.tar.gz +/v0.9.5.tar.gz +# el7 (monolithic configuration) /proftpd-1.3.5e.tar.gz /proftpd-mod-vroot-0.9.2.tar.gz /Test-Unit-0.14.tar.gz -# el6 +# el6 (monolithic configuration) /proftpd-1.3.3g.tar.bz2 /proftpd-mod-geoip-0.2.tar.gz /proftpd-mod-vroot-0.9.2.tar.gz +/proftpd-1.3.6a.tar.gz diff --git a/08ba2f63.patch b/08ba2f63.patch deleted file mode 100644 index cd1c1eb..0000000 --- a/08ba2f63.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 08ba2f630c8eebd023ae68d8e2abd1e7170468af Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Sun, 14 May 2017 14:09:23 -0700 -Subject: [PATCH] Issue #501: Avoid a spurious "Address already in use" error - on startup because we are listening on a local socket twice. - ---- - modules/mod_ctrls.c | 22 +++++++--------------- - 1 file changed, 7 insertions(+), 15 deletions(-) - -diff --git a/modules/mod_ctrls.c b/modules/mod_ctrls.c -index 25ea723..8efd8b4 100644 ---- a/modules/mod_ctrls.c -+++ b/modules/mod_ctrls.c -@@ -2,8 +2,7 @@ - * ProFTPD: mod_ctrls -- a module implementing the ftpdctl local socket - * server, as well as several utility functions for other Controls - * modules -- * -- * Copyright (c) 2000-2016 TJ Saunders -+ * Copyright (c) 2000-2017 TJ Saunders - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -81,8 +80,6 @@ static ctrls_acl_t ctrls_sock_acl; - - static unsigned char ctrls_engine = TRUE; - --#define CTRLS_LISTEN_FL_REMOVE_SOCKET 0x0001 -- - /* Necessary prototypes */ - static int ctrls_setblock(int sockfd); - static int ctrls_setnonblock(int sockfd); -@@ -437,7 +434,7 @@ static int ctrls_cls_write(void) { - } - - /* Create a listening local socket */ --static int ctrls_listen(const char *sock_file, int flags) { -+static int ctrls_listen(const char *sock_file) { - int sockfd = -1, len = 0; - struct sockaddr_un sock; - #if !defined(SO_PEERCRED) && !defined(HAVE_GETPEEREID) && \ -@@ -497,12 +494,10 @@ static int ctrls_listen(const char *sock_file, int flags) { - return -1; - } - -- if (flags & CTRLS_LISTEN_FL_REMOVE_SOCKET) { -- /* Make sure the path to which we want to bind this socket doesn't already -- * exist. -- */ -- (void) unlink(sock_file); -- } -+ /* Make sure the path to which we want to bind this socket doesn't already -+ * exist. -+ */ -+ (void) unlink(sock_file); - - /* Fill in the socket structure fields */ - memset(&sock, 0, sizeof(sock)); -@@ -1206,7 +1201,7 @@ static void ctrls_postparse_ev(const void *event_data, void *user_data) { - - /* Start listening on the ctrl socket */ - PRIVS_ROOT -- ctrls_sockfd = ctrls_listen(ctrls_sock_file, CTRLS_LISTEN_FL_REMOVE_SOCKET); -+ ctrls_sockfd = ctrls_listen(ctrls_sock_file); - PRIVS_RELINQUISH - - /* Start a timer for the checking/processing of the ctrl socket. */ -@@ -1298,9 +1293,6 @@ static int ctrls_init(void) { - memset(&ctrls_sock_acl, '\0', sizeof(ctrls_acl_t)); - ctrls_sock_acl.acl_usrs.allow = ctrls_sock_acl.acl_grps.allow = FALSE; - -- /* Start listening on the ctrl socket */ -- ctrls_sockfd = ctrls_listen(ctrls_sock_file, 0); -- - pr_event_register(&ctrls_module, "core.restart", ctrls_restart_ev, NULL); - pr_event_register(&ctrls_module, "core.shutdown", ctrls_shutdown_ev, NULL); - pr_event_register(&ctrls_module, "core.postparse", ctrls_postparse_ev, NULL); diff --git a/1825a2b8.patch b/1825a2b8.patch deleted file mode 100644 index c6cc9b7..0000000 --- a/1825a2b8.patch +++ /dev/null @@ -1,23 +0,0 @@ -From ee528a5c6513932c6dbe7cf69fdcda3fbf009621 Mon Sep 17 00:00:00 2001 -From: Paul Howarth -Date: Wed, 19 Apr 2017 15:23:30 +0100 -Subject: [PATCH] fsio: fix test in xattr-copying loop - -Fixes segfaults in fsio file copying tests (Issue #483) ---- - src/fsio.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/fsio.c b/src/fsio.c -index a54c64d..91ad0d7 100644 ---- a/src/fsio.c -+++ b/src/fsio.c -@@ -2063,7 +2063,7 @@ int pr_fs_copy_file2(const char *src, const char *dst, int flags, - const char **names; - - names = xattrs->elts; -- for (i = 0; xattrs->nelts; i++) { -+ for (i = 0; i < xattrs->nelts; i++) { - ssize_t valsz; - - /* First, find out how much memory we need for this attribute's diff --git a/389cc579.patch b/389cc579.patch deleted file mode 100644 index 56c61f2..0000000 --- a/389cc579.patch +++ /dev/null @@ -1,206 +0,0 @@ -From 389cc579bc8d5704f9dcc2fd01ffd6307aee6b2b Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Mon, 17 Apr 2017 20:01:47 -0700 -Subject: [PATCH] Address some nits in the unit tests, to help make more - repeatable builds on the variety of testing platforms; addresses Issue #483. - ---- - tests/api/data.c | 5 +++-- - tests/api/fsio.c | 28 ++++++++++++++++++++-------- - tests/api/inet.c | 19 ++++++++++--------- - tests/api/pool.c | 7 ++++++- - 4 files changed, 39 insertions(+), 20 deletions(-) - -diff --git a/tests/api/data.c b/tests/api/data.c -index e4442ab..223a3af 100644 ---- a/tests/api/data.c -+++ b/tests/api/data.c -@@ -313,8 +313,9 @@ START_TEST (data_sendfile_test) { - mark_point(); - res = pr_data_sendfile(fd, &offset, strlen(text)); - if (res < 0) { -- fail_unless(errno == ENOTSOCK, "Expected ENOTSOCK (%d), got %s (%d)", -- ENOTSOCK, strerror(errno), errno); -+ fail_unless(errno == ENOTSOCK || errno == EINVAL, -+ "Expected ENOTSOCK (%d) or EINVAL (%d), got %s (%d)", ENOTSOCK, EINVAL, -+ strerror(errno), errno); - } - - (void) close(fd); -diff --git a/tests/api/fsio.c b/tests/api/fsio.c -index 508ca46..4677d8f 100644 ---- a/tests/api/fsio.c -+++ b/tests/api/fsio.c -@@ -34,6 +34,8 @@ static const char *fsio_test2_path = "/tmp/prt-foo.bar.baz.quxx.quzz"; - static const char *fsio_unlink_path = "/tmp/prt-fsio-link.dat"; - static const char *fsio_link_path = "/tmp/prt-fsio-symlink.lnk"; - static const char *fsio_testdir_path = "/tmp/prt-fsio-test.d"; -+static const char *fsio_copy_src_path = "/tmp/prt-fs-src.dat"; -+static const char *fsio_copy_dst_path = "/tmp/prt-fs-dst.dat"; - - /* Fixtures */ - -@@ -1010,8 +1012,12 @@ START_TEST (fsio_sys_access_dir_test) { - strerror(errno)); - - if (getenv("TRAVIS") == NULL) { -- uid_t other_uid = 1000; -- gid_t other_gid = 1000; -+ uid_t other_uid; -+ gid_t other_gid; -+ -+ /* Deliberately use IDs other than the current ones. */ -+ other_uid = uid - 1; -+ other_gid = gid - 1; - - /* Next, check that others can access the directory. */ - pr_fs_clear_cache2(fsio_testdir_path); -@@ -3297,7 +3303,7 @@ END_TEST - - START_TEST (fs_copy_file_test) { - int res; -- char *src_path, *dst_path, *text; -+ char *src_path = NULL, *dst_path = NULL, *text; - pr_fh_t *fh; - - res = pr_fs_copy_file(NULL, NULL); -@@ -3305,15 +3311,15 @@ START_TEST (fs_copy_file_test) { - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); - -- src_path = "/tmp/prt-fs-src.dat"; -+ src_path = fsio_copy_src_path; - res = pr_fs_copy_file(src_path, NULL); - fail_unless(res < 0, "Failed to handle null destination path"); - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); - -- dst_path = "/tmp/prt-fs-dst.dat"; -+ dst_path = fsio_copy_dst_path; - res = pr_fs_copy_file(src_path, dst_path); -- fail_unless(res < 0, "Failed to handle null destination path"); -+ fail_unless(res < 0, "Failed to handle nonexistent source path"); - fail_unless(errno == ENOENT, "Expected ENOENT (%d), got %s (%d)", ENOENT, - strerror(errno), errno); - -@@ -3322,6 +3328,7 @@ START_TEST (fs_copy_file_test) { - fail_unless(errno == EISDIR, "Expected EISDIR (%d), got %s (%d)", EISDIR, - strerror(errno), errno); - -+ (void) unlink(src_path); - fh = pr_fsio_open(src_path, O_CREAT|O_EXCL|O_WRONLY); - fail_unless(fh != NULL, "Failed to open '%s': %s", src_path, strerror(errno)); - -@@ -3347,6 +3354,8 @@ START_TEST (fs_copy_file_test) { - res = pr_fs_copy_file(src_path, src_path); - fail_unless(res == 0, "Failed to copy file to itself: %s", strerror(errno)); - -+ (void) unlink(dst_path); -+ - mark_point(); - res = pr_fs_copy_file(src_path, dst_path); - fail_unless(res == 0, "Failed to copy file: %s", strerror(errno)); -@@ -3366,10 +3375,13 @@ START_TEST (fs_copy_file2_test) { - char *src_path, *dst_path, *text; - pr_fh_t *fh; - -- src_path = "/tmp/prt-fs-src.dat"; -- dst_path = "/tmp/prt-fs-dst.dat"; -+ src_path = fsio_copy_src_path; -+ dst_path = fsio_copy_dst_path; - flags = PR_FSIO_COPY_FILE_FL_NO_DELETE_ON_FAILURE; - -+ (void) unlink(src_path); -+ (void) unlink(dst_path); -+ - fh = pr_fsio_open(src_path, O_CREAT|O_EXCL|O_WRONLY); - fail_unless(fh != NULL, "Failed to open '%s': %s", src_path, strerror(errno)); - -diff --git a/tests/api/inet.c b/tests/api/inet.c -index b75c839..03c4781 100644 ---- a/tests/api/inet.c -+++ b/tests/api/inet.c -@@ -508,7 +508,7 @@ START_TEST (inet_connect_ipv4_test) { - conn = pr_inet_create_conn(p, sockfd, NULL, port, FALSE); - fail_unless(conn != NULL, "Failed to create conn: %s", strerror(errno)); - -- res = pr_inet_connect(p, conn, NULL, 80); -+ res = pr_inet_connect(p, conn, NULL, 180); - fail_unless(res < 0, "Failed to handle null address"); - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); -@@ -517,8 +517,8 @@ START_TEST (inet_connect_ipv4_test) { - fail_unless(addr != NULL, "Failed to resolve '127.0.0.1': %s", - strerror(errno)); - -- res = pr_inet_connect(p, conn, addr, 80); -- fail_unless(res < 0, "Connected to 127.0.0.1#80 unexpectedly"); -+ res = pr_inet_connect(p, conn, addr, 180); -+ fail_unless(res < 0, "Connected to 127.0.0.1#180 unexpectedly"); - fail_unless(errno == ECONNREFUSED, "Expected ECONNREFUSED (%d), got %s (%d)", - ECONNREFUSED, strerror(errno), errno); - -@@ -573,8 +573,8 @@ START_TEST (inet_connect_ipv6_test) { - fail_unless(addr != NULL, "Failed to resolve '::1': %s", - strerror(errno)); - -- res = pr_inet_connect(p, conn, addr, 80); -- fail_unless(res < 0, "Connected to ::1#80 unexpectedly"); -+ res = pr_inet_connect(p, conn, addr, 180); -+ fail_unless(res < 0, "Connected to ::1#180 unexpectedly"); - fail_unless(errno == ECONNREFUSED || errno == ENETUNREACH || errno == EADDRNOTAVAIL, - "Expected ECONNREFUSED (%d), ENETUNREACH (%d), or EADDRNOTAVAIL (%d), got %s (%d)", - ECONNREFUSED, ENETUNREACH, EADDRNOTAVAIL, strerror(errno), errno); -@@ -637,7 +637,7 @@ START_TEST (inet_connect_nowait_test) { - conn = pr_inet_create_conn(p, sockfd, NULL, port, FALSE); - fail_unless(conn != NULL, "Failed to create conn: %s", strerror(errno)); - -- res = pr_inet_connect_nowait(p, conn, NULL, 80); -+ res = pr_inet_connect_nowait(p, conn, NULL, 180); - fail_unless(res < 0, "Failed to handle null address"); - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); -@@ -646,8 +646,8 @@ START_TEST (inet_connect_nowait_test) { - fail_unless(addr != NULL, "Failed to resolve '127.0.0.1': %s", - strerror(errno)); - -- res = pr_inet_connect_nowait(p, conn, addr, 80); -- fail_unless(res != -1, "Connected to 127.0.0.1#80 unexpectedly"); -+ res = pr_inet_connect_nowait(p, conn, addr, 180); -+ fail_unless(res != -1, "Connected to 127.0.0.1#180 unexpectedly"); - - /* Try connecting to Google's DNS server. */ - -@@ -657,7 +657,8 @@ START_TEST (inet_connect_nowait_test) { - - res = pr_inet_connect_nowait(p, conn, addr, 53); - if (res < 0 && -- errno != ECONNREFUSED) { -+ errno != ECONNREFUSED && -+ errno != EBADF) { - fail_unless(res != -1, "Failed to connect to 8.8.8.8#53: %s", - strerror(errno)); - } -diff --git a/tests/api/pool.c b/tests/api/pool.c -index 8008f1c..d2f4c0d 100644 ---- a/tests/api/pool.c -+++ b/tests/api/pool.c -@@ -52,12 +52,17 @@ START_TEST (pool_destroy_pool_test) { - p = make_sub_pool(permanent_pool); - destroy_pool(p); - --#if !defined(PR_USE_DEVEL) - /* What happens if we destroy an already-destroyed pool? Answer: IFF - * --enable-devel was used, THEN destroying an already-destroyed pool - * will result in an exit(2) call from within pool.c, via the - * chk_on_blk_list() function. How impolite. -+ * -+ * And if --enable-devel was NOT used, on SOME systems, this test tickles -+ * other libc/malloc/free behaviors, which are unsettling. -+ * -+ * Sigh. So for now, I'll just leave this here, but commented out. - */ -+#if 0 - mark_point(); - destroy_pool(p); - #endif diff --git a/41ecb7dc.patch b/41ecb7dc.patch deleted file mode 100644 index efdbcea..0000000 --- a/41ecb7dc.patch +++ /dev/null @@ -1,326 +0,0 @@ -From 41ecb7dc3932dd57bac52980982c76bf036ccfd8 Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Wed, 12 Jul 2017 23:14:59 -0700 -Subject: [PATCH] Bug#4309: Allow SFTP/SCP logins to succeed properly when - "AllowEmptyPasswords off" in effect. - -Also ensure that a truly empty SFTP/SCP password IS properly rejected in such -a configuration. ---- - contrib/mod_sftp/auth-password.c | 41 +++++++- - modules/mod_auth.c | 55 +++++++---- - tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm | 132 ++++++++++++++++++++++++++ - 3 files changed, 205 insertions(+), 23 deletions(-) - -diff --git a/contrib/mod_sftp/auth-password.c b/contrib/mod_sftp/auth-password.c -index 2605af7f6..8fb9804bd 100644 ---- a/contrib/mod_sftp/auth-password.c -+++ b/contrib/mod_sftp/auth-password.c -@@ -1,6 +1,6 @@ - /* - * ProFTPD - mod_sftp 'password' user authentication -- * Copyright (c) 2008-2015 TJ Saunders -+ * Copyright (c) 2008-2017 TJ Saunders - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -37,6 +37,7 @@ int sftp_auth_password(struct ssh2_packet *pkt, cmd_rec *pass_cmd, - char *passwd; - int have_new_passwd, res; - struct passwd *pw; -+ size_t passwd_len; - - cipher_algo = sftp_cipher_get_read_algo(); - mac_algo = sftp_mac_get_read_algo(); -@@ -77,6 +78,7 @@ int sftp_auth_password(struct ssh2_packet *pkt, cmd_rec *pass_cmd, - - passwd = sftp_msg_read_string(pkt->pool, buf, buflen); - passwd = sftp_utf8_decode_str(pkt->pool, passwd); -+ passwd_len = strlen(passwd); - - pass_cmd->arg = passwd; - -@@ -92,7 +94,7 @@ int sftp_auth_password(struct ssh2_packet *pkt, cmd_rec *pass_cmd, - pr_cmd_dispatch_phase(pass_cmd, POST_CMD_ERR, 0); - pr_cmd_dispatch_phase(pass_cmd, LOG_CMD_ERR, 0); - -- pr_memscrub(passwd, strlen(passwd)); -+ pr_memscrub(passwd, passwd_len); - - *send_userauth_fail = TRUE; - errno = EPERM; -@@ -109,15 +111,46 @@ int sftp_auth_password(struct ssh2_packet *pkt, cmd_rec *pass_cmd, - session.c->remote_name, pr_netaddr_get_ipstr(session.c->remote_addr), - pr_netaddr_get_ipstr(session.c->local_addr), session.c->local_port); - -- pr_memscrub(passwd, strlen(passwd)); -+ pr_memscrub(passwd, passwd_len); - - *send_userauth_fail = TRUE; - errno = ENOENT; - return 0; - } - -+ if (passwd_len == 0) { -+ config_rec *c; -+ int allow_empty_passwords = TRUE; -+ -+ c = find_config(main_server->conf, CONF_PARAM, "AllowEmptyPasswords", -+ FALSE); -+ if (c != NULL) { -+ allow_empty_passwords = *((int *) c->argv[0]); -+ } -+ -+ if (allow_empty_passwords == FALSE) { -+ pr_log_debug(DEBUG5, -+ "Refusing empty password from user '%s' (AllowEmptyPasswords false)", -+ user); -+ pr_log_auth(PR_LOG_NOTICE, -+ "Refusing empty password from user '%s'", user); -+ -+ pr_event_generate("mod_auth.empty-password", user); -+ pr_response_add_err(R_501, "Login incorrect."); -+ -+ pr_cmd_dispatch_phase(pass_cmd, POST_CMD_ERR, 0); -+ pr_cmd_dispatch_phase(pass_cmd, LOG_CMD_ERR, 0); -+ -+ pr_memscrub(passwd, passwd_len); -+ -+ *send_userauth_fail = TRUE; -+ errno = EPERM; -+ return 0; -+ } -+ } -+ - res = pr_auth_authenticate(pkt->pool, user, passwd); -- pr_memscrub(passwd, strlen(passwd)); -+ pr_memscrub(passwd, passwd_len); - - switch (res) { - case PR_AUTH_OK: -diff --git a/modules/mod_auth.c b/modules/mod_auth.c -index 2b76070f7..b60cea5a9 100644 ---- a/modules/mod_auth.c -+++ b/modules/mod_auth.c -@@ -2636,35 +2636,52 @@ MODRET auth_pre_pass(cmd_rec *cmd) { - - allow_empty_passwords = *((int *) c->argv[0]); - if (allow_empty_passwords == FALSE) { -+ const char *proto; -+ int reject_empty_passwd = FALSE, using_ssh2 = FALSE; - size_t passwd_len = 0; - -+ proto = pr_session_get_protocol(0); -+ if (strcmp(proto, "ssh2") == 0) { -+ using_ssh2 = TRUE; -+ } -+ - if (cmd->argc > 1) { - if (cmd->arg != NULL) { - passwd_len = strlen(cmd->arg); - } - } - -- /* Make sure to NOT enforce 'AllowEmptyPasswords off' if e.g. -- * the AllowDotLogin TLSOption is in effect. -- */ -- if (cmd->argc == 1 || -- passwd_len == 0) { -- -- if (session.auth_mech == NULL || -- strcmp(session.auth_mech, "mod_tls.c") != 0) { -- pr_log_debug(DEBUG5, -- "Refusing empty password from user '%s' (AllowEmptyPasswords " -- "false)", user); -- pr_log_auth(PR_LOG_NOTICE, -- "Refusing empty password from user '%s'", user); -- -- pr_event_generate("mod_auth.empty-password", user); -- pr_response_add_err(R_501, _("Login incorrect.")); -- return PR_ERROR(cmd); -+ if (passwd_len == 0) { -+ reject_empty_passwd = TRUE; -+ -+ /* Make sure to NOT enforce 'AllowEmptyPasswords off' if e.g. -+ * the AllowDotLogin TLSOption is in effect, or if the protocol is -+ * SSH2 (for mod_sftp uses "fake" PASS commands for the SSH login -+ * protocol). -+ */ -+ -+ if (session.auth_mech != NULL && -+ strcmp(session.auth_mech, "mod_tls.c") == 0) { -+ pr_log_debug(DEBUG9, "%s", "'AllowEmptyPasswords off' in effect, " -+ "BUT client authenticated via the AllowDotLogin TLSOption"); -+ reject_empty_passwd = FALSE; - } - -- pr_log_debug(DEBUG9, "%s", "'AllowEmptyPasswords off' in effect, " -- "BUT client authenticated via the AllowDotLogin TLSOption"); -+ if (using_ssh2 == TRUE) { -+ reject_empty_passwd = FALSE; -+ } -+ } -+ -+ if (reject_empty_passwd == TRUE) { -+ pr_log_debug(DEBUG5, -+ "Refusing empty password from user '%s' (AllowEmptyPasswords " -+ "false)", user); -+ pr_log_auth(PR_LOG_NOTICE, -+ "Refusing empty password from user '%s'", user); -+ -+ pr_event_generate("mod_auth.empty-password", user); -+ pr_response_add_err(R_501, _("Login incorrect.")); -+ return PR_ERROR(cmd); - } - } - } -diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm -index c919844ea..c608e76fc 100644 ---- a/tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm -+++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm -@@ -1279,6 +1279,11 @@ my $TESTS = { - test_class => [qw(bug forking sftp ssh2)], - }, - -+ sftp_config_allow_empty_passwords_off_bug4309 => { -+ order => ++$order, -+ test_class => [qw(bug forking sftp ssh2)], -+ }, -+ - sftp_multi_channels => { - order => ++$order, - test_class => [qw(forking sftp ssh2)], -@@ -41885,6 +41890,133 @@ sub sftp_config_insecure_hostkey_perms_bug4098 { - test_cleanup($setup->{log_file}, $ex); - } - -+sub sftp_config_allow_empty_passwords_off_bug4309 { -+ my $self = shift; -+ my $tmpdir = $self->{tmpdir}; -+ my $setup = test_setup($tmpdir, 'sftp'); -+ -+ my $other_user = 'nopassword'; -+ my $other_passwd = ''; -+ my $other_uid = 1000; -+ my $other_gid = 1000; -+ -+ auth_user_write($setup->{auth_user_file}, $other_user, $other_passwd, -+ $other_uid, $other_gid, $setup->{home_dir}, '/bin/bash'); -+ auth_group_write($setup->{auth_group_file}, $setup->{group}, $setup->{gid}, -+ $other_user); -+ -+ my $rsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_rsa_key'); -+ my $dsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_dsa_key'); -+ -+ my $config = { -+ PidFile => $setup->{pid_file}, -+ ScoreboardFile => $setup->{scoreboard_file}, -+ SystemLog => $setup->{log_file}, -+ TraceLog => $setup->{log_file}, -+ Trace => 'DEFAULT:10 ssh2:20 sftp:20', -+ -+ AuthUserFile => $setup->{auth_user_file}, -+ AuthGroupFile => $setup->{auth_group_file}, -+ -+ IfModules => { -+ 'mod_delay.c' => { -+ DelayEngine => 'off', -+ }, -+ -+ 'mod_sftp.c' => [ -+ "SFTPEngine on", -+ "SFTPLog $setup->{log_file}", -+ "SFTPHostKey $rsa_host_key", -+ "SFTPHostKey $dsa_host_key", -+ "AllowEmptyPasswords off", -+ ], -+ }, -+ }; -+ -+ my ($port, $config_user, $config_group) = config_write($setup->{config_file}, -+ $config); -+ -+ # Open pipes, for use between the parent and child processes. Specifically, -+ # the child will indicate when it's done with its test by writing a message -+ # to the parent. -+ my ($rfh, $wfh); -+ unless (pipe($rfh, $wfh)) { -+ die("Can't open pipe: $!"); -+ } -+ -+ require Net::SSH2; -+ -+ my $ex; -+ -+ # Fork child -+ $self->handle_sigchld(); -+ defined(my $pid = fork()) or die("Can't fork: $!"); -+ if ($pid) { -+ eval { -+ my $ssh2 = Net::SSH2->new(); -+ -+ sleep(1); -+ -+ # First, we'll try to login with normal user/password; this should -+ # succeed. -+ unless ($ssh2->connect('127.0.0.1', $port)) { -+ my ($err_code, $err_name, $err_str) = $ssh2->error(); -+ die("Can't connect to SSH2 server: [$err_name] ($err_code) $err_str"); -+ } -+ -+ unless ($ssh2->auth_password($setup->{user}, $setup->{passwd})) { -+ my ($err_code, $err_name, $err_str) = $ssh2->error(); -+ die("Can't login to SSH2 server: [$err_name] ($err_code) $err_str"); -+ } -+ -+ my $sftp = $ssh2->sftp(); -+ unless ($sftp) { -+ my ($err_code, $err_name, $err_str) = $ssh2->error(); -+ die("Can't use SFTP on SSH2 server: [$err_name] ($err_code) $err_str"); -+ } -+ -+ $sftp = undef; -+ $ssh2->disconnect(); -+ $ssh2 = undef; -+ -+ # Then, we'll try to login with an empty password; this should fail. -+ -+ $ssh2 = Net::SSH2->new(); -+ unless ($ssh2->connect('127.0.0.1', $port)) { -+ my ($err_code, $err_name, $err_str) = $ssh2->error(); -+ die("Can't connect to SSH2 server: [$err_name] ($err_code) $err_str"); -+ } -+ -+ if ($ssh2->auth_password($other_user, $other_passwd)) { -+ die("Login with empty password succeeded unexpectedly"); -+ } -+ -+ $ssh2->disconnect(); -+ }; -+ if ($@) { -+ $ex = $@; -+ } -+ -+ $wfh->print("done\n"); -+ $wfh->flush(); -+ -+ } else { -+ eval { server_wait($setup->{config_file}, $rfh) }; -+ if ($@) { -+ warn($@); -+ exit 1; -+ } -+ -+ exit 0; -+ } -+ -+ # Stop server -+ server_stop($setup->{pid_file}); -+ $self->assert_child_ok($pid); -+ -+ test_cleanup($setup->{log_file}, $ex); -+} -+ - sub sftp_multi_channel_downloads { - my $self = shift; - my $tmpdir = $self->{tmpdir}; diff --git a/459693c7.patch b/459693c7.patch deleted file mode 100644 index 2dbb55f..0000000 --- a/459693c7.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 459693c70c83b7d173ec10bb8089d4ce4e59d301 Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Tue, 2 May 2017 19:56:39 -0700 -Subject: [PATCH] Bug#4306: AllowChrootSymlinks off could cause login failures - depending on filesystem permissions. - -Use the IDs of the logging-in user to perform the directory walk, looking -for symlinks, to be more consistent with similar checks done during login. ---- - modules/mod_auth.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/modules/mod_auth.c b/modules/mod_auth.c -index d93c630..2b76070 100644 ---- a/modules/mod_auth.c -+++ b/modules/mod_auth.c -@@ -936,9 +936,13 @@ static int get_default_root(pool *p, int allow_symlinks, const char **root) { - path[pathlen-1] = '\0'; - } - -+ PRIVS_USER - res = is_symlink_path(p, path, pathlen); -+ xerrno = errno; -+ PRIVS_RELINQUISH -+ - if (res < 0) { -- if (errno == EPERM) { -+ if (xerrno == EPERM) { - pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink " - "(denied by AllowChrootSymlinks config)", path); - } diff --git a/6cc96b5f.patch b/6cc96b5f.patch deleted file mode 100644 index 9529c31..0000000 --- a/6cc96b5f.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 48012e5ab7969fc77d0724769b1e737343ed654d Mon Sep 17 00:00:00 2001 -From: Paul Howarth -Date: Wed, 10 May 2017 10:10:40 +0100 -Subject: [PATCH] Switch to Type = simple and add configuration test - -Upstream recommends Type = simple if possible rather than Type = forking: -http://0pointer.de/public/systemd-man/daemon.html#Integration%20with%20Systemd - -Also add configuration test prior to starting the daemon, to help diagnose -start-up problems. ---- - contrib/dist/rpm/proftpd.service | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/contrib/dist/rpm/proftpd.service b/contrib/dist/rpm/proftpd.service -index 07802ca..8a4df33 100644 ---- a/contrib/dist/rpm/proftpd.service -+++ b/contrib/dist/rpm/proftpd.service -@@ -3,14 +3,13 @@ Description = ProFTPD FTP Server - After = network.target nss-lookup.target local-fs.target remote-fs.target - - [Service] --Type = forking --PIDFile = /run/proftpd/proftpd.pid -+Type = simple - Environment = PROFTPD_OPTIONS= - EnvironmentFile = -/etc/sysconfig/proftpd --ExecStart = /usr/sbin/proftpd $PROFTPD_OPTIONS --ExecStartPost = /usr/bin/touch /var/lock/subsys/proftpd --ExecStopPost = /bin/rm -f /var/lock/subsys/proftpd -+ExecStartPre = /usr/sbin/proftpd --configtest -+ExecStart = /usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS - ExecReload = /bin/kill -HUP $MAINPID -+PIDFile = /run/proftpd/proftpd.pid - - [Install] - WantedBy = multi-user.target diff --git a/73887e02.patch b/73887e02.patch deleted file mode 100644 index 9b29991..0000000 --- a/73887e02.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 73887e02dbcc9e6e94b26f30c3ef89acb8016f2d Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Sun, 21 May 2017 13:25:50 -0700 -Subject: [PATCH] Merge pull request #510 from pghmcfc/32-bit-fixes - -32 bit fixes ---- - src/trace.c | 16 ++++++++++++++++ - tests/api/misc.c | 2 +- - 2 files changed, 17 insertions(+), 1 deletion(-) - -diff --git a/src/trace.c b/src/trace.c -index 1c29cc6bf..dc22e9e89 100644 ---- a/src/trace.c -+++ b/src/trace.c -@@ -273,7 +273,13 @@ int pr_trace_parse_levels(char *str, int *min_level, int *max_level) { - ptr = strchr(str, '-'); - if (ptr == NULL) { - /* Just a single value. */ -+ errno = 0; - high = (int) strtol(str, &ptr, 10); -+ if (errno == ERANGE) { -+ errno = EINVAL; -+ return -1; -+ } -+ - if (ptr && *ptr) { - errno = EINVAL; - return -1; -@@ -302,6 +308,11 @@ int pr_trace_parse_levels(char *str, int *min_level, int *max_level) { - *ptr = '\0'; - - low = (int) strtol(str, &tmp, 10); -+ if (errno == ERANGE) { -+ errno = EINVAL; -+ return -1; -+ } -+ - if (tmp && *tmp) { - *ptr = '-'; - errno = EINVAL; -@@ -316,6 +327,11 @@ int pr_trace_parse_levels(char *str, int *min_level, int *max_level) { - - tmp = NULL; - high = (int) strtol(ptr + 1, &tmp, 10); -+ if (errno == ERANGE) { -+ errno = EINVAL; -+ return -1; -+ } -+ - if (tmp && *tmp) { - errno = EINVAL; - return -1; -diff --git a/tests/api/misc.c b/tests/api/misc.c -index 16d56cb71..926d9b3e3 100644 ---- a/tests/api/misc.c -+++ b/tests/api/misc.c -@@ -702,7 +702,7 @@ START_TEST (check_shutmsg_test) { - - (void) unlink(path); - res = write_shutmsg(path, -- "2340 1 1 0 0 0 0000 0000\nGoodbye, cruel world!\n"); -+ "2037 1 1 0 0 0 0000 0000\nGoodbye, cruel world!\n"); - fail_unless(res == 0, "Failed to write '%s': %s", path, strerror(errno)); - - mark_point(); diff --git a/757b9633.patch b/757b9633.patch deleted file mode 100644 index 22f57c4..0000000 --- a/757b9633.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 757b9633191eafa32a86ab8ec032e743d0227093 Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Wed, 5 Jul 2017 23:33:16 -0700 -Subject: [PATCH] Bug#4308: When authorizing a user, check for any shadow - information for that user, and use such information as part of the - authorization check. - ---- - modules/mod_auth_unix.c | 67 +++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 54 insertions(+), 13 deletions(-) - -diff --git a/modules/mod_auth_unix.c b/modules/mod_auth_unix.c -index 788b4c549..7d7a994d7 100644 ---- a/modules/mod_auth_unix.c -+++ b/modules/mod_auth_unix.c -@@ -715,34 +715,40 @@ static char *get_pwd_info(pool *p, const char *u, time_t *lstchg, time_t *min, - MODRET pw_auth(cmd_rec *cmd) { - int res; - time_t now; -- char *cpw; -- time_t lstchg = -1, max = -1, inact = -1, disable = -1; -+ char *cleartxt_passwd; -+ time_t lstchg = -1, max = -1, inact = -1, expire = -1; - const char *name; -+ size_t cleartxt_passwdlen; - - name = cmd->argv[0]; -- time(&now); - -- cpw = get_pwd_info(cmd->tmp_pool, name, &lstchg, NULL, &max, NULL, &inact, -- &disable); -- if (cpw == NULL) { -+ cleartxt_passwd = get_pwd_info(cmd->tmp_pool, name, &lstchg, NULL, &max, -+ NULL, &inact, &expire); -+ if (cleartxt_passwd == NULL) { - return PR_DECLINED(cmd); - } - -- res = pr_auth_check(cmd->tmp_pool, cpw, cmd->argv[0], cmd->argv[1]); -+ res = pr_auth_check(cmd->tmp_pool, cleartxt_passwd, cmd->argv[0], -+ cmd->argv[1]); -+ cleartxt_passwdlen = strlen(cleartxt_passwd); -+ pr_memscrub(cleartxt_passwd, cleartxt_passwdlen); -+ - if (res < PR_AUTH_OK) { - return PR_ERROR_INT(cmd, res); - } - -+ time(&now); -+ - if (lstchg > (time_t) 0 && - max > (time_t) 0 && - inact > (time_t) 0) { -- if (now > lstchg + max + inact) { -+ if (now > (lstchg + max + inact)) { - return PR_ERROR_INT(cmd, PR_AUTH_AGEPWD); - } - } - -- if (disable > (time_t) 0 && -- now > disable) { -+ if (expire > (time_t) 0 && -+ now > expire) { - return PR_ERROR_INT(cmd, PR_AUTH_DISABLEDPWD); - } - -@@ -751,14 +757,49 @@ MODRET pw_auth(cmd_rec *cmd) { - } - - MODRET pw_authz(cmd_rec *cmd) { -+ time_t now; -+ char *user, *cleartxt_passwd; -+ time_t lstchg = -1, max = -1, inact = -1, expire = -1; -+ size_t cleartxt_passwdlen; -+ -+ user = cmd->argv[0]; -+ -+ cleartxt_passwd = get_pwd_info(cmd->tmp_pool, user, &lstchg, NULL, &max, -+ NULL, &inact, &expire); -+ if (cleartxt_passwd == NULL) { -+ pr_log_auth(LOG_WARNING, "no password information found for user '%.100s'", -+ user); -+ return PR_ERROR_INT(cmd, PR_AUTH_NOPWD); -+ } -+ -+ cleartxt_passwdlen = strlen(cleartxt_passwd); -+ pr_memscrub(cleartxt_passwd, cleartxt_passwdlen); -+ -+ time(&now); -+ -+ if (lstchg > (time_t) 0 && -+ max > (time_t) 0 && -+ inact > (time_t) 0) { -+ if (now > (lstchg + max + inact)) { -+ pr_log_auth(LOG_WARNING, -+ "account for user '%.100s' disabled due to inactivity", user); -+ return PR_ERROR_INT(cmd, PR_AUTH_AGEPWD); -+ } -+ } -+ -+ if (expire > (time_t) 0 && -+ now > expire) { -+ pr_log_auth(LOG_WARNING, -+ "account for user '%.100s' disabled due to password expiration", user); -+ return PR_ERROR_INT(cmd, PR_AUTH_DISABLEDPWD); -+ } -+ - /* XXX Any other implementations here? */ - - #ifdef HAVE_LOGINRESTRICTIONS - if (!(auth_unix_opts & AUTH_UNIX_OPT_AIX_NO_RLOGIN)) { - int res, xerrno, code = 0; -- char *user = NULL, *reason = NULL; -- -- user = cmd->argv[0]; -+ char *reason = NULL; - - /* Check for account login restrictions and such using AIX-specific - * functions. diff --git a/7907aa65.patch b/7907aa65.patch deleted file mode 100644 index 7ff1f2e..0000000 --- a/7907aa65.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 925ee5b8f636ab2fd5a3e02af79ba49f54a85b8d Mon Sep 17 00:00:00 2001 -From: Paul Howarth -Date: Fri, 5 May 2017 15:38:59 +0100 -Subject: [PATCH] Don't touch TLSCipherSuite when using system profiles - -Fedora and possibly other Linux distributions support system-wide -crypto policies to enable sane defaults to be specified in an ever -changing world of different cipher recommendations. In order to use -such a policy, OpenSSL users just set their cipher selection to -"PROFILE=SYSTEM", and the system-wide policy will be selected -(which can itself be set to various values, for best compatibility, -best strength, a compromise of the two, etc.). - -See: -https://fedoraproject.org/wiki/Packaging:CryptoPolicies -https://fedoraproject.org/wiki/Changes/CryptoPolicy - -The "PROFILE=SYSTEM" string cannot be used in conjunction with other -cipher selections, so prepending it with "!EXPORT:" results in: - -mod_tls/2.7[xxxxx]: unable to accept TLS connection: client does not support -any cipher from 'TLSCipherSuite !EXPORT:PROFILE=SYSTEM' (see `openssl ciphers -!EXPORT:PROFILE=SYSTEM` for full list) - -Hence, do not touch the supplied TLSCipherSuite if it starts with "PROFILE=". ---- - contrib/mod_tls.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c -index 3ff8ee2..c38ecac 100644 ---- a/contrib/mod_tls.c -+++ b/contrib/mod_tls.c -@@ -11985,7 +11985,12 @@ MODRET set_tlsciphersuite(cmd_rec *cmd) { - c = add_config_param(cmd->argv[0], 1, NULL); - - /* Make sure that EXPORT ciphers cannot be used, per Bug#4163. */ -- ciphersuite = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL); -+ /* This breaks system profiles though, so don't change them. */ -+ if (strncmp(ciphersuite, "PROFILE=", 8) == 0) { -+ ciphersuite = pstrdup(c->pool, ciphersuite); -+ } else { -+ ciphersuite = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL); -+ } - - /* Check that our construct ciphersuite is acceptable. */ - ctx = SSL_CTX_new(SSLv23_server_method()); diff --git a/8a186e2d.patch b/8a186e2d.patch deleted file mode 100644 index 28d9b29..0000000 --- a/8a186e2d.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 2f563aa12cf1ed199671821e2fba7088ab36b681 Mon Sep 17 00:00:00 2001 -From: Paul Howarth -Date: Thu, 18 May 2017 15:38:46 +0100 -Subject: [PATCH] Use /etc/hosts rather than /etc/resolv.conf in fsio unit - tests - -The fsio unit tests require a read-only system file to test that -files can be read, can't be written or deleted etc. The file -/etc/resolv.conf is currently used for this, but does not exist -in the minimum build environment used on Fedora's koji build -servers, resulting in test failures. Using /etc/hosts, which does -exist there and should be equally ubiquitous, fixes this issue. ---- - tests/api/fsio.c | 40 ++++++++++++++++++++-------------------- - 1 file changed, 20 insertions(+), 20 deletions(-) - -diff --git a/tests/api/fsio.c b/tests/api/fsio.c -index bacd306..3cb1741 100644 ---- a/tests/api/fsio.c -+++ b/tests/api/fsio.c -@@ -119,8 +119,8 @@ START_TEST (fsio_sys_open_test) { - - mark_point(); - flags = O_RDONLY; -- fh = pr_fsio_open("/etc/resolv.conf", flags); -- fail_unless(fh != NULL, "Failed to /etc/resolv.conf: %s", strerror(errno)); -+ fh = pr_fsio_open("/etc/hosts", flags); -+ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", strerror(errno)); - - (void) pr_fsio_close(fh); - } -@@ -144,8 +144,8 @@ START_TEST (fsio_sys_open_canon_test) { - strerror(errno), errno); - - flags = O_RDONLY; -- fh = pr_fsio_open_canon("/etc/resolv.conf", flags); -- fail_unless(fh != NULL, "Failed to /etc/resolv.conf: %s", strerror(errno)); -+ fh = pr_fsio_open_canon("/etc/hosts", flags); -+ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", strerror(errno)); - - (void) pr_fsio_close(fh); - } -@@ -159,7 +159,7 @@ START_TEST (fsio_sys_open_chroot_guard_test) { - res = pr_fsio_guard_chroot(TRUE); - fail_unless(res == FALSE, "Expected FALSE (%d), got %d", FALSE, res); - -- path = "/etc/resolv.conf"; -+ path = "/etc/hosts"; - flags = O_CREAT|O_RDONLY; - fh = pr_fsio_open(path, flags); - if (fh != NULL) { -@@ -203,7 +203,7 @@ START_TEST (fsio_sys_open_chroot_guard_test) { - - (void) pr_fsio_guard_chroot(FALSE); - -- path = "/etc/resolv.conf"; -+ path = "/etc/hosts"; - flags = O_RDONLY; - fh = pr_fsio_open(path, flags); - fail_unless(fh != NULL, "Failed to open '%s': %s", path, strerror(errno)); -@@ -220,8 +220,8 @@ START_TEST (fsio_sys_close_test) { - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s %d", EINVAL, - strerror(errno), errno); - -- fh = pr_fsio_open("/etc/resolv.conf", O_RDONLY); -- fail_unless(fh != NULL, "Failed to open /etc/resolv.conf: %s", -+ fh = pr_fsio_open("/etc/hosts", O_RDONLY); -+ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", - strerror(errno)); - - res = pr_fsio_close(fh); -@@ -265,8 +265,8 @@ START_TEST (fsio_sys_unlink_chroot_guard_test) { - res = pr_fsio_guard_chroot(TRUE); - fail_unless(res == FALSE, "Expected FALSE (%d), got %d", FALSE, res); - -- res = pr_fsio_unlink("/etc/resolv.conf"); -- fail_unless(res < 0, "Deleted /etc/resolv.conf unexpectedly"); -+ res = pr_fsio_unlink("/etc/hosts"); -+ fail_unless(res < 0, "Deleted /etc/hosts unexpectedly"); - fail_unless(errno == EACCES, "Expected EACCES (%d), got %s %d", EACCES, - strerror(errno), errno); - -@@ -352,12 +352,12 @@ START_TEST (fsio_sys_fstat_test) { - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); - -- fh = pr_fsio_open("/etc/resolv.conf", O_RDONLY); -- fail_unless(fh != NULL, "Failed to open /etc/resolv.conf: %s", -+ fh = pr_fsio_open("/etc/hosts", O_RDONLY); -+ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", - strerror(errno)); - - res = pr_fsio_fstat(fh, &st); -- fail_unless(res == 0, "Failed to fstat /etc/resolv.conf: %s", -+ fail_unless(res == 0, "Failed to fstat /etc/hosts: %s", - strerror(errno)); - (void) pr_fsio_close(fh); - } -@@ -374,8 +374,8 @@ START_TEST (fsio_sys_read_test) { - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); - -- fh = pr_fsio_open("/etc/resolv.conf", O_RDONLY); -- fail_unless(fh != NULL, "Failed to open /etc/resolv.conf: %s", -+ fh = pr_fsio_open("/etc/hosts", O_RDONLY); -+ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", - strerror(errno)); - - res = pr_fsio_read(fh, NULL, 0); -@@ -443,8 +443,8 @@ START_TEST (fsio_sys_lseek_test) { - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); - -- fh = pr_fsio_open("/etc/resolv.conf", O_RDONLY); -- fail_unless(fh != NULL, "Failed to open /etc/resolv.conf: %s", -+ fh = pr_fsio_open("/etc/hosts", O_RDONLY); -+ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", - strerror(errno)); - - res = pr_fsio_lseek(fh, 0, 0); -@@ -2083,7 +2083,7 @@ START_TEST (fsio_sys_chdir_test) { - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); - -- res = pr_fsio_chdir("/etc/resolv.conf", FALSE); -+ res = pr_fsio_chdir("/etc/hosts", FALSE); - fail_unless(res < 0, "Failed to handle file argument"); - fail_unless(errno == EINVAL || errno == ENOTDIR, - "Expected EINVAL (%d) or ENOTDIR (%d), got %s (%d)", EINVAL, ENOTDIR, -@@ -2145,7 +2145,7 @@ START_TEST (fsio_sys_opendir_test) { - strerror(errno), errno); - - mark_point(); -- path = "/etc/resolv.conf"; -+ path = "/etc/hosts"; - res = pr_fsio_opendir(path); - fail_unless(res == NULL, "Failed to handle file argument"); - fail_unless(errno == ENOTDIR, "Expected ENOTDIR (%d), got %s (%d)", ENOTDIR, -@@ -2175,7 +2175,7 @@ START_TEST (fsio_sys_readdir_test) { - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); - -- dent = pr_fsio_readdir("/etc/resolv.conf"); -+ dent = pr_fsio_readdir("/etc/hosts"); - fail_unless(dent == NULL, "Failed to handle file argument"); - fail_unless(errno == ENOTDIR, "Expected ENOTDIR (%d), got %s (%d)", ENOTDIR, - strerror(errno), errno); diff --git a/a2c02a6b.patch b/a2c02a6b.patch deleted file mode 100644 index 042fb43..0000000 --- a/a2c02a6b.patch +++ /dev/null @@ -1,58 +0,0 @@ -From a2c02a6baf555fea10ea0bccdcc4e632fb9d4711 Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Sun, 27 May 2018 16:11:24 -0700 -Subject: [PATCH] Issue #674: Update mod_sftp to handle changed APIs in OpenSSL - 1.1.x releases. - ---- - contrib/mod_sftp/keys.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/contrib/mod_sftp/keys.c b/contrib/mod_sftp/keys.c -index 19bf8edf5..191dbabb9 100644 ---- a/contrib/mod_sftp/keys.c -+++ b/contrib/mod_sftp/keys.c -@@ -1,6 +1,6 @@ - /* - * ProFTPD - mod_sftp key mgmt (keys) -- * Copyright (c) 2008-2017 TJ Saunders -+ * Copyright (c) 2008-2018 TJ Saunders - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -2780,7 +2780,7 @@ static const unsigned char *dsa_sign_data(pool *p, const unsigned char *data, - - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ - !defined(HAVE_LIBRESSL) -- DSA_SIG_get0(&sig_r, &sig_s, sig); -+ DSA_SIG_get0(sig, &sig_r, &sig_s); - #else - sig_r = sig->r; - sig_s = sig->s; -@@ -2960,7 +2960,7 @@ static const unsigned char *ecdsa_sign_data(pool *p, const unsigned char *data, - - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ - !defined(HAVE_LIBRESSL) -- ECDSA_SIG_get0(&sig_r, &sig_s, sig); -+ ECDSA_SIG_get0(sig, &sig_r, &sig_s); - #else - sig_r = sig->r; - sig_s = sig->s; -@@ -3307,7 +3307,7 @@ int sftp_keys_verify_signed_data(pool *p, const char *pubkey_algo, - dsa_sig = DSA_SIG_new(); - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ - !defined(HAVE_LIBRESSL) -- DSA_SIG_get0(&sig_r, &sig_s, dsa_sig); -+ DSA_SIG_get0(sig, &sig_r, &sig_s); - #else - sig_r = dsa_sig->r; - sig_s = dsa_sig->s; -@@ -3426,7 +3426,7 @@ int sftp_keys_verify_signed_data(pool *p, const char *pubkey_algo, - - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ - !defined(HAVE_LIBRESSL) -- ECDSA_SIG_get0(&sig_r, &sig_s, ecdsa_sig); -+ ECDSA_SIG_get0(ecdsa_sig, &sig_r, &sig_s); - #else - sig_r = ecdsa_sig->r; - sig_s = ecdsa_sig->s; diff --git a/aa85f127.patch b/aa85f127.patch deleted file mode 100644 index 73db308..0000000 --- a/aa85f127.patch +++ /dev/null @@ -1,159 +0,0 @@ -From aa85f127d31346a28c619ee426090f1f23fd2249 Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Fri, 5 May 2017 09:24:10 -0700 -Subject: [PATCH] Improve detection of badly configured ciphersuites (e.g. - unsupported/misspelled cipher suites) at startup time. - ---- - contrib/mod_tls.c | 21 +++++++++++- - doc/contrib/mod_tls.html | 21 +++++++++++- - tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm | 50 ++++++++++++++++++++++++++++ - 3 files changed, 90 insertions(+), 2 deletions(-) - -diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c -index 7a2a74f..3ff8ee2 100644 ---- a/contrib/mod_tls.c -+++ b/contrib/mod_tls.c -@@ -11976,6 +11976,7 @@ MODRET set_tlscertchain(cmd_rec *cmd) { - MODRET set_tlsciphersuite(cmd_rec *cmd) { - config_rec *c = NULL; - char *ciphersuite = NULL; -+ SSL_CTX *ctx; - - CHECK_ARGS(cmd, 1); - CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL); -@@ -11984,8 +11985,26 @@ MODRET set_tlsciphersuite(cmd_rec *cmd) { - c = add_config_param(cmd->argv[0], 1, NULL); - - /* Make sure that EXPORT ciphers cannot be used, per Bug#4163. */ -- c->argv[0] = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL); -+ ciphersuite = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL); -+ -+ /* Check that our construct ciphersuite is acceptable. */ -+ ctx = SSL_CTX_new(SSLv23_server_method()); -+ if (ctx != NULL) { -+ if (SSL_CTX_set_cipher_list(ctx, ciphersuite) != 1) { -+ /* Note: tls_get_errors() relies on session.pool, so temporarily set -+ * it to our temporary pool. -+ */ -+ session.pool = cmd->tmp_pool; -+ -+ CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, -+ "unable to use configured TLSCipherSuite '", ciphersuite, "': ", -+ tls_get_errors(), NULL)); -+ } -+ -+ SSL_CTX_free(ctx); -+ } - -+ c->argv[0] = ciphersuite; - return PR_HANDLED(cmd); - } - -diff --git a/doc/contrib/mod_tls.html b/doc/contrib/mod_tls.html -index c1d3f2d..cc88946 100644 ---- a/doc/contrib/mod_tls.html -+++ b/doc/contrib/mod_tls.html -@@ -295,7 +295,13 @@ - Compatibility: 1.2.7rc1 and later - -

--Default cipher list is "DEFAULT:!ADH:!EXPORT:!DES". -+Sets the list of SSL/TLS ciphersuites for use. Default cipher list is -+"DEFAULT:!ADH:!EXPORT:!DES". -+ -+

-+Note that mod_tls will automatically prepend the -+configured cipher-list with "!EXPORT", in order to prevent the -+use of the insecure "export grade" ciphers. - -

- How to put together a cipher list parameter: -@@ -2215,6 +2221,19 @@ - TLSDHParamFile /path/to/dh1024.pem - - -+

-+Question: I tried to configure a specific ciphersuite -+using TLSCipherSuite, but ProFTPD fails on startup with this error: -+

-+  fatal: TLSCipherSuite: unable to use configured TLSCipherSuite '!EXPORT:MYCIPHER':
-+  (1) error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match on line 16 of '/etc/proftpd/tls.conf'
-+
-+Answer: This error indicates that the version of OpenSSL -+does not recognize/support one of the ciphers that you configured in your -+TLSCipherSuite list. Unfortunately the OpenSSL error reporting -+does not pinpoint which is the offending ciphersuite; experimenting -+with your cipher list will reveal which ones are problematic. -+ -

-

-

Installation

-diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm -index f7cd171..226d47c 100644 ---- a/tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm -+++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm -@@ -299,6 +299,11 @@ my $TESTS = { - test_class => [qw(bug forking)], - }, - -+ tls_config_tlsciphersuite_bad_cipher => { -+ order => ++$order, -+ test_class => [qw(forking)], -+ }, -+ - tls_session_cache_off_bug3869 => { - order => ++$order, - test_class => [qw(bug forking)], -@@ -8983,6 +8988,51 @@ sub tls_config_tlsdhparamfile_bug3868 { - unlink($log_file); - } - -+sub tls_config_tlsciphersuite_bad_cipher { -+ my $self = shift; -+ my $tmpdir = $self->{tmpdir}; -+ my $setup = test_setup($tmpdir, 'tls'); -+ -+ my $cert_file = File::Spec->rel2abs('t/etc/modules/mod_tls/server-cert.pem'); -+ my $ca_file = File::Spec->rel2abs('t/etc/modules/mod_tls/ca-cert.pem'); -+ -+ my $config = { -+ PidFile => $setup->{pid_file}, -+ ScoreboardFile => $setup->{scoreboard_file}, -+ SystemLog => $setup->{log_file}, -+ -+ IfModules => { -+ 'mod_delay.c' => { -+ DelayEngine => 'off', -+ }, -+ -+ 'mod_tls.c' => { -+ TLSEngine => 'on', -+ TLSLog => $setup->{log_file}, -+ TLSRSACertificateFile => $cert_file, -+ TLSCACertificateFile => $ca_file, -+ TLSCipherSuite => 'FOOBAR', -+ }, -+ }, -+ }; -+ -+ my ($port, $config_user, $config_group) = config_write($setup->{config_file}, -+ $config); -+ -+ my $ex; -+ -+ # This should silently fail. -+ server_start($setup->{config_file}); -+ -+ # This is where we detect the actual problem. -+ eval { server_stop($setup->{pid_file}) }; -+ unless ($@) { -+ $ex = "Server start with bad config unexpectedly"; -+ } -+ -+ test_cleanup($setup->{log_file}, $ex); -+} -+ - sub tls_session_cache_off_bug3869 { - my $self = shift; - my $tmpdir = $self->{tmpdir}; diff --git a/ad786eaa.patch b/ad786eaa.patch deleted file mode 100644 index 7e5dd2e..0000000 --- a/ad786eaa.patch +++ /dev/null @@ -1,23 +0,0 @@ -From ad786eaa8a232795470dbeab2380dc8d8ac803af Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Fri, 27 Oct 2017 09:28:19 -0700 -Subject: [PATCH] Merge pull request #617 from pghmcfc/systemd-network-online - -systemd: use network-online.target ---- - contrib/dist/rpm/proftpd.service | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/contrib/dist/rpm/proftpd.service b/contrib/dist/rpm/proftpd.service -index 8a4df33c9..6c81db398 100644 ---- a/contrib/dist/rpm/proftpd.service -+++ b/contrib/dist/rpm/proftpd.service -@@ -1,6 +1,7 @@ - [Unit] - Description = ProFTPD FTP Server --After = network.target nss-lookup.target local-fs.target remote-fs.target -+Wants=network-online.target -+After=network-online.target nss-lookup.target local-fs.target remote-fs.target - - [Service] - Type = simple diff --git a/adfdc01d.patch b/adfdc01d.patch deleted file mode 100644 index afb5851..0000000 --- a/adfdc01d.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 84549ece3a839161794deee1721fc0cf9bf9eb9c Mon Sep 17 00:00:00 2001 -From: Paul Howarth -Date: Mon, 8 May 2017 10:16:32 +0100 -Subject: [PATCH] Use absolute pathnames for executables in systemd unit files - -Otherwise, systemd complains about them and ignores the commands. ---- - contrib/dist/rpm/proftpd.service | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/contrib/dist/rpm/proftpd.service b/contrib/dist/rpm/proftpd.service -index c2fd401..07802ca 100644 ---- a/contrib/dist/rpm/proftpd.service -+++ b/contrib/dist/rpm/proftpd.service -@@ -8,8 +8,8 @@ PIDFile = /run/proftpd/proftpd.pid - Environment = PROFTPD_OPTIONS= - EnvironmentFile = -/etc/sysconfig/proftpd - ExecStart = /usr/sbin/proftpd $PROFTPD_OPTIONS --ExecStartPost = touch /var/lock/subsys/proftpd --ExecStopPost = rm -f /var/lock/subsys/proftpd -+ExecStartPost = /usr/bin/touch /var/lock/subsys/proftpd -+ExecStopPost = /bin/rm -f /var/lock/subsys/proftpd - ExecReload = /bin/kill -HUP $MAINPID - - [Install] diff --git a/c3e5d75f.patch b/c3e5d75f.patch deleted file mode 100644 index faf9ef6..0000000 --- a/c3e5d75f.patch +++ /dev/null @@ -1,97 +0,0 @@ -From c3e5d75f9c8a60af42646319fcca832d5f1a55d4 Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Sun, 21 May 2017 13:44:23 -0700 -Subject: [PATCH] Merge pull request #513 from pghmcfc/similars - -Fix pr_str_get_similars ---- - src/str.c | 4 ++-- - tests/api/str.c | 36 +++++++++++++++++++----------------- - 2 files changed, 21 insertions(+), 19 deletions(-) - -diff --git a/src/str.c b/src/str.c -index eeed096ef..0a59f2379 100644 ---- a/src/str.c -+++ b/src/str.c -@@ -725,11 +725,11 @@ static int distance_cmp(const void *a, const void *b) { - const char *s1, *s2; - int distance1, distance2; - -- cand1 = a; -+ cand1 = * (const struct candidate **) a; - s1 = cand1->s; - distance1 = cand1->distance; - -- cand2 = b; -+ cand2 = * (const struct candidate **) b; - s2 = cand2->s; - distance2 = cand2->distance; - -diff --git a/tests/api/str.c b/tests/api/str.c -index 7c6e11000..9dce95820 100644 ---- a/tests/api/str.c -+++ b/tests/api/str.c -@@ -1469,25 +1469,23 @@ START_TEST (similars_test) { - mark_point(); - similars = (const char **) res->elts; - -- /* Note: We see different results here due to (I think) different -- * qsort(3) implementations. -+ /* -+ * Note: expected distances are as follows: -+ * -+ * Candidate Case-Sensitive Case-Insensitive -+ * fools 0 0 -+ * odd 5 5 -+ * bar 5 5 -+ * FOO 5 0 - */ - -- expected = "FOO"; -- if (strcmp(similars[0], expected) != 0) { -- expected = "fools"; -- } -+ expected = "fools"; - - fail_unless(strcmp(similars[0], expected) == 0, - "Expected similar '%s', got '%s'", expected, similars[0]); - -- expected = "fools"; -- if (strcmp(similars[1], expected) != 0) { -- expected = "FOO"; -- } -- -- fail_unless(strcmp(similars[1], expected) == 0, -- "Expected similar '%s', got '%s'", expected, similars[1]); -+ fail_unless(strcmp(similars[1], expected) != 0, -+ "Unexpectedly got similar '%s'", similars[1]); - - mark_point(); - res = pr_str_get_similars(p, s, candidates, 0, PR_STR_FL_IGNORE_CASE); -@@ -1499,18 +1497,22 @@ START_TEST (similars_test) { - mark_point(); - similars = (const char **) res->elts; - -+ /* -+ * similars[0] and similars[1] should be "FOO" and "fools", but -+ * not necessarily in that order -+ */ - expected = "FOO"; - if (strcmp(similars[0], expected) != 0) { -- expected = "fools"; -+ expected = similars[0]; -+ similars[0] = similars[1]; -+ similars[1] = expected; -+ expected = "FOO"; - } - - fail_unless(strcmp(similars[0], expected) == 0, - "Expected similar '%s', got '%s'", expected, similars[0]); - - expected = "fools"; -- if (strcmp(similars[1], expected) != 0) { -- expected = "FOO"; -- } - - fail_unless(strcmp(similars[1], expected) == 0, - "Expected similar '%s', got '%s'", expected, similars[1]); diff --git a/fa378a8f.patch b/fa378a8f.patch deleted file mode 100644 index ddfb05e..0000000 --- a/fa378a8f.patch +++ /dev/null @@ -1,31 +0,0 @@ -From fa378a8f2bc1b24ab93c157495960080aa788299 Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Wed, 8 Aug 2018 11:15:21 -0700 -Subject: [PATCH] Bug#4356: Fix infinite loop by actually iterating properly - for the next configuration record. Oops. - ---- - contrib/mod_sftp/mod_sftp.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/contrib/mod_sftp/mod_sftp.c b/contrib/mod_sftp/mod_sftp.c -index b7fdfa541..655b12af1 100644 ---- a/contrib/mod_sftp/mod_sftp.c -+++ b/contrib/mod_sftp/mod_sftp.c -@@ -1,6 +1,6 @@ - /* - * ProFTPD - mod_sftp -- * Copyright (c) 2008-2017 TJ Saunders -+ * Copyright (c) 2008-2018 TJ Saunders - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -1211,6 +1211,8 @@ MODRET set_sftphostkey(cmd_rec *cmd) { - insecure_hostkey_perms = TRUE; - break; - } -+ -+ c = find_config_next(c, c->next, CONF_PARAM, "SFTPOptions", FALSE); - } - - if (insecure_hostkey_perms) { diff --git a/proftpd-1.3.4rc1-mod_vroot-test.patch b/proftpd-1.3.4rc1-mod_vroot-test.patch index e2314cc..1bea0e8 100644 --- a/proftpd-1.3.4rc1-mod_vroot-test.patch +++ b/proftpd-1.3.4rc1-mod_vroot-test.patch @@ -1,6 +1,6 @@ --- proftpd-1.3.4rc1/tests/tests.pl 2010-12-15 00:57:04.000000000 +0000 +++ proftpd-1.3.4rc1/tests/tests.pl 2011-01-11 09:22:57.746669659 +0000 -@@ -283,6 +283,11 @@ +@@ -478,6 +478,11 @@ test_class => [qw(mod_unique_id)], }, diff --git a/proftpd-1.3.6-CVE-2019-12815.patch b/proftpd-1.3.6-CVE-2019-12815.patch deleted file mode 100644 index c5d85e7..0000000 --- a/proftpd-1.3.6-CVE-2019-12815.patch +++ /dev/null @@ -1,104 +0,0 @@ -From a73dbfe3b61459e7c2806d5162b12f0957990cb3 Mon Sep 17 00:00:00 2001 -From: TJ Saunders -Date: Wed, 17 Jul 2019 09:48:39 -0700 -Subject: [PATCH] Backport of fix for Bug#4372 to the 1.3.6 branch. - ---- - NEWS | 1 + - contrib/mod_copy.c | 36 +++++++++++++++++++++++++++++++++--- - 2 files changed, 34 insertions(+), 3 deletions(-) - -#diff --git a/NEWS b/NEWS -#index c6635bd1a..048ddb3c9 100644 -#--- a/NEWS -#+++ b/NEWS -#@@ -62,6 +62,7 @@ -# - Bug 4332 - Symlink navigation broken after 1.3.6 update. The changes for -# Bug#4219 have been rolled back. -# - Issue 795 - Unable to connect to ProFTPD using TLSSessionTickets and TLSv1.3. -#+- Bug 4372 - SITE CPFR/CPTO do not honor configurations. -# -# 1.3.6 - Released 09-Apr-2017 -# -------------------------------- -diff --git a/contrib/mod_copy.c b/contrib/mod_copy.c -index 26b72a91d..c8672c40d 100644 ---- a/contrib/mod_copy.c -+++ b/contrib/mod_copy.c -@@ -1,7 +1,7 @@ - /* - * ProFTPD: mod_copy -- a module supporting copying of files on the server - * without transferring the data to the client and back -- * Copyright (c) 2009-2016 TJ Saunders -+ * Copyright (c) 2009-2019 TJ Saunders - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by -@@ -657,7 +657,7 @@ MODRET copy_copy(cmd_rec *cmd) { - MODRET copy_cpfr(cmd_rec *cmd) { - register unsigned int i; - int res; -- char *path = ""; -+ char *cmd_name, *path = ""; - unsigned char *authenticated = NULL; - - if (copy_engine == FALSE) { -@@ -705,6 +705,21 @@ MODRET copy_cpfr(cmd_rec *cmd) { - path = pstrcat(cmd->tmp_pool, path, *path ? " " : "", decoded_path, NULL); - } - -+ cmd_name = cmd->argv[0]; -+ pr_cmd_set_name(cmd, "SITE_CPFR"); -+ if (!dir_check(cmd->tmp_pool, cmd, G_READ, path, NULL)) { -+ int xerrno = EPERM; -+ -+ pr_cmd_set_name(cmd, cmd_name); -+ pr_response_add_err(R_550, "%s: %s", (char *) cmd->argv[3], -+ strerror(xerrno)); -+ -+ pr_cmd_set_errno(cmd, xerrno); -+ errno = xerrno; -+ return PR_ERROR(cmd); -+ } -+ pr_cmd_set_name(cmd, cmd_name); -+ - res = pr_filter_allow_path(CURRENT_CONF, path); - switch (res) { - case 0: -@@ -758,6 +773,7 @@ MODRET copy_cpfr(cmd_rec *cmd) { - MODRET copy_cpto(cmd_rec *cmd) { - register unsigned int i; - const char *from, *to = ""; -+ char *cmd_name; - unsigned char *authenticated = NULL; - - if (copy_engine == FALSE) { -@@ -816,6 +832,20 @@ MODRET copy_cpto(cmd_rec *cmd) { - - to = dir_canonical_vpath(cmd->tmp_pool, to); - -+ cmd_name = cmd->argv[0]; -+ pr_cmd_set_name(cmd, "SITE_CPTO"); -+ if (!dir_check(cmd->tmp_pool, cmd, G_WRITE, to, NULL)) { -+ int xerrno = EPERM; -+ -+ pr_cmd_set_name(cmd, cmd_name); -+ pr_response_add_err(R_550, "%s: %s", to, strerror(xerrno)); -+ -+ pr_cmd_set_errno(cmd, xerrno); -+ errno = xerrno; -+ return PR_ERROR(cmd); -+ } -+ pr_cmd_set_name(cmd, cmd_name); -+ - if (copy_paths(cmd->tmp_pool, from, to) < 0) { - int xerrno = errno; - const char *err_code = R_550; -@@ -940,7 +970,7 @@ static conftable copy_conftab[] = { - - static cmdtable copy_cmdtab[] = { - { CMD, C_SITE, G_WRITE, copy_copy, FALSE, FALSE, CL_MISC }, -- { CMD, C_SITE, G_DIRS, copy_cpfr, FALSE, FALSE, CL_MISC }, -+ { CMD, C_SITE, G_READ, copy_cpfr, FALSE, FALSE, CL_MISC }, - { CMD, C_SITE, G_WRITE, copy_cpto, FALSE, FALSE, CL_MISC }, - { POST_CMD, C_PASS, G_NONE, copy_post_pass, FALSE, FALSE }, - { LOG_CMD, C_SITE, G_NONE, copy_log_site, FALSE, FALSE }, diff --git a/proftpd-1.3.6-add-enable-tests-nonetwork-option.patch b/proftpd-1.3.6-add-enable-tests-nonetwork-option.patch deleted file mode 100644 index b98eb42..0000000 --- a/proftpd-1.3.6-add-enable-tests-nonetwork-option.patch +++ /dev/null @@ -1,187 +0,0 @@ -From 49ef73f7193242eac07de27c2e853d9e805162ec Mon Sep 17 00:00:00 2001 -From: Paul Howarth -Date: Wed, 3 May 2017 11:57:23 +0100 -Subject: [PATCH] Add --enable-tests=nonetwork option - -This disables API tests that involve resolving/connecting to external -network services such as Google, which may not be possible in some -build environments. - -Tested using systemd-nspawn --private-network ---- - config.h.in | 3 +++ - configure.in | 5 ++++- - tests/api/inet.c | 6 ++++++ - tests/api/netaddr.c | 6 ++++++ - 4 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/config.h.in b/config.h.in -index a38734a..229c9db 100644 ---- a/config.h.in -+++ b/config.h.in -@@ -1068,6 +1068,9 @@ - /* Define if ncursesw support, if available, should be used. */ - #undef PR_USE_NCURSESW - -+/* Define if non-local network tests are enabled. */ -+#undef PR_USE_NETWORK_TESTS -+ - /* Define if using nonblocking open of log files. */ - #undef PR_USE_NONBLOCKING_LOG_OPEN - -diff --git a/configure.in b/configure.in -index 1e39c37..dba39ba 100644 ---- a/configure.in -+++ b/configure.in -@@ -985,7 +985,7 @@ AC_ARG_ENABLE(tests, - [--enable-tests], - [enable unit tests (default=no)]) - ], -- [ if test x"$enableval" = x"yes" ; then -+ [ if test x"$enableval" = x"yes" || test x"$enableval" = x"nonetwork" ; then - AC_CHECK_HEADERS(check.h) - - AC_CHECK_LIB(check, tcase_create, -@@ -997,6 +997,9 @@ AC_ARG_ENABLE(tests, - AC_MSG_ERROR([libcheck support, required for tests, not present -- aborting]) - ] - ) -+ if test x"$enableval" != x"nonetwork" ; then -+ AC_DEFINE(PR_USE_NETWORK_TESTS, 1, [Define if non-local network tests are enabled.]) -+ fi - fi - ]) - -diff -up a/configure b/configure ---- a/configure -+++ b/configure -@@ -20423,7 +20423,7 @@ fi - ENABLE_TESTS="\"\"" - # Check whether --enable-tests was given. - if test "${enable_tests+set}" = set; then -- enableval=$enable_tests; if test x"$enableval" = x"yes" ; then -+ enableval=$enable_tests; if test x"$enableval" = x"yes" || test x"$enableval" = x"nonetwork" ; then - - for ac_header in check.h - do -@@ -20648,6 +20648,13 @@ echo "$as_me: error: libcheck support, r - - fi - -+ if test x"$enableval" != x"nonetwork" ; then -+ -+cat >>confdefs.h <<\_ACEOF -+#define PR_USE_NETWORK_TESTS 1 -+_ACEOF -+ -+ fi - fi - - fi -diff --git a/tests/api/inet.c b/tests/api/inet.c -index 03c4781..c111629 100644 ---- a/tests/api/inet.c -+++ b/tests/api/inet.c -@@ -522,6 +522,7 @@ START_TEST (inet_connect_ipv4_test) { - fail_unless(errno == ECONNREFUSED, "Expected ECONNREFUSED (%d), got %s (%d)", - ECONNREFUSED, strerror(errno), errno); - -+#if defined(PR_USE_NETWORK_TESTS) - /* Try connecting to Google's DNS server. */ - - addr = pr_netaddr_get_addr(p, "8.8.8.8", NULL); -@@ -551,6 +552,7 @@ START_TEST (inet_connect_ipv4_test) { - fail_unless(errno == EISCONN, "Expected EISCONN (%d), got %s (%d)", - EISCONN, strerror(errno), errno); - pr_inet_close(p, conn); -+#endif - } - END_TEST - -@@ -579,6 +581,7 @@ START_TEST (inet_connect_ipv6_test) { - "Expected ECONNREFUSED (%d), ENETUNREACH (%d), or EADDRNOTAVAIL (%d), got %s (%d)", - ECONNREFUSED, ENETUNREACH, EADDRNOTAVAIL, strerror(errno), errno); - -+#if defined(PR_USE_NETWORK_TESTS) - /* Try connecting to Google's DNS server. */ - - addr = pr_netaddr_get_addr(p, "2001:4860:4860::8888", NULL); -@@ -614,6 +617,7 @@ START_TEST (inet_connect_ipv6_test) { - fail_unless(errno == EISCONN || errno == EHOSTUNREACH || errno == ENETUNREACH || errno == EADDRNOTAVAIL, - "Expected EISCONN (%d) or EHOSTUNREACH (%d) or ENETUNREACH (%d) or EADDRNOTAVAIL (%d), got %s (%d)", EISCONN, EHOSTUNREACH, ENETUNREACH, EADDRNOTAVAIL, strerror(errno), errno); - pr_inet_close(p, conn); -+#endif - - pr_inet_set_default_family(p, AF_INET); - -@@ -649,6 +653,7 @@ START_TEST (inet_connect_nowait_test) { - res = pr_inet_connect_nowait(p, conn, addr, 180); - fail_unless(res != -1, "Connected to 127.0.0.1#180 unexpectedly"); - -+#if defined(PR_USE_NETWORK_TESTS) - /* Try connecting to Google's DNS server. */ - - addr = pr_netaddr_get_addr(p, "8.8.8.8", NULL); -@@ -664,6 +669,7 @@ START_TEST (inet_connect_nowait_test) { - } - - pr_inet_close(p, conn); -+#endif - - /* Restore the default family to AF_INET, for other tests. */ - pr_inet_set_default_family(p, AF_INET); -diff --git a/tests/api/netaddr.c b/tests/api/netaddr.c -index 80d3327..124dc39 100644 ---- a/tests/api/netaddr.c -+++ b/tests/api/netaddr.c -@@ -146,6 +146,7 @@ START_TEST (netaddr_get_addr_test) { - fail_unless(res->na_family == AF_INET, "Expected family %d, got %d", - AF_INET, res->na_family); - -+#if defined(PR_USE_NETWORK_TESTS) - /* Google: the Dial Tone of the Internet. */ - name = "www.google.com"; - -@@ -161,6 +162,7 @@ START_TEST (netaddr_get_addr_test) { - strerror(errno)); - fail_unless(res->na_family == AF_INET, "Expected family %d, got %d", - AF_INET, res->na_family); -+#endif - - name = "127.0.0.1"; - -@@ -903,6 +905,7 @@ START_TEST (netaddr_get_dnsstr_list_test) { - - pr_netaddr_clear_cache(); - -+#if defined(PR_USE_NETWORK_TESTS) - addr = pr_netaddr_get_addr(p, "www.google.com", &addrs); - fail_unless(addr != NULL, "Failed to resolve 'www.google.com': %s", - strerror(errno)); -@@ -921,6 +924,7 @@ START_TEST (netaddr_get_dnsstr_list_test) { - /* Ideally we would check that res->nelts > 0, BUT this turns out to - * a fragile test condition, dependent on DNS vagaries. - */ -+#endif - - pr_netaddr_set_reverse_dns(reverse_dns); - } -@@ -1082,6 +1086,7 @@ START_TEST (netaddr_is_loopback_test) { - fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, - strerror(errno), errno); - -+#if defined(PR_USE_NETWORK_TESTS) - name = "www.google.com"; - addr = pr_netaddr_get_addr(p, name, NULL); - fail_unless(addr != NULL, "Failed to resolve '%s': %s", name, -@@ -1089,6 +1094,7 @@ START_TEST (netaddr_is_loopback_test) { - - res = pr_netaddr_is_loopback(addr); - fail_unless(res == FALSE, "Expected FALSE, got %d", res); -+#endif - - name = "127.0.0.1"; - addr = pr_netaddr_get_addr(p, name, NULL); --- -2.9.3 - diff --git a/proftpd-1.3.6-no-mod-wrap.patch b/proftpd-1.3.6-no-mod-wrap.patch index 85597fd..8560e3b 100644 --- a/proftpd-1.3.6-no-mod-wrap.patch +++ b/proftpd-1.3.6-no-mod-wrap.patch @@ -1,6 +1,6 @@ --- modules.conf +++ modules.conf -@@ -125,11 +125,6 @@ LoadModule mod_ctrls_admin.c +@@ -135,11 +135,6 @@ LoadModule mod_ctrls_admin.c # LoadModule mod_tls_memcache.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny diff --git a/proftpd.rpmlintrc b/proftpd.rpmlintrc index a37f5f6..336bc45 100644 --- a/proftpd.rpmlintrc +++ b/proftpd.rpmlintrc @@ -7,7 +7,7 @@ addFilter("spelling-error %description -l en_US systemd -> ") addFilter("spelling-error %description -l en_US virtualhost -> ") addFilter("spelling-error %description -l en_US xinetd -> ") -# Proftpd allows specification of ciphers; should change proftpd.conf to use system default +# Proftpd allows specification of ciphers; mod_tls.conf specifies system default addFilter("crypto-policy-non-compliance-openssl /usr/sbin/proftpd SSL_CTX_set_cipher_list") # All FTP daemons provide this @@ -19,6 +19,11 @@ addFilter("only-non-binary-in-usr-lib") # These modes are intentional addFilter("non-readable /etc/proftpd.conf 640") +addFilter("non-readable /etc/proftpd/anonftp.conf 640") +addFilter("non-readable /etc/proftpd/mod_ban.conf 640") +addFilter("non-readable /etc/proftpd/mod_qos.conf 640") +addFilter("non-readable /etc/proftpd/mod_tls.conf 640") +addFilter("non-readable /etc/proftpd/modules.conf 640") addFilter("non-standard-dir-perm /var/ftp/uploads 331") addFilter("non-standard-dir-perm /var/log/proftpd 750") @@ -42,14 +47,9 @@ addFilter("no-manual-page-for-binary prxs") # https://github.com/proftpd/proftpd/pull/493 # https://github.com/proftpd/proftpd/commit/75ed08ffe309b75b78dfcdeb4164d88ced4b0888 +# These should be fixed in 1.3.7 addFilter("incorrect-fsf-address /usr/src/debug/proftpd-.*/modules/mod_geoip.c") addFilter("incorrect-fsf-address /usr/include/proftpd/ident.h") addFilter("incorrect-fsf-address /usr/include/proftpd/utf8.h") addFilter("incorrect-fsf-address /usr/include/proftpd/lastlog.h") -# https://github.com/Castaglia/proftpd-mod_vroot/pull/14 -# https://github.com/Castaglia/proftpd-mod_vroot/commit/10d341c130f32c9b23e0acb0e3337a9fef7826ea -addFilter("incorrect-fsf-address /usr/src/debug/proftpd-.*/contrib/mod_vroot/mod_vroot.c") -addFilter("incorrect-fsf-address /usr/src/debug/proftpd-.*/contrib/mod_vroot/fsio.c") -addFilter("incorrect-fsf-address /usr/src/debug/proftpd-.*/contrib/mod_vroot/path.c") -addFilter("incorrect-fsf-address /usr/src/debug/proftpd-.*/contrib/mod_vroot/alias.c") diff --git a/proftpd.spec b/proftpd.spec index 12f93cd..843889e 100644 --- a/proftpd.spec +++ b/proftpd.spec @@ -66,12 +66,12 @@ %undefine _strict_symbol_defs_build #global prever rc3 -%global rpmrel 23 +%global rpmrel 1 %global mod_vroot_version 0.9.5 Summary: Flexible, stable and highly-configurable FTP server Name: proftpd -Version: 1.3.6 +Version: 1.3.6a Release: %{?prever:0.}%{rpmrel}%{?prever:.%{prever}}%{?dist} License: GPLv2+ URL: http://www.proftpd.org/ @@ -93,25 +93,7 @@ Patch3: proftpd-1.3.4rc1-mod_vroot-test.patch Patch4: proftpd-1.3.6-no-mod-wrap.patch Patch5: proftpd-1.3.6-no-mod-geoip.patch -Patch100: https://github.com/proftpd/proftpd/commit/459693c7.patch -Patch101: https://github.com/proftpd/proftpd/commit/389cc579.patch -Patch102: https://github.com/proftpd/proftpd/commit/1825a2b8.patch -Patch103: https://github.com/proftpd/proftpd/commit/73887e02.patch -Patch104: https://github.com/proftpd/proftpd/commit/8a186e2d.patch -Patch105: https://github.com/proftpd/proftpd/commit/c3e5d75f.patch -Patch106: proftpd-1.3.6-add-enable-tests-nonetwork-option.patch -Patch107: https://github.com/proftpd/proftpd/commit/adfdc01d.patch -Patch108: https://github.com/proftpd/proftpd/commit/6cc96b5f.patch -Patch109: https://github.com/proftpd/proftpd/commit/aa85f127.patch -Patch110: https://github.com/proftpd/proftpd/commit/7907aa65.patch -Patch111: https://github.com/proftpd/proftpd/commit/08ba2f63.patch -Patch112: https://github.com/proftpd/proftpd/commit/757b9633.patch -Patch113: https://github.com/proftpd/proftpd/commit/41ecb7dc.patch -Patch114: https://github.com/proftpd/proftpd/commit/ad786eaa.patch -Patch115: https://github.com/proftpd/proftpd/commit/a2c02a6b.patch Patch116: proftpd-1.3.6-ENOATTR.patch -Patch117: https://github.com/proftpd/proftpd/commit/fa378a8f.patch -Patch118: proftpd-1.3.6-CVE-2019-12815.patch BuildRequires: coreutils BuildRequires: gcc @@ -316,85 +298,14 @@ mv contrib/README contrib/README.contrib %patch5 -b .nogeoip %endif -# Check for symlinks in home directory path as logging-in user -# http://bugs.proftpd.org/show_bug.cgi?id=4306 -# https://bugzilla.redhat.com/show_bug.cgi?id=1443507 -# https://github.com/proftpd/proftpd/pull/496 -%patch100 -p1 - -# Fix API tests to work in Fedora/RHEL environments -# https://github.com/proftpd/proftpd/issues/483 -# https://github.com/proftpd/proftpd/pull/510 -# https://github.com/proftpd/proftpd/pull/514 -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 -%patch104 -p1 - -# Fix similars functionality and unit test -# https://github.com/proftpd/proftpd/pull/513 -%patch105 -p1 - -# Add functionality to disable external network tests -# https://github.com/proftpd/proftpd/pull/497 -%patch106 -p1 - -# Systemd requires that executeable pathnames are absolute -# https://github.com/proftpd/proftpd/pull/502 -%patch107 -p1 - -# Systemd upstream recommends Type = simple for services if possible -# https://github.com/proftpd/proftpd/pull/506 -%patch108 -p1 - -# Don't mess with system profiles in TLSCipherSuite -# https://github.com/proftpd/proftpd/pull/499 -%patch109 -p1 -%patch110 -p1 - -# Remove redundant bind() to controls socket -# https://github.com/proftpd/proftpd/issues/501 -%patch111 -p1 - -# mod_sftp failed to check shadow password information when publickey -# authentication used -# http://bugs.proftpd.org/show_bug.cgi?id=4308 -%patch112 -p1 - -# Use of "AllowEmptyPasswords off" broke SFTP/SCP logins -# http://bugs.proftpd.org/show_bug.cgi?id=4309 -%patch113 -p1 - -# With systemd, wait for network-online.target before starting -# https://bugzilla.redhat.com/show_bug.cgi?id=1506805 -# https://github.com/proftpd/proftpd/pull/617 -%patch114 -p1 - -# Update mod_sftp to handle changed APIs in OpenSSL 1.1.x releases -# https://github.com/proftpd/proftpd/issues/674 -# https://github.com/proftpd/proftpd/pull/710 -%patch115 -p1 - # Don't assume ENOATTR is defined in test suite +# TODO: upstream this patch, ENOATTR is no longer defined on Linux (was alias for ENODATA) %patch116 -p1 -# Fix infinite loop possible in mod_sftp's set_sftphostkey() function, by -# actually iterating properly for the next configuration record -# http://bugs.proftpd.org/show_bug.cgi?id=4356 -# https://github.com/proftpd/proftpd/pull/736 -%patch117 -p1 - -# An arbitrary file copy vulnerability in mod_copy in ProFTPD allows for -# remote code execution and information disclosure without authentication -# (CVE-2019-12815) -# http://bugs.proftpd.org/show_bug.cgi?id=4372 -# https://github.com/proftpd/proftpd/pull/816 -%patch118 -p1 - # OpenSSL Cipher Profiles introduced in Fedora 21 # Elsewhere, we use the default of DEFAULT:!ADH:!EXPORT:!DES %if (0%{?rhel} && 0%{?rhel} <= 7) || (0%{?fedora} && 0%{?fedora} <= 20) -sed -i -e '/^[[:space:]]*TLSCipherSuite[[:space:]]*PROFILE=SYSTEM$/d' proftpd.conf +sed -i -e '/^[[:space:]]*TLSCipherSuite[[:space:]]*PROFILE=SYSTEM$/d' mod_tls.conf %endif # Tweak logrotate script for systemd compatibility (#802178) @@ -677,6 +588,75 @@ fi %{_mandir}/man1/ftpwho.1* %changelog +* Sun Oct 13 2019 Paul Howarth - 1.3.6a-1 +- Update to 1.3.6a + - Configure script wrongly detected AIX lastlog functions + (http://bugs.proftpd.org/show_bug.cgi?id=4304) + - AllowChrootSymlinks off could cause login failures depending on filesystem + permissions (http://bugs.proftpd.org/show_bug.cgi?id=4306) + - mod_ctrls: error: unable to bind to local socket: Address already in use + (https://github.com/proftpd/proftpd/issues/501) + - Failed to handle multiple %%{env:...} variables in single word in + configuration (https://github.com/proftpd/proftpd/issues/507) + - mod_sftp failed to check shadow password information when publickey + authentication used (http://bugs.proftpd.org/show_bug.cgi?id=4308) + - Use of "AllowEmptyPasswords off" broke SFTP/SCP logins + (http://bugs.proftpd.org/show_bug.cgi?id=4309) + - Use of mod_facl as static module caused ProFTPD to die on SIGHUP/restart + (http://bugs.proftpd.org/show_bug.cgi?id=4310) + - Use of curve25519-sha256@libssh.org SSH2 key exchange sometimes failed + (https://github.com/proftpd/proftpd/issues/556) + - Close extra file descriptors at startup + (http://bugs.proftpd.org/show_bug.cgi?id=4312) + - with AuthAliasOnly in effect did not work as expected + (http://bugs.proftpd.org/show_bug.cgi?id=4314) + - CreateHome NoRootPrivs only worked partially + (https://github.com/proftpd/proftpd/issues/568) + - SFTP OPEN response included attribute flags that are not actually provided + (https://github.com/proftpd/proftpd/issues/578) + - Truncation of file while being downloaded with sendfile enabled caused + timeouts due to infinite loop (http://bugs.proftpd.org/show_bug.cgi?id=4318) + - FTP uploads frequently broke due to "Interrupted system call" error + (http://bugs.proftpd.org/show_bug.cgi?id=4319) + - Site-to-site transfers over TLS failed + (https://github.com/proftpd/proftpd/issues/618) + - Can't see symlinks using any FTP client when using MLSD + (http://bugs.proftpd.org/show_bug.cgi?id=4322) + - mod_tls 1.3.6 failed to compile using OpenSSL 0.9.8e + (http://bugs.proftpd.org/show_bug.cgi?id=4325) + - Using MaxClientsPerHost 1 in section denied logins + (http://bugs.proftpd.org/show_bug.cgi?id=4326) + - SQLNamedConnectInfo with different backend database did not work properly + (https://github.com/proftpd/proftpd/issues/642) + - Segfault with mod_sftp+mod_sftp_pam after successful authentication using + keyboard-interactive method (https://github.com/proftpd/proftpd/issues/656) + - autoconf always failed to detect support for FIPS + (https://github.com/proftpd/proftpd/issues/660) + - SFTP connections failed when using "arcfour256" cipher + (https://github.com/proftpd/proftpd/issues/663) + - mod_auth_otp failed to build with OpenSSL 1.1.x + (http://bugs.proftpd.org/show_bug.cgi?id=4335) + - scp broken on FreeBSD 11 (http://bugs.proftpd.org/show_bug.cgi?id=4341) + - Update mod_sftp to handle changed APIs in OpenSSL 1.1.x releases + (https://github.com/proftpd/proftpd/issues/674) + - Infinite loop possible in mod_sftp's set_sftphostkey() function + (http://bugs.proftpd.org/show_bug.cgi?id=4356) + - Some ASCII text files corrupted when downloading + (http://bugs.proftpd.org/show_bug.cgi?id=4352) + - Properly use the --includedir, --libdir configure variables in the + generated proftpd.pc pkgconfig file + (https://github.com/proftpd/proftpd/issues/797) + - Reading invalid SSH key from database resulted in unexpected/unlogged + disconnect failures (http://bugs.proftpd.org/show_bug.cgi?id=4350) + - Symlink navigation broken after 1.3.6 update + (http://bugs.proftpd.org/show_bug.cgi?id=4332) + - Unable to connect to ProFTPD using TLSSessionTickets and TLSv1.3 + (https://github.com/proftpd/proftpd/issues/795) + - SITE CPFR/CPTO did not honor configurations + (http://bugs.proftpd.org/show_bug.cgi?id=4372) + - Using "TLSProtocol SSLv23" did not enable all protocol versions + (https://github.com/proftpd/proftpd/issues/807) + * Sun Sep 15 2019 Paul Howarth - 1.3.6-23 - Refactor configuration to support /etc/proftpd/conf.d configuration and use config snippets (#1589441) diff --git a/sources b/sources index be88fa8..579319a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (proftpd-1.3.6.tar.gz) = 2a3ca76a0c35ba31e9d79f7f652f4f35768262f5039c5dc04ef83ac9218f624645ac6cee445af4ec6a8c59a9bdad1e7b48e0e90cd13934cbe7c3e77a2f6013c0 +SHA512 (proftpd-1.3.6a.tar.gz) = 0db9cfbe635bbb1915c81a0c50ed158fae89b11cfd09b29119a08af4827d21b57b51c20a0959af09f0cc90ef0334667134ce737e42739c722c1bf80d7cb2f814 SHA512 (v0.9.5.tar.gz) = 10e4de29d84c2f2f5e88502fcd62768e2b0797b05a95fc22b59605e3c7377bfe3609c99e2f6fc2a17f9c3a267ff815c651ae39be8b6cb133565a4590f767353d