From f407e7072b02f4d76e5d83d83d2f030d5c57fb45 Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Nov 16 2009 20:05:30 +0000
Subject: Update F-10, F-11, EL-4, EL-5 to 1.3.2b (fixes improper SSL/TLS certificate subjectAltName verification - CVE-2009-3639)
---
diff --git a/.cvsignore b/.cvsignore
index fa5aabf..0ef3122 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1,3 @@
-proftpd-1.3.2a.tar.bz2
+proftpd-1.3.2b.tar.bz2
 proftpd-mod-vroot-0.8.5.tar.gz
 proftpd-mod-exec-0.9.6.tar.gz
diff --git a/proftpd-1.3.2a-defines.patch b/proftpd-1.3.2a-defines.patch
deleted file mode 100644
index a293e05..0000000
--- a/proftpd-1.3.2a-defines.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-http://bugs.proftpd.org/show_bug.cgi?id=3221
- --- proftpd-1.3.2a/src/dirtree.c 2009-04-28 23:33:57.000000000 +0100
-+++ proftpd-1.3.2a/src/dirtree.c 2009-07-06 12:06:51.000000000 +0100
-@@ -575,6 +575,17 @@
- }
- }
-+ if (defines_perm_list) {
-+ char **defines = defines_perm_list->elts;
-+ register unsigned int i = 0;
-+
-+ for (i = 0; i < defines_perm_list->nelts; i++) {
-+ if (defines[i] &&
-+ strcmp(defines[i], definition) == 0)
-+ return TRUE;
-+ }
-+ }
-+
- errno = ENOENT;
- return FALSE;
- }
diff --git a/proftpd.pam b/proftpd.pam
index 16013d1..c0c05db 100644
--- a/proftpd.pam
+++ b/proftpd.pam
@@ -1,8 +1,8 @@
 #%PAM-1.0
-session optional pam_keyinit.so force revoke
-auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
-auth required pam_shells.so
-auth include system-auth
-account include system-auth
-session include system-auth
+session optional pam_keyinit.so force revoke
+auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth required pam_shells.so
+auth include password-auth
+account include password-auth
 session required pam_loginuid.so
+session include password-auth
diff --git a/proftpd.spec b/proftpd.spec
index 849049c..1aa31b6 100644
--- a/proftpd.spec
+++ b/proftpd.spec
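Review bot: `onerr=succeed` on the new pam_listfile line makes the /etc/ftpusers deny list fail open: if the file is missing or unreadable the module returns success and the auth stack continues into password-auth, so an account that was meant to be blocked can still log in. The line is carried over unchanged from the old file, so this is pre-existing rather than introduced by the commit; `onerr=fail` is the fail-closed setting, at the cost of refusing every FTP login while the file is absent, which is a deliberate trade-off worth recording in the file either way. A comment such as `# onerr=succeed: a missing /etc/ftpusers disables the deny list instead of blocking all logins` above that line would make the choice visible to the next editor.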
@@ -7,11 +7,11 @@
 %endif
 #global prever rc3
-%global rpmrel 5
+%global rpmrel 1
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
-Version: 1.3.2a
+Version: 1.3.2b
 Release: %{?prever:0.}%{rpmrel}%{?prever:.%{prever}}%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
@@ -29,7 +29,6 @@ Source9: proftpd.sysconfig
 Source10: http://www.castaglia.org/proftpd/modules/proftpd-mod-vroot-0.8.5.tar.gz
 Source11: http://www.castaglia.org/proftpd/modules/proftpd-mod-exec-0.9.6.tar.gz
 Patch0: proftpd-1.3.2rc3-nostrip.patch
-Patch1: proftpd-1.3.2a-defines.patch
 Patch2: proftpd-1.3.2-parallel-build.patch
 Patch3: proftpd-1.3.2a-mlsd.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -93,9 +92,6 @@ Module to add PostgreSQL support to the ProFTPD FTP server.
 # Don't strip binaries - needed for useful debuginfo
 %patch0 -p1 -b .nostrip
-# Reinstate command-line defines (http://bugs.proftpd.org/3221)
-%patch1 -p1 -b .defines
-
 # Fix parallel build (http://bugs.proftpd.org/3189)
 %patch2 -p1 -b .parallel
@@ -118,15 +114,20 @@ Module to add PostgreSQL support to the ProFTPD FTP server.
 %{__cp} -p %{SOURCE8} proftpd-quota.schema
 # PAM Configuration:
+# Default PAM configuration file uses password-auth common config;
+# revert to system-auth if password-auth is not available
+%{__cp} -p %{SOURCE6} .
+if [ ! -f /etc/pam.d/password-auth ]; then
+ %{__sed} -i -e s/password-auth/system-auth/ proftpd.pam
+fi
 # The "include" syntax used in our PAM configuration file was introduced in
 # PAM 0.78 and is therefore supported in FC-5 and EL-5 onwards; older
 # distributions such as EL-4 (PAM 0.77) need to fall back to using the
 # now-deprecated pam_stack module. Since the pam-devel package doesn't
-# include a pkgconfig file from whice we could check the version number, we
+# include a pkgconfig file from which we could check the version number, we
 # instead check for the absence of the file /etc/pam.d/config-util, which is
 # present in all PAM packages from 0.80 onwards and acts as a useful
 # indicator of the need to fall back to pam_stack.
-%{__cp} -p %{SOURCE6} .
 [ ! -f /etc/pam.d/config-util ] && %{__sed} -i -e \
 's/include[[:space:]]*system-auth/required'\ \ \ \ \ 'pam_stack.so service=system-auth/' \
 proftpd.pam
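Review bot: The new `if [ ! -f /etc/pam.d/password-auth ]` test decides the shipped proftpd.pam from the build host's filesystem rather than the target release, so the include target in the packaged PAM file depends on what the buildroot happened to contain; this mirrors the existing config-util probe a few lines below, but if the package is installed on a system without the chosen include file the PAM stack for the ftp service will presumably fail to parse and logins will fail. A dist-macro conditional (`%if 0%{?fedora} ...` / `%{?rhel}`) would make the result deterministic and reproducible, though that is a larger change to the file's current approach. There is also an ordering dependency the code does not state: the new password-auth to system-auth rewrite must run before the pam_stack sed further down, because that one only matches `include[[:space:]]*system-auth`; a comment like `# must stay above the pam_stack fallback below, which matches on system-auth` on the new sed line would record it. The %prep section continues outside the hunk.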
@@ -290,13 +291,29 @@ fi
 %changelog
+* Wed Oct 21 2009 Paul Howarth 1.3.2b-1
+- Update to 1.3.2b - Fixed regression causing command-line define options not to work (bug 3221) - Fixed SSL/TLS cert subjectAltName verification (bug 3275, CVE-2009-3639) - Use correct cached user values with "SQLNegativeCache on" (bug 3282) - Fix slower transfers of multiple small files (bug 3284) - Support MaxTransfersPerHost, MaxTransfersPerUser properly (bug 3287) - Handle symlinks to directories with trailing slashes properly (bug 3297)
+- Drop upstreamed defines patch (bug 3221)
+
+* Thu Sep 17 2009 Paul Howarth 1.3.2a-7
+- Restore backward SRPM compatibility broken by previous change
+
+* Wed Sep 16 2009 Tomas Mraz 1.3.2a-6
+- Use password-auth common PAM configuration instead of system-auth
+
 * Mon Sep 7 2009 Paul Howarth 1.3.2a-5
 - Add upstream patch for MLSD with dirnames containing glob chars (#521634)
 * Wed Sep 2 2009 Paul Howarth 1.3.2a-4
 - New DSO module: mod_exec (#520214)
-* Fri Aug 21 2009 Tomas Mraz - 1.3.2a-3.1
+* Fri Aug 21 2009 Tomas Mraz 1.3.2a-3.1
 - Rebuilt with new openssl
 * Wed Aug 19 2009 Paul Howarth 1.3.2a-3
@@ -351,7 +368,7 @@ fi
 bundled one, and eliminate log messages like: kernel: warning: `proftpd' uses 32-bit capabilities (legacy support in use)
-* Sun Jul 26 2009 Fedora Release Engineering - 1.3.2-3.1
+* Sun Jul 26 2009 Fedora Release Engineering 1.3.2-3.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
 * Thu Apr 9 2009 Matthias Saou 1.3.2-2.1
diff --git a/sources b/sources
index 4da0c37..1b98cee 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-ad3cbb5db30c5ae39e09b308892392b3 proftpd-1.3.2a.tar.bz2
+0d6777839f37115654ce384841f68131 proftpd-1.3.2b.tar.bz2
 139fc328c43a9afbe290ec787713096b proftpd-mod-vroot-0.8.5.tar.gz
 dfcaf605f116c29d7b4771a9b02f509b proftpd-mod-exec-0.9.6.tar.gz