[Git][debian-proftpd-team/proftpd][upstream] New upstream version 1.3.6b
Hilmar Preuße
gitlab at salsa.debian.org
Mon Nov 4 21:06:56 GMT 2019
Hilmar Preuße pushed to branch upstream at Debian ProFTPD Team / proftpd
Commits:
0b87a5b3 by Hilmar Preuße at 2019-11-04T21:03:16Z
New upstream version 1.3.6b
- - - - -
7 changed files:
- NEWS
- RELEASE_NOTES
- contrib/dist/rpm/proftpd.spec
- contrib/mod_sql_mysql.c
- include/version.h
- src/main.c
- src/netio.c
Changes:
=====================================
NEWS
=====================================
@@ -15,6 +15,10 @@
where `N' is the issue number.
-----------------------------------------------------------------------------
+1.3.6b - Released 19-Oct-2019
+--------------------------------
+- Issue 846 - Remote denial-of-service due to issue in network IO handling.
+
1.3.6a - Released 12-Oct-2019
--------------------------------
- Bug 4304 - Configure script wrongly detects AIX lastlog functions.
=====================================
RELEASE_NOTES
=====================================
@@ -6,6 +6,11 @@ This file contains a description of the major changes to ProFTPD for the
releases. More information on these changes can be found in the NEWS and
ChangeLog files.
+1.3.6b
+---------
+ + Fixed pre-authentication remote denial-of-service issue (Issue #846).
+ + Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).
+
1.3.6a
---------
+ Fixed symlink navigation (Bug#4332).
=====================================
contrib/dist/rpm/proftpd.spec
=====================================
@@ -60,7 +60,7 @@
# release_version should be incremented for each maint release, and reset back
# to 1 BEFORE starting new release cycle.
-%global release_version 2
+%global release_version 3
%if %(echo %{proftpd_version} | grep rc >/dev/null 2>&1 && echo 1 || echo 0)
%global rpm_version %(echo %{proftpd_version} | sed -e 's/rc.*//')
=====================================
contrib/mod_sql_mysql.c
=====================================
@@ -132,6 +132,7 @@
#include "../contrib/mod_sql.h"
#include <mysql.h>
+#include <stdbool.h>
/* The my_make_scrambled_password{,_323} functions are not part of the public
* MySQL API and are not declared in any of the MySQL header files. But the
@@ -496,7 +497,11 @@ MODRET cmd_open(cmd_rec *cmd) {
* http://dev.mysql.com/doc/refman/5.0/en/auto-reconnect.html
*/
if (!(pr_sql_opts & SQL_OPT_NO_RECONNECT)) {
+#if MYSQL_VERSION_ID >= 80000
+ bool reconnect = true;
+#else
my_bool reconnect = TRUE;
+#endif
mysql_options(conn->mysql, MYSQL_OPT_RECONNECT, &reconnect);
}
#endif
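Review bot: The `#if MYSQL_VERSION_ID >= 80000` guard has no comment saying why the variable type differs, so the next reader cannot tell that it exists only because newer MySQL client headers no longer provide `my_bool`. I would add `/* MySQL 8 headers dropped my_bool; mysql_options() expects a bool there. */` above the `#if`. MariaDB client headers also report a version number above 80000 while, as far as I know, still declaring `my_bool`, so the build is worth confirming against them. The `<stdbool.h>` include added in the earlier hunk is unconditional although only this branch needs it. cmd_open's body starts and ends outside the hunk.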
=====================================
include/version.h
=====================================
@@ -1,8 +1,8 @@
#include "buildstamp.h"
/* Application version (in various forms) */
-#define PROFTPD_VERSION_NUMBER 0x0001030606
-#define PROFTPD_VERSION_TEXT "1.3.6a"
+#define PROFTPD_VERSION_NUMBER 0x0001030607
+#define PROFTPD_VERSION_TEXT "1.3.6b"
/* Module API version */
#define PR_MODULE_API_VERSION 0x20
=====================================
src/main.c
=====================================
@@ -462,6 +462,7 @@ int pr_cmd_read(cmd_rec **res) {
static long cmd_bufsz = -1;
static char *cmd_buf = NULL;
int cmd_buflen;
+ unsigned int too_large_count = 0;
char *ptr;
if (res == NULL) {
@@ -487,8 +488,15 @@ int pr_cmd_read(cmd_rec **res) {
if (cmd_buflen < 0) {
if (errno == E2BIG) {
/* The client sent a too-long command which was ignored; give
- * them another chance?
+ * them a few more chances, with minor delays?
*/
+ too_large_count++;
+ pr_timer_usleep(250 * 1000);
+
+ if (too_large_count > 3) {
+ return -1;
+ }
+
continue;
}
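Review bot: The new `return -1` after `too_large_count > 3` gives the caller no defined errno and leaves no log trace: `pr_timer_usleep()` runs between the E2BIG check and the return, so errno may or may not still be E2BIG, and an operator cannot tell from the logs that a client was dropped for repeatedly sending oversized commands. I would set `errno = E2BIG;` immediately before the return and log the event at that point. The sleep also runs on the final attempt, before the limit check, so moving the `if` above `pr_timer_usleep(250 * 1000);` avoids a pointless delay. The literals `3` and `250 * 1000` would read better as named constants, and `too_large_count` (declared in the previous hunk) is a plain local among statics, so the limit presumably applies per call of pr_cmd_read rather than per session. The function body starts and ends outside the hunk.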
=====================================
src/netio.c
=====================================
@@ -1,6 +1,6 @@
/*
* ProFTPD - FTP server daemon
- * Copyright (c) 2001-2016 The ProFTPD Project team
+ * Copyright (c) 2001-2019 The ProFTPD Project team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -1446,6 +1446,7 @@ int pr_netio_read(pr_netio_stream_t *nstrm, char *buf, size_t buflen,
}
nstrm->strm_errno = 0;
+ errno = EOF;
break;
}
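Review bot: `errno = EOF;` stores a stdio sentinel (typically -1) in errno, which is not an errno code, so any `strerror(errno)` on this path will print an unknown-error string, and the line carries no comment explaining it. If the intent is to overwrite a stale value such as E2BIG so that the retry loop in pr_cmd_read does not spin on a closed connection (an inference from the main.c hunks, not visible here), say so: `/* Overwrite any stale errno (e.g. E2BIG) so callers do not retry after end-of-stream. */`. It also sits oddly next to `nstrm->strm_errno = 0;` on the line before, which records no error for the same event; a comment should state which of the two values callers are meant to consult. The enclosing block in pr_netio_read starts and ends outside the hunk.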
View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/commit/0b87a5b374cdf493209aaac2b4c35fbfb7992e23