OpenSSL API Changes
rhargrave
roman at hargrave.info
Thu Oct 25 16:51:37 BST 2018
While working on a project for a client, I encountered an issue with mod_sftp that appears to have been fixed some five months ago upstream.
Upstream has not marked a new release yet; however, this bug is pretty serious and I was hoping that there was some possibility of getting it backported.
Specifically, the issue is that some portions of proftpd, mod_sftp in particular, call some functions with incorrect signatures. This effectively breaks DSA and ECDSA key handling, as ECDSA_SIG_get0() and DSA_SIG_get0() are called improperly, which rather quickly leads to the calling thread segfaulting when it tries to pass values it expects to be non-null to BN_num_bytes().
This has an upstream issue, issue #674 (https://github.com/proftpd/proftpd/issues/674) and was fixed in upstream commit e2f77c0 (https://github.com/proftpd/proftpd/commit/e2f77c00e217eeb94459e104322b9a7d02c257e0).