Bug#911875: proftpd-basic (mod_sftp) is missing important upstream fixes for an OpenSSL API change

rhargrave roman at hargrave.info
Thu Oct 25 17:25:04 BST 2018




Package: proftpd-basic
Version: 1.3.6-2+b1

The distribution of proftpd mod_sftp presently in Buster/Sid is critically flawed. Clients that use DSA and ECDSA keys may have issues connecting.
This was caused by an OpenSSL API change (upstream states OpenSSL 1.1.x is affected).

Specifically, the position of the signature struct pointer passed to DSA_SIG_get0() and ECDSA_SIG_get0() had been altered in OpenSSL (moved from position #2 to position #0), causing key exchanges and other signing-based processes to break in mod_sftp.

The fix should be as straightforward as cherry-picking the upstream commit. I will be testing this patch with the Debian source code shortly.
