[Git][debian-proftpd-team/proftpd][master] 3 commits: New upstream version 1.3.6b

Hilmar Preuße gitlab at salsa.debian.org
Mon Nov 4 21:06:54 GMT 2019



Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd


Commits:
0b87a5b3 by Hilmar Preuße at 2019-11-04T21:03:16Z
New upstream version 1.3.6b
- - - - -
10490f8a by Hilmar Preuße at 2019-11-04T21:03:16Z
Update upstream source from tag 'upstream/1.3.6b'

Update to upstream version '1.3.6b'
with Debian dir fbddbe215ab9097208ae4c620e265b3ac22ae290
- - - - -
73f5d48f by Hilmar Preuße at 2019-11-04T21:06:30Z
Debian adaptation for 1.3.6b.

- - - - -


12 changed files:

- NEWS
- RELEASE_NOTES
- contrib/dist/rpm/proftpd.spec
- contrib/mod_sql_mysql.c
- debian/changelog
- debian/control
- debian/patches/mod_sql_mysql.c
- debian/patches/series
- debian/proftpd-substvars
- include/version.h
- src/main.c
- src/netio.c


Changes:

=====================================
NEWS
=====================================
@@ -15,6 +15,10 @@
   where `N' is the issue number.
 -----------------------------------------------------------------------------
 
+1.3.6b - Released 19-Oct-2019
+--------------------------------
+- Issue 846 - Remote denial-of-service due to issue in network IO handling.
+
 1.3.6a - Released 12-Oct-2019
 --------------------------------
 - Bug 4304 - Configure script wrongly detects AIX lastlog functions.


=====================================
RELEASE_NOTES
=====================================
@@ -6,6 +6,11 @@ This file contains a description of the major changes to ProFTPD for the
 releases.  More information on these changes can be found in the NEWS and
 ChangeLog files.
 
+1.3.6b
+---------
+  + Fixed pre-authentication remote denial-of-service issue (Issue #846).
+  + Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).
+
 1.3.6a
 ---------
   + Fixed symlink navigation (Bug#4332).


=====================================
contrib/dist/rpm/proftpd.spec
=====================================
@@ -60,7 +60,7 @@
 
 # release_version should be incremented for each maint release, and reset back
 # to 1 BEFORE starting new release cycle.
-%global release_version			2
+%global release_version			3
 
 %if %(echo %{proftpd_version} | grep rc >/dev/null 2>&1 && echo 1 || echo 0)
 %global rpm_version %(echo %{proftpd_version} | sed -e 's/rc.*//')


=====================================
contrib/mod_sql_mysql.c
=====================================
@@ -132,6 +132,7 @@
 #include "../contrib/mod_sql.h"
 
 #include <mysql.h>
+#include <stdbool.h>
 
 /* The my_make_scrambled_password{,_323} functions are not part of the public
  * MySQL API and are not declared in any of the MySQL header files. But the
@@ -496,7 +497,11 @@ MODRET cmd_open(cmd_rec *cmd) {
    *  http://dev.mysql.com/doc/refman/5.0/en/auto-reconnect.html
    */
   if (!(pr_sql_opts & SQL_OPT_NO_RECONNECT)) {
+#if MYSQL_VERSION_ID >= 80000
+    bool reconnect = true;
+#else
     my_bool reconnect = TRUE;
+#endif
     mysql_options(conn->mysql, MYSQL_OPT_RECONNECT, &reconnect);
   }
 #endif
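Review bot: The version guard around the reconnect flag in cmd_open carries no comment saying why the declaration is duplicated, so a reader has to already know that MySQL 8 dropped the `my_bool` typedef from its client headers. Suggest `/* MySQL 8 removed my_bool; MYSQL_OPT_RECONNECT takes a bool there. */` directly above `#if MYSQL_VERSION_ID >= 80000`. If the package can also be built against MariaDB headers, it is worth confirming which branch their MYSQL_VERSION_ID value selects and that the chosen type matches the size mysql_options reads through the pointer. cmd_open itself begins and ends outside this hunk.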


=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.6b-1) UNRELEASED; urgency=medium
+
+  * New upstream release.
+    Obsoletes patch issue_846_CVE-2019-18217.diff.
+
+ -- Hilmar Preusse <hille42 at web.de>  Mon, 04 Nov 2019 21:51:09 +0100
+
 proftpd-dfsg (1.3.6a-2) unstable; urgency=high
 
   * Add patch for upstream bug #846 (CVE-2019-18217).


=====================================
debian/control
=====================================
@@ -42,7 +42,7 @@ Depends: adduser,
 Conflicts: ftp-server
 Breaks: proftpd (<< 1.3.2)
 Replaces: proftpd (<< 1.3.2)
-Provides: ftp-server, proftpd, proftpd-abi-1.3.6a
+Provides: ftp-server, proftpd, proftpd-abi-1.3.6b
 Suggests: openbsd-inetd | inet-superserver,
           openssl,
           proftpd-mod-ldap,


=====================================
debian/patches/mod_sql_mysql.c
=====================================
@@ -1,17 +1,11 @@
-Description: Use mysql/mysql.h instead of mysql.h
-Author: Francesco Paolo Lovergine <frankie at debian.org>
-Forwarded: not needed
-
-Index: proftpd-dfsg/contrib/mod_sql_mysql.c
-===================================================================
---- proftpd-dfsg.orig/contrib/mod_sql_mysql.c	2018-01-14 23:18:00.000000000 +0100
-+++ proftpd-dfsg/contrib/mod_sql_mysql.c	2018-01-14 23:18:00.000000000 +0100
+--- proftpd-dfsg-1.3.6b.orig/contrib/mod_sql_mysql.c
++++ proftpd-dfsg-1.3.6b/contrib/mod_sql_mysql.c
 @@ -131,7 +131,7 @@
  #include "conf.h"
  #include "../contrib/mod_sql.h"
  
 -#include <mysql.h>
 +#include <mysql/mysql.h>
+ #include <stdbool.h>
  
  /* The my_make_scrambled_password{,_323} functions are not part of the public
-  * MySQL API and are not declared in any of the MySQL header files. But the
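Review bot: The refreshed patch drops the DEP-3 header (`Description:`, `Author:`, `Forwarded:`) that the previous version carried, leaving the patch's purpose and provenance undocumented in the file itself. Suggest restoring the three lines above the new `--- proftpd-dfsg-1.3.6b.orig/contrib/mod_sql_mysql.c` header: `Description: Use mysql/mysql.h instead of mysql.h`, `Author: Francesco Paolo Lovergine <frankie at debian.org>`, `Forwarded: not needed`.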


=====================================
debian/patches/series
=====================================
@@ -19,4 +19,4 @@ wrong-path-for-interpreter_perl.diff
 # github_pr_594
 # upstream_pull_567
 # upstream_4372_CVE-2019-12815.diff
-issue_846_CVE-2019-18217.diff
+# issue_846_CVE-2019-18217.diff


=====================================
debian/proftpd-substvars
=====================================
@@ -1 +1 @@
-proftpd:Depends=proftpd-abi-1.3.6a 
+proftpd:Depends=proftpd-abi-1.3.6b 


=====================================
include/version.h
=====================================
@@ -1,8 +1,8 @@
 #include "buildstamp.h"
 
 /* Application version (in various forms) */
-#define PROFTPD_VERSION_NUMBER		0x0001030606
-#define PROFTPD_VERSION_TEXT		"1.3.6a"
+#define PROFTPD_VERSION_NUMBER		0x0001030607
+#define PROFTPD_VERSION_TEXT		"1.3.6b"
 
 /* Module API version */
 #define PR_MODULE_API_VERSION		0x20


=====================================
src/main.c
=====================================
@@ -462,6 +462,7 @@ int pr_cmd_read(cmd_rec **res) {
   static long cmd_bufsz = -1;
   static char *cmd_buf = NULL;
   int cmd_buflen;
+  unsigned int too_large_count = 0;
   char *ptr;
 
   if (res == NULL) {
@@ -487,8 +488,15 @@ int pr_cmd_read(cmd_rec **res) {
     if (cmd_buflen < 0) {
       if (errno == E2BIG) {
         /* The client sent a too-long command which was ignored; give
-         * them another chance?
+         * them a few more chances, with minor delays?
          */
+        too_large_count++;
+        pr_timer_usleep(250 * 1000);
+
+        if (too_large_count > 3) {
+          return -1;
+        }
+
         continue;
       }
 
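Review bot: The E2BIG branch introduces two bare numbers, the `250 * 1000` microsecond delay and the cap of `3`, with nothing tying them to the issue they mitigate; a short comment such as `/* Issue 846: throttle, then drop, clients that keep sending oversized commands. */` above `too_large_count++;` (or named constants at file scope) would preserve the rationale. Because `too_large_count` is a local initialised to 0 in the first hunk, the cap appears to apply only to consecutive oversized lines within one pr_cmd_read call and resets as soon as a valid command is read; if a per-session limit was intended, the counter needs a different home. The `return -1` path also emits no diagnostic, so an operator cannot distinguish this deliberate drop from an ordinary read failure in the logs; a debug-level log line before the return would help. pr_cmd_read starts before and ends after this hunk.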


=====================================
src/netio.c
=====================================
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - FTP server daemon
- * Copyright (c) 2001-2016 The ProFTPD Project team
+ * Copyright (c) 2001-2019 The ProFTPD Project team
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -1446,6 +1446,7 @@ int pr_netio_read(pr_netio_stream_t *nstrm, char *buf, size_t buflen,
       }
 
       nstrm->strm_errno = 0;
+      errno = EOF;
       break;
     }
 
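Review bot: `errno = EOF;` stores a value that is not an errno constant (EOF is the stdio end-of-file sentinel, -1 on common libcs) into errno, so any caller that reports this path via strerror(errno) will print an unknown-error string, and nothing at the assignment says this is deliberate. Suggest `/* Not a real errno: EOF lets callers tell end-of-stream from an I/O error. */` on the line above it, plus a check that every pr_netio_read caller handles this sentinel before falling through to generic error reporting. It is also slightly surprising that `nstrm->strm_errno` is cleared to 0 one line earlier while the global errno is set; if strm_errno is what callers consult, the sentinel may be invisible to them, which is worth confirming. pr_netio_read begins and ends outside this hunk.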


