[Git][debian-proftpd-team/proftpd][master] 3 commits: New upstream version 1.3.6b
Hilmar Preuße
gitlab at salsa.debian.org
Mon Nov 4 21:06:54 GMT 2019
Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd
Commits:
0b87a5b3 by Hilmar Preuße at 2019-11-04T21:03:16Z
New upstream version 1.3.6b
- - - - -
10490f8a by Hilmar Preuße at 2019-11-04T21:03:16Z
Update upstream source from tag 'upstream/1.3.6b'
Update to upstream version '1.3.6b'
with Debian dir fbddbe215ab9097208ae4c620e265b3ac22ae290
- - - - -
73f5d48f by Hilmar Preuße at 2019-11-04T21:06:30Z
Debian adaption for 1.3.6b.
- - - - -
12 changed files:
- NEWS
- RELEASE_NOTES
- contrib/dist/rpm/proftpd.spec
- contrib/mod_sql_mysql.c
- debian/changelog
- debian/control
- debian/patches/mod_sql_mysql.c
- debian/patches/series
- debian/proftpd-substvars
- include/version.h
- src/main.c
- src/netio.c
Changes:
=====================================
NEWS
=====================================
@@ -15,6 +15,10 @@
where `N' is the issue number.
-----------------------------------------------------------------------------
+1.3.6b - Released 19-Oct-2019
+--------------------------------
+- Issue 846 - Remote denial-of-service due to issue in network IO handling.
+
1.3.6a - Released 12-Oct-2019
--------------------------------
- Bug 4304 - Configure script wrongly detects AIX lastlog functions.
=====================================
RELEASE_NOTES
=====================================
@@ -6,6 +6,11 @@ This file contains a description of the major changes to ProFTPD for the
releases. More information on these changes can be found in the NEWS and
ChangeLog files.
+1.3.6b
+---------
+ + Fixed pre-authentication remote denial-of-service issue (Issue #846).
+ + Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).
+
1.3.6a
---------
+ Fixed symlink navigation (Bug#4332).
=====================================
contrib/dist/rpm/proftpd.spec
=====================================
@@ -60,7 +60,7 @@
# release_version should be incremented for each maint release, and reset back
# to 1 BEFORE starting new release cycle.
-%global release_version 2
+%global release_version 3
%if %(echo %{proftpd_version} | grep rc >/dev/null 2>&1 && echo 1 || echo 0)
%global rpm_version %(echo %{proftpd_version} | sed -e 's/rc.*//')
=====================================
contrib/mod_sql_mysql.c
=====================================
@@ -132,6 +132,7 @@
#include "../contrib/mod_sql.h"
#include <mysql.h>
+#include <stdbool.h>
/* The my_make_scrambled_password{,_323} functions are not part of the public
* MySQL API and are not declared in any of the MySQL header files. But the
@@ -496,7 +497,11 @@ MODRET cmd_open(cmd_rec *cmd) {
* http://dev.mysql.com/doc/refman/5.0/en/auto-reconnect.html
*/
if (!(pr_sql_opts & SQL_OPT_NO_RECONNECT)) {
+#if MYSQL_VERSION_ID >= 80000
+ bool reconnect = true;
+#else
my_bool reconnect = TRUE;
+#endif
mysql_options(conn->mysql, MYSQL_OPT_RECONNECT, &reconnect);
}
#endif
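Review bot: The new `#if MYSQL_VERSION_ID >= 80000` branch gives no reason why the type of `reconnect` depends on the client-library version, and the `#include <stdbool.h>` added after `#include <mysql.h>` in the earlier hunk is equally unexplained. A one-line comment above the `#if` would spare the next reader a trip to the MySQL release notes: `/* MySQL 8.0 dropped the my_bool typedef; MYSQL_OPT_RECONNECT now takes a C99 bool (Issue #824). */`. The `mysql_options()` return value on the line after the `#endif` is still ignored, which predates this change. The enclosing `cmd_open` body starts before and continues after the hunk.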
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.6b-1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+ Obsoletes patch issue_846_CVE-2019-18217.diff.
+
+ -- Hilmar Preusse <hille42 at web.de> Mon, 04 Nov 2019 21:51:09 +0100
+
proftpd-dfsg (1.3.6a-2) unstable; urgency=high
* Add patch for upstream bug #846 (CVE-2019-18217).
=====================================
debian/control
=====================================
@@ -42,7 +42,7 @@ Depends: adduser,
Conflicts: ftp-server
Breaks: proftpd (<< 1.3.2)
Replaces: proftpd (<< 1.3.2)
-Provides: ftp-server, proftpd, proftpd-abi-1.3.6a
+Provides: ftp-server, proftpd, proftpd-abi-1.3.6b
Suggests: openbsd-inetd | inet-superserver,
openssl,
proftpd-mod-ldap,
=====================================
debian/patches/mod_sql_mysql.c
=====================================
@@ -1,17 +1,11 @@
-Description: Use mysql/mysql.h instead of mysql.h
-Author: Francesco Paolo Lovergine <frankie at debian.org>
-Forwarded: not needed
-
-Index: proftpd-dfsg/contrib/mod_sql_mysql.c
-===================================================================
---- proftpd-dfsg.orig/contrib/mod_sql_mysql.c 2018-01-14 23:18:00.000000000 +0100
-+++ proftpd-dfsg/contrib/mod_sql_mysql.c 2018-01-14 23:18:00.000000000 +0100
+--- proftpd-dfsg-1.3.6b.orig/contrib/mod_sql_mysql.c
++++ proftpd-dfsg-1.3.6b/contrib/mod_sql_mysql.c
@@ -131,7 +131,7 @@
#include "conf.h"
#include "../contrib/mod_sql.h"
-#include <mysql.h>
+#include <mysql/mysql.h>
+ #include <stdbool.h>
/* The my_make_scrambled_password{,_323} functions are not part of the public
- * MySQL API and are not declared in any of the MySQL header files. But the
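Review bot: The regenerated patch drops the DEP-3 header (`Description:`, `Author:`, `Forwarded: not needed`) that the previous version carried, so the patch no longer records why Debian replaces upstream's `#include <mysql.h>` with `#include <mysql/mysql.h>` or that it is deliberately not forwarded; restoring those three lines above the new `---` line keeps the patch self-describing. The trailing ` * MySQL API …` context line is also removed while the `@@ -131,7 +131,7 @@` header is kept unchanged; blank lines may simply have been elided in this mail, but if the hunk really lost a line the counts no longer match and quilt will refuse it, so it is worth confirming the patch still applies cleanly before upload.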
=====================================
debian/patches/series
=====================================
@@ -19,4 +19,4 @@ wrong-path-for-interpreter_perl.diff
# github_pr_594
# upstream_pull_567
# upstream_4372_CVE-2019-12815.diff
-issue_846_CVE-2019-18217.diff
+# issue_846_CVE-2019-18217.diff
=====================================
debian/proftpd-substvars
=====================================
@@ -1 +1 @@
-proftpd:Depends=proftpd-abi-1.3.6a
+proftpd:Depends=proftpd-abi-1.3.6b
=====================================
include/version.h
=====================================
@@ -1,8 +1,8 @@
#include "buildstamp.h"
/* Application version (in various forms) */
-#define PROFTPD_VERSION_NUMBER 0x0001030606
-#define PROFTPD_VERSION_TEXT "1.3.6a"
+#define PROFTPD_VERSION_NUMBER 0x0001030607
+#define PROFTPD_VERSION_TEXT "1.3.6b"
/* Module API version */
#define PR_MODULE_API_VERSION 0x20
=====================================
src/main.c
=====================================
@@ -462,6 +462,7 @@ int pr_cmd_read(cmd_rec **res) {
static long cmd_bufsz = -1;
static char *cmd_buf = NULL;
int cmd_buflen;
+ unsigned int too_large_count = 0;
char *ptr;
if (res == NULL) {
@@ -487,8 +488,15 @@ int pr_cmd_read(cmd_rec **res) {
if (cmd_buflen < 0) {
if (errno == E2BIG) {
/* The client sent a too-long command which was ignored; give
- * them another chance?
+ * them a few more chances, with minor delays?
*/
+ too_large_count++;
+ pr_timer_usleep(250 * 1000);
+
+ if (too_large_count > 3) {
+ return -1;
+ }
+
continue;
}
=====================================
src/netio.c
=====================================
@@ -1,6 +1,6 @@
/*
* ProFTPD - FTP server daemon
- * Copyright (c) 2001-2016 The ProFTPD Project team
+ * Copyright (c) 2001-2019 The ProFTPD Project team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -1446,6 +1446,7 @@ int pr_netio_read(pr_netio_stream_t *nstrm, char *buf, size_t buflen,
}
nstrm->strm_errno = 0;
+ errno = EOF;
break;
}
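Review bot: `errno = EOF;` stores a value that is not an errno code (EOF is conventionally -1, errno values are positive), so anything downstream that feeds it to `strerror()` will report an unknown error, and the purpose of the assignment, distinct from the `nstrm->strm_errno = 0` on the line above, is not visible from the hunk. If callers of `pr_netio_read()` compare `errno == EOF` (they are not shown here), a comment on the line should say so: `/* Not a real errno: tells callers the stream reached EOF rather than failed. */`. It is also worth confirming that no library call between this `break` and the caller clobbers errno. The enclosing `pr_netio_read` body starts before and continues after the hunk.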