[Git][debian-proftpd-team/proftpd][master] Finalize changelog for upload.

Hilmar Preuße gitlab at salsa.debian.org
Thu Jul 23 06:58:18 BST 2020



Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd


Commits:
cb38485e by Hilmar Preusse at 2020-07-23T07:57:24+02:00
Finalize changelog for upload.

- - - - -


15 changed files:

- debian/changelog
- − debian/patches/github_pr_594
- − debian/patches/github_pr_710
- − debian/patches/issue_846_CVE-2019-18217.diff
- − debian/patches/quotatab_modules
- debian/patches/series
- − debian/patches/upstream_4312
- − debian/patches/upstream_4312_fix_version
- − debian/patches/upstream_4335
- − debian/patches/upstream_4336
- − debian/patches/upstream_4356
- − debian/patches/upstream_4372_CVE-2019-12815.diff
- − debian/patches/upstream_4385
- − debian/patches/upstream_pull_567
- − debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269


Changes:

=====================================
debian/changelog
=====================================
@@ -1,20 +1,21 @@
-proftpd-dfsg (1.3.7a-1) UNRELEASED; urgency=medium
+proftpd-dfsg (1.3.7a-1) unstable; urgency=medium
 
   New upstream release 1.3.7a:
-  * Patches obsoleted, applied upstream: reproducible_build, spelling_errors
-  * Patches obsoleted, not bundled libcap: mod_cap
-  * Remove intermediate patches for security issues.
+  * Patches obsoleted
+    - applied upstream: reproducible_build, spelling_errors
+    - bundled libcap removed: mod_cap
+  * Disable/Remove intermediate patches for security issues.
 
   Debian adaptions:
   * d/clean reduced, clean handed over to upstream.
-  * Enable all modules available (and compilable) in 1.3.7a.
-    (Closes: #965051)
+  * Enable all modules available (and compilable) in 1.3.7a
+    (Closes: #965051).
+  * Compile and link with libsodium for better crypto support.
 
-  * Add support for libsodium.
   * Install xferstats.holger-preiss the Debian way; using dh-exec.
   * Raise debhelper compat Level to 10.
 
- -- Hilmar Preusse <hille42 at web.de>  Tue, 14 Jul 2020 21:32:06 +0000
+ -- Hilmar Preusse <hille42 at web.de>  Thu, 23 Jul 2020 07:53:17 +0200
 
 proftpd-dfsg (1.3.6c-3) unstable; urgency=medium
 


=====================================
debian/patches/github_pr_594 deleted
=====================================
@@ -1,97 +0,0 @@
-From ceed3cb3dea993e05d8651646213a94a6d1b5271 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Mon, 25 Sep 2017 12:57:37 -0700
-Subject: [PATCH] Issue #593: If the IgnoreExtendedAttributes FSOption is used,
- then do not include the EXTENDED attribute flag in the SFTP ATTRS responses.
-
----
- contrib/mod_sftp/fxp.c | 36 +++++++++++++++++++++++++++++++++---
- 1 file changed, 33 insertions(+), 3 deletions(-)
-
---- proftpd-dfsg.orig/contrib/mod_sftp/fxp.c
-+++ proftpd-dfsg/contrib/mod_sftp/fxp.c
-@@ -297,6 +297,8 @@
- static pool *fxp_pool = NULL;
- static int fxp_use_gmt = TRUE;
- 
-+/* FSOptions */
-+static unsigned long fxp_fsio_opts = 0UL;
- static unsigned int fxp_min_client_version = 1;
- static unsigned int fxp_max_client_version = 6;
- static unsigned int fxp_utf8_protocol_version = 4;
-@@ -7453,6 +7455,11 @@
-     pr_trace_msg(trace_channel, 7, "received request: FSTAT %s", name);
-     attr_flags = SSH2_FX_ATTR_SIZE|SSH2_FX_ATTR_UIDGID|SSH2_FX_ATTR_PERMISSIONS|
-       SSH2_FX_ATTR_ACMODTIME;
-+#ifdef PR_USE_XATTR
-+    if (!(fxp_fsio_opts & PR_FSIO_OPT_IGNORE_XATTR)) {
-+      attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+    }
-+#endif /* PR_USE_XATTR */
-   }
- 
-   fxb = pcalloc(fxp->pool, sizeof(struct fxp_buffer));
-@@ -7603,6 +7610,7 @@
-   uint32_t buflen, bufsz;
-   struct fxp_packet *resp;
-   cmd_rec *cmd;
-+  config_rec *c;
- 
-   fxp_session->client_version = sftp_msg_read_int(fxp->pool, &fxp->payload,
-     &fxp->payload_sz);
-@@ -7692,6 +7700,22 @@
- 
-   fxp_version_add_openssh_exts(fxp->pool, &buf, &buflen);
- 
-+  /* Look up the FSOptions here, for use later (Issue #593).  We do not need
-+   * set these for the FSIO API; that is already done by mod_core.  Instead,
-+   * we look them up for ourselves, for our own consumption/use.
-+   */
-+  c = find_config(main_server->conf, CONF_PARAM, "FSOptions", FALSE);
-+  while (c != NULL) {
-+    unsigned long opts = 0;
-+
-+    pr_signals_handle();
-+
-+    opts = *((unsigned long *) c->argv[0]);
-+    fxp_fsio_opts |= opts;
-+
-+    c = find_config_next(c, c->next, CONF_PARAM, "FSOptions", FALSE);
-+  }
-+
-   pr_event_generate("mod_sftp.sftp.protocol-version",
-     &(fxp_session->client_version));
- 
-@@ -8142,7 +8166,9 @@
-     attr_flags = SSH2_FX_ATTR_SIZE|SSH2_FX_ATTR_UIDGID|SSH2_FX_ATTR_PERMISSIONS|
-       SSH2_FX_ATTR_ACMODTIME;
- #ifdef PR_USE_XATTR
--    attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+    if (!(fxp_fsio_opts & PR_FSIO_OPT_IGNORE_XATTR)) {
-+      attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+    }
- #endif /* PR_USE_XATTR */
-   }
- 
-@@ -10352,7 +10378,9 @@
-      * to protocol version 6 clients.
-      */
- #ifdef PR_USE_XATTR
--    attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+    if (!(fxp_fsio_opts & PR_FSIO_OPT_IGNORE_XATTR)) {
-+      attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+    }
- #endif /* PR_USE_XATTR */
-   }
- 
-@@ -12208,7 +12236,9 @@
-     attr_flags = SSH2_FX_ATTR_SIZE|SSH2_FX_ATTR_UIDGID|SSH2_FX_ATTR_PERMISSIONS|
-       SSH2_FX_ATTR_ACMODTIME;
- #ifdef PR_USE_XATTR
--    attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+    if (!(fxp_fsio_opts & PR_FSIO_OPT_IGNORE_XATTR)) {
-+      attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+    }
- #endif /* PR_USE_XATTR */
-   }
- 


=====================================
debian/patches/github_pr_710 deleted
=====================================
@@ -1,58 +0,0 @@
-From e2f77c00e217eeb94459e104322b9a7d02c257e0 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sun, 27 May 2018 16:11:24 -0700
-Subject: [PATCH] Issue #674: Update mod_sftp to handle changed APIs in OpenSSL
- 1.1.x releases.
-
----
- contrib/mod_sftp/keys.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/contrib/mod_sftp/keys.c b/contrib/mod_sftp/keys.c
-index 4a3c460db..efd1ff981 100644
---- a/contrib/mod_sftp/keys.c
-+++ b/contrib/mod_sftp/keys.c
-@@ -1,6 +1,6 @@
- /*
-  * ProFTPD - mod_sftp key mgmt (keys)
-- * Copyright (c) 2008-2017 TJ Saunders
-+ * Copyright (c) 2008-2018 TJ Saunders
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -2780,7 +2780,7 @@ static const unsigned char *dsa_sign_data(pool *p, const unsigned char *data,
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-     !defined(HAVE_LIBRESSL)
--  DSA_SIG_get0(&sig_r, &sig_s, sig);
-+  DSA_SIG_get0(sig, &sig_r, &sig_s);
- #else
-   sig_r = sig->r;
-   sig_s = sig->s;
-@@ -2960,7 +2960,7 @@ static const unsigned char *ecdsa_sign_data(pool *p, const unsigned char *data,
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-     !defined(HAVE_LIBRESSL)
--  ECDSA_SIG_get0(&sig_r, &sig_s, sig);
-+  ECDSA_SIG_get0(sig, &sig_r, &sig_s);
- #else
-   sig_r = sig->r;
-   sig_s = sig->s;
-@@ -3307,7 +3307,7 @@ int sftp_keys_verify_signed_data(pool *p, const char *pubkey_algo,
-       dsa_sig = DSA_SIG_new();
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-     !defined(HAVE_LIBRESSL)
--      DSA_SIG_get0(&sig_r, &sig_s, dsa_sig);
-+      DSA_SIG_get0(sig, &sig_r, &sig_s);
- #else
-       sig_r = dsa_sig->r;
-       sig_s = dsa_sig->s;
-@@ -3426,7 +3426,7 @@ int sftp_keys_verify_signed_data(pool *p, const char *pubkey_algo,
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-     !defined(HAVE_LIBRESSL)
--      ECDSA_SIG_get0(&sig_r, &sig_s, ecdsa_sig);
-+      ECDSA_SIG_get0(ecdsa_sig, &sig_r, &sig_s);
- #else
-       sig_r = ecdsa_sig->r;
-       sig_s = ecdsa_sig->s;


=====================================
debian/patches/issue_846_CVE-2019-18217.diff deleted
=====================================
@@ -1,56 +0,0 @@
-From 13fe9462787b9a551152162f46f1641d65fe4df4 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sat, 19 Oct 2019 12:37:56 -0700
-Subject: [PATCH] Issue #846: Handle the case where a client tries to send
- too-large commands in an effort to DoS the server.
-
----
- src/main.c  | 10 +++++++++-
- src/netio.c |  3 ++-
- 2 files changed, 11 insertions(+), 2 deletions(-)
-
---- proftpd-dfsg.orig/src/main.c
-+++ proftpd-dfsg/src/main.c
-@@ -462,6 +462,7 @@
-   static long cmd_bufsz = -1;
-   static char *cmd_buf = NULL;
-   int cmd_buflen;
-+  unsigned int too_large_count = 0;
-   char *ptr;
- 
-   if (res == NULL) {
-@@ -487,8 +488,15 @@
-     if (cmd_buflen < 0) {
-       if (errno == E2BIG) {
-         /* The client sent a too-long command which was ignored; give
--         * them another chance?
-+         * them a few more chances, with minor delays?
-          */
-+        too_large_count++;
-+        pr_timer_usleep(250 * 1000);
-+
-+        if (too_large_count > 3) {
-+          return -1;
-+        }
-+
-         continue;
-       }
- 
---- proftpd-dfsg.orig/src/netio.c
-+++ proftpd-dfsg/src/netio.c
-@@ -1,6 +1,6 @@
- /*
-  * ProFTPD - FTP server daemon
-- * Copyright (c) 2001-2016 The ProFTPD Project team
-+ * Copyright (c) 2001-2019 The ProFTPD Project team
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -1446,6 +1446,7 @@
-       }
- 
-       nstrm->strm_errno = 0;
-+      errno = EOF;
-       break;
-     }
- 


=====================================
debian/patches/quotatab_modules deleted
=====================================
@@ -1,708 +0,0 @@
-Description: Add mod_quotatab module
-Author: Francesco Paolo Lovergine <frankie at debian.org>
-Forwarded: not needed
-
-Index: proftpd-dfsg/README.mod_quotatab
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ proftpd-dfsg/README.mod_quotatab	2011-02-08 13:33:10.000000000 +0100
-@@ -0,0 +1,354 @@
-+  ------------------------------------------------------------------------
-+
-+                         ProFTPD module mod_quotatab
-+
-+  ------------------------------------------------------------------------
-+
-+This module is contained in the mod_quotatab.c, mod_quotatab.h, and in its
-+submodule source files, for ProFTPD 1.2, found here, and is not compiled by
-+default. Installation instructions can be found here.
-+
-+This module is designed to impose quotas, both byte- and file-based, on FTP
-+accounts, based on user, group, class, or for all accounts. It is based on
-+the ideas contained in Eric Estabrook's mod_quota; however, this module has
-+been written from scratch to implement quotas in a very different manner. A
-+more detailed explanation of the usage of this module follows the directive
-+explanations.
-+
-+The most current version of mod_quotatab's submodules supports storage of
-+quota table information in various formats:
-+
-+   * mod_quotatab_file for file-based quota tables
-+   * mod_quotatab_sql for SQL-based quota tables
-+
-+The most current version of mod_quotatab can be found at:
-+
-+  http://www.castaglia.org/proftpd/
-+
-+The eventual goal of this module is to make use of the Confstream API, an
-+experimental API described here. This API would make support for tables in
-+other formats (e.g. LDAP, CDB, DBM) much easier to implement.
-+
-+Author
-+
-+Please contact TJ Saunders <tj at castaglia.org> with any questions,
-+concerns, or suggestions regarding this module.
-+
-+Thanks
-+
-+2002-01-12: Thanks to SupaFly <ntlfy at ntlworld.com> for helping debug an
-+issue with a missing tally table.
-+
-+2002-03-30: Thanks to Kai Langheim <kl at q-nic.de> for pointing out several
-+small bugs affecting users with no quota entries.
-+
-+Directives
-+
-+   * QuotaDirectoryTally
-+   * QuotaDisplayUnits
-+   * QuotaEngine
-+   * QuotaLimitTable
-+   * QuotaLog
-+   * QuotaShowQuotas
-+   * QuotaTallyTable
-+
-+SITE Commands
-+
-+   * SITE QUOTA
-+
-+  ------------------------------------------------------------------------
-+
-+QuotaDirectoryTally
-+
-+Syntax: QuotaDirectoryTally on|off
-+Default: QuotaDirectoryTally off
-+Context: server config, <VirtualHost>, <Global>
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+The QuotaDirectoryTally directive configures mod_quotatab to take directory
-+operations (e.g. creating a directory, removing a directory) into account
-+when tallying.
-+
-+  ------------------------------------------------------------------------
-+
-+QuotaDisplayUnits
-+
-+Syntax: QuotaDisplayUnits "b"|"Kb"|"Mb"|"Gb"
-+Default: None
-+Context: server config, <VirtualHost>, <Global>
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+This directive configures how the user's current byte quota values will be
-+reported to them. Note that this directive does not affect how the quota
-+values are stored in the quota table, only their presentation to the user.
-+
-+"b" causes quotas to be displayed in bytes; "Kb", kilobytes; "Mb",
-+megabytes; and "Gb", gigabytes.
-+
-+Example:
-+
-+  # display quota information in megabytes
-+  QuotaDisplayUnits Mb
-+
-+  ------------------------------------------------------------------------
-+
-+QuotaEngine
-+
-+Syntax: QuotaEngine on|off
-+Default: None
-+Context: server config, <VirtualHost>, <Global>
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+The QuotaEngine directive enables or disables the module's runtime quota
-+engine. If it is set to off this module does no runtime processing at all.
-+Use this directive to disable the module instead of commenting out all
-+mod_quotatab directives.
-+
-+  ------------------------------------------------------------------------
-+
-+QuotaLimitTable
-+
-+Syntax: QuotaLimitTable source-type:source-info
-+Default: None
-+Context:
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+This directive configures the information necessary for the module to locate
-+and use the table containing the quota limit, the maximum number of bytes
-+and/or files defined for use by specific users, groups, classes, etc, and is
-+required for mod_quotatab to function.
-+
-+Please consult the relevant submodule documentation for details on that
-+module's syntax for this configuration directive.
-+
-+See also: QuotaTallyTable
-+
-+  ------------------------------------------------------------------------
-+
-+QuotaLog
-+
-+Syntax: QuotaLog file|"none"
-+Default: None
-+Context:
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+The QuotaLog directive is used to a specify a log file for mod_quotatab
-+reporting, and can be done a per-server basis. The file parameter must be
-+the full path to the file to use for logging. Note that this path must not
-+be to a world-writeable directory and, unless AllowLogSymlinks is explicitly
-+set to on (generally a bad idea), the path must not be a symbolic link.
-+
-+If file is "none", no logging will be done at all; this setting can be used
-+to override a QuotaLog setting inherited from a <Global> context.
-+
-+  ------------------------------------------------------------------------
-+
-+QuotaShowQuotas
-+
-+Syntax: QuotaShowQuotas on|off
-+Default: on
-+Context:
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+The QuotaShowQuotas directive can be used to enable/disable mod_quotatab's
-+response to a SITE QUOTA request. For some sites, revealing the current
-+quota information may be considered an unnecessary, perhaps even
-+detrimental, information leak; other sites may consider this a definite
-+feature.
-+
-+  ------------------------------------------------------------------------
-+
-+QuotaTallyTable
-+
-+Syntax: QuotaTallyTable source-type:source-info
-+Default: None
-+Context:
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+This directive configures the information necessary for the module to locate
-+and use the table containing the quota tally, or the current byte/file
-+counts for users, groups, classes, etc, and is required for mod_quotatab to
-+function.
-+
-+Please consult the relevant submodule documentation for details on that
-+module's syntax for this configuration directive.
-+
-+See also: QuotaLimitTable
-+
-+  ------------------------------------------------------------------------
-+
-+SITE QUOTA
-+
-+The SITE QUOTA command will display the quota, both the limit and the
-+current tally, to the client. This SITE command accepts no parameters, and
-+can only be used once the client has successfully logged in.
-+
-+Example:
-+
-+ftp> quote SITE QUOTA
-+200-The current quota for this session are [current/limit]:
-+ Name: tj
-+ Quota Type: User
-+ Per Session: True
-+ Limit Type: Hard
-+   Uploaded Kb:         unlimited
-+   Downloaded Kb:       unlimited
-+   Transferred Kb:      unlimited
-+   Uploaded files:      1/1
-+   Downloaded files:    unlimited
-+   Transferred files:   unlimited
-+200 Please contact root at familiar.castaglia.org if these entries are inaccurate
-+ftp>
-+
-+Use of this SITE command can be controlled via <Limit>, e.g.:
-+
-+  <Limit SITE_QUOTA>
-+    AllowUser tj
-+    DenyAll
-+  </Limit>
-+
-+Like many SITE commands, the FTP client will probably not recognize or
-+support SITE QUOTA. Hopefully the client does have the ability to send
-+arbitrary commands to the server, as the common ftp(1) client does via
-+quote.
-+
-+The email address displayed in the SITE QUOTA output can be configured via
-+the ServerAdmin directive.
-+
-+  ------------------------------------------------------------------------
-+
-+Usage
-+
-+To use mod_quotatab's functionality, you must first define the tables that
-+together contain the quota information.
-+
-+There are two such quota tables: one table for providing quota information
-+about the absolute byte/file limits for users, groups, and classes, and a
-+separate table for maintaining the current tally, or number of bytes/files
-+used, for those same users, groups, and classes. This separation of
-+information allows for a configuration such as using LDAP to efficiently
-+distribute the limit information, and local SQL databases for efficiently
-+storing the tally. The limit table is considered a read-only table, and is
-+only accessed at the start of session in order to determine what the session
-+limits should be. The tally table is accessed in read-write mode, and is
-+updated after the relevant FTP commands have been processed.
-+
-+This module was not explicitly designed for easy interaction with other
-+applications, but rather for other criteria:
-+
-+   * efficient lookups and updates
-+   * no need for ~/.quota files
-+   * no need of requirement for root privileges to access quotas
-+   * easy support for an abstraction layer for storing quota information in
-+     other formats
-+   * support for a SITE command that allows users to view their current
-+     quotas
-+
-+This module maintains its quotas based solely on FTP commands - it does not
-+enforce quotas based on files that may have been added, deleted, or moved
-+via shell access or any mechanism other than through the proftpd server..
-+
-+When a client logs in, assuming QuotaEngine is on, mod_quotatab will check
-+the limit table for the record most appropriate for that client. This check
-+first examines the table for records of type user that match the client's
-+login name. If no such matching records are found, it checks for records of
-+type group that match any of the user's groups (both primary and
-+supplemental). Failing that, it will check for records of type class that
-+belong to the class (if enabled) from which the client is connecting. If
-+still no matching records are found, the table will be searched for a record
-+of type all; if absent, the module will assume that no quotas apply to the
-+client.
-+
-+Once the limits for the current session have been established, mod_quotatab
-+examines the tally table to see what the current numbers in the matching
-+tally record are. Should the client have an applicable limit record but no
-+matching tally record, the module will initialize a new record in the tally
-+table.
-+
-+For the purposes of tracking the number of uploaded bytes/files, the tally
-+will be adjusted accordingly upon use of the following FTP commands: APPE
-+(bytes only), DELE, STOR, and STOU. The number of bytes used for the
-+calculation will be determined from the difference in file size of the file
-+in question.
-+
-+For the purposes of tracking the number of downloaded bytes/files, the tally
-+will be adjusted accordingly upon use of the following FTP commands: RETR.
-+The number of bytes used for the calculation will be determined from the
-+number of bytes sent to the client.
-+
-+For the purposes of tracking the number of transferred bytes/files, the
-+tally will be adjusted accordingly upon use of the following FTP commands:
-+APPE (bytes only), DELE, RETR, STOR, and STOU. The number of bytes used for
-+the calculation will be determined from the number of bytes sent to the
-+client. This type of limit allows for byte/file limits to be set that
-+encompass both uploads and downloads.
-+
-+Note that if all three types of quotas are set (upload, download, and
-+transfer), any quota reached will cause denial of FTP commands. This means
-+that a high upload quota will never be reached if a low transfer quota is in
-+effect. This holds true for bytes and files quota. For example, if a user
-+has a limited number of both bytes and files to be uploaded in their limit
-+record, the first limit reached (bytes or files) is the effective limit..
-+Caveat emptor.
-+
-+For any quota limit that is set as "unlimited", mod_quotatab will not keep
-+the tally. Many site administrators might want this ability, for accounting
-+purposes. However, that ability is outside of the intended design of this
-+module; other logging modules are much better suited for accounting purposes
-+(e.g. mod_sql's SQLLog directive).
-+
-+If any developers wish to make use of mod_quotatab's quota information, or
-+to develop a new submodule, there is developer documentation available here.
-+
-+  ------------------------------------------------------------------------
-+
-+Installation
-+
-+To install mod_quotatab, follow these instructions. After unpacking the
-+tarball, copy the mod_quotatab.c, mod_quotatab.h, mod_quotatab_file.c, and
-+mod_quotatab_sql.c files into:
-+
-+  proftpd-dir/contrib/
-+
-+after unpacking the latest proftpd-1.2 source code. Follow the usual steps
-+for using third-party modules in proftpd:
-+
-+  ./configure --with-modules=quotatab-modules
-+  make
-+  make install
-+
-+where quotatab-modules will depend on the types of quota tables you wish to
-+support.
-+
-+For file-based quota tables, include the mod_quotatab_file submodule, e.g.:
-+
-+  mod_quotatab:mod_quotatab_file
-+
-+For SQL-based quota tables, include the mod_quotatab_sql submodule, e.g.:
-+
-+  mod_quotatab:mod_quotatab_sql
-+
-+And, if you wish to support file- and SQL-based quota tables:
-+
-+  mod_quotatab:mod_quotatab_file:mod_quotatab_sql
-+
-+Note that SQL tables require that a correct installation of mod_sql (and any
-+of its backend modules) also be used. Consult the mod_sql documentation for
-+installation instructions for that module.
-+
-+  ------------------------------------------------------------------------
-+
-+Author: $Author: frankie $
-+Last Updated: $Date: 2003/11/17 15:30:12 $
-+
-+  ------------------------------------------------------------------------
-+© Copyright 2000-2002 TJ Saunders
-+All Rights Reserved
-+  ------------------------------------------------------------------------
-Index: proftpd-dfsg/diskuse
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ proftpd-dfsg/diskuse	2011-02-08 13:33:10.000000000 +0100
-@@ -0,0 +1,232 @@
-+#!/usr/bin/perl
-+# -------------------------------------------------------------------------
-+# Copyright (C) 2002 TJ Saunders <tj at castaglia.org>
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; either version 2 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
-+#
-+#  $Id: 14.quotatab_modules.diff,v 1.4 2003/11/17 15:30:12 frankie Exp $
-+#
-+# -------------------------------------------------------------------------
-+
-+use strict;
-+
-+use Fcntl;
-+use File::Basename qw(basename);
-+use Getopt::Long;
-+
-+my $program = basename($0);
-+my %opts = {};
-+
-+GetOptions(\%opts, 'G', 'K', 'M', 'dir-tally', 'group=s', 'help',
-+  'user=s', 'verbose');
-+
-+my $verbose = 0;
-+my $user_id = -1;
-+my $group_id = -1;
-+
-+usage() if defined($opts{'help'});
-+
-+if (length(@ARGV) < 1) {
-+  print STDOUT "$program: wrong number of parameters\n";
-+  exit 0;
-+}
-+
-+unless (defined($opts{'user'}) || defined($opts{'group'})) {
-+  print STDOUT "$program: missing required --group or --user option\n";
-+  exit 0;
-+}
-+
-+if (defined($opts{'user'})) {
-+  $user_id = getpwnam($opts{'user'}) or
-+    die "$program: no such user: $opts{'user'}\n";
-+}
-+
-+if (defined($opts{'group'})) {
-+  $group_id = getgrnam($opts{'group'}) or
-+    die "$program: no such group: $opts{'group'}\n";
-+}
-+
-+$verbose = 1 if (defined($opts{'verbose'}));
-+
-+my ($total_bytes, $total_files);
-+
-+foreach my $dir (@ARGV) {
-+  my ($bytes, $files) = get_dir_disk_use($dir);
-+
-+  $total_bytes += $bytes;
-+  $total_files += $files;
-+}
-+
-+my $byte_units = "bytes";
-+
-+if (defined($opts{'K'})) {
-+  $total_bytes /= 1024;
-+  $byte_units = "KB";
-+
-+} elsif (defined($opts{'M'})) {
-+  $total_bytes /= (1024 * 1024);
-+  $byte_units = "MB";
-+
-+} elsif (defined($opts{'G'})) {
-+  $total_bytes /= (1024 * 1024 * 1024);
-+  $byte_units = "GB";
-+}
-+
-+my $file_units = "files";
-+$file_units = "file" if ($total_files == 1);
-+
-+print STDOUT "$program: $total_bytes $byte_units in $total_files $file_units\n";
-+
-+# done
-+exit 0;
-+
-+# --------------------------------------------------------------------------
-+sub get_dir_disk_use {
-+  my ($dir) = @_;
-+
-+  print STDOUT "$program: examining directory '$dir'\n" if $verbose;
-+
-+  my @subdirs = ();
-+  my $nbytes = 0;
-+  my $nfiles = 0;
-+
-+  unless (opendir(DIR, $dir)) {
-+    print STDERR "$program: unable to open directory '$dir': $!\n";
-+    return (0, 0);
-+  }
-+
-+  my @files = readdir(DIR);
-+  close(DIR);
-+
-+  foreach my $file (@files) {
-+    my ($mode, $uid, $gid, $size) = (lstat("$dir/$file"))[2, 4, 5, 7];
-+
-+    # Is this entry a regular file, or a directory?
-+    unless (-f "$dir/$file" || (-l "$dir/$file" && !-f "$dir/$file") || -d "$dir/$file") {
-+      print STDOUT "$program: skipping '$dir/$file': not a file or directory\n" if $verbose;
-+      next;
-+    }
-+
-+    # Does this file match the given user/group ownership?
-+    if ($user_id != -1 && $group_id != -1) {
-+
-+      if ($uid == $user_id && $gid == $group_id) {
-+
-+        if (defined($opts{'dir-tally'}) && $file eq ".") {
-+          $nbytes += $size;
-+          $nfiles++;
-+ 
-+        } elsif (! -d "$dir/$file") {
-+          $nbytes += $size;
-+          $nfiles++;
-+        }
-+
-+      } else {
-+        print STDOUT "$program: '$file' does not match UID $user_id, GID $group_id\n" if $verbose;
-+      }
-+
-+    } elsif ($user_id != -1) {
-+
-+      if ($uid == $user_id) {
-+
-+        if (defined($opts{'dir-tally'}) && $file eq ".") {
-+          $nbytes += $size;
-+          $nfiles++;
-+
-+        } elsif (! -d "$dir/$file") {
-+          $nbytes += $size;
-+          $nfiles++;
-+        }
-+
-+      } else {
-+        print STDOUT "$program: '$file' does not match UID $user_id\n" if $verbose;
-+      }
-+
-+    } elsif ($group_id != -1) {
-+
-+      if ($gid == $group_id) {
-+
-+        if (defined($opts{'dir-tally'}) && $file eq ".") {
-+          $nbytes += $size;
-+          $nfiles++;
-+
-+        } elsif (! -d "$dir/$file") {
-+          $nbytes += $size;
-+          $nfiles++;
-+        }
-+
-+      } else {
-+        print STDOUT "$program: '$file' does not match GID $group_id\n" if $verbose;
-+      }
-+    }
-+
-+    # Is this entry a directory?  If so, add it to the subdir list.
-+    if (-d "$dir/$file") {
-+
-+      # Skip dot directories
-+      push(@subdirs, "$dir/$file") unless ($file eq "." || $file eq "..");
-+    }
-+  }
-+
-+  # Now, recurse through the directory's subdirectories
-+  foreach my $subdir (@subdirs) {
-+    my ($bytecount, $filecount) = get_dir_disk_use($subdir);
-+    $nbytes += $bytecount;
-+    $nfiles += $filecount;
-+  }
-+
-+  return ($nbytes, $nfiles);
-+}
-+
-+# --------------------------------------------------------------------------
-+sub usage {
-+
-+  print STDOUT <<END_OF_USAGE;
-+
-+usage: $program [options] dir1 dir2 ... dirN
-+
-+ $program calculates the amount of disk space used underneath the given
-+ directory (or directories).  Either a --group or a --user option is required.
-+ If both are used, only files whose ownership matches both the given name and
-+ group will be added to the disk usage sum.
-+
-+ Options:
-+
-+  --G          Display the number of bytes in units of gigabytes.  The default
-+               number is in bytes.
-+
-+  --K          Display the number of bytes in units of kilobytes.  The default
-+               number is in bytes.
-+
-+  --M          Display the number of bytes in units of megabytes.  The default
-+               number is in bytes.
-+
-+  --dir-tally  Count the size of directories toward the disk usage sum.  The
-+               default is to consider regular files only.
-+
-+  --group      Count files owned by this group in the disk usage sum.
-+
-+  --help       Display this message.
-+
-+  --user       Count files owned by this user in the disk usage sum.
-+
-+  --verbose    Display diagnostic output while $program is running.
-+
-+END_OF_USAGE
-+
-+  exit 0;
-+}
-+
-+# --------------------------------------------------------------------------
-Index: proftpd-dfsg/diskuse.html
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ proftpd-dfsg/diskuse.html	2011-02-08 13:33:10.000000000 +0100
-@@ -0,0 +1,103 @@
-+<!-- $Id: 14.quotatab_modules.diff,v 1.4 2003/11/17 15:30:12 frankie Exp $ -->
-+<!-- $Source: /cvsroot/pkg-proftpd/debian/patches/14.quotatab_modules.diff,v $ -->
-+
-+<html>
-+<head>
-+<title>diskuse: tool for ProFTPD mod_quotatab</title>
-+</head>
-+
-+<body bgcolor=white>
-+
-+<hr><br>
-+<center>
-+<h2><b><code>diskuse</code>: tool for ProFTPD module <code>mod_quotatab</code></b></h2>
-+</center>
-+<hr><br>
-+
-+This program is distributed with the
-+<a href="./mod_quotatab.html"><code>mod_quotatab</code></a> module for
-+ProFTPD 1.2.  It is used to calculate the amount of disk space currently
-+used by a given user and/or group.
-+
-+<p>
-+The most current version of <code>diskuse</code> can be found at:
-+<pre>
-+  <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a>
-+</pre>
-+
-+<h2>Author</h2>
-+<p>
-+Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any
-+questions, concerns, or suggestions regarding this program.
-+
-+<p>
-+<hr><br>
-+<h2><a name="Usage">Usage</a></h2>
-+The following describes the common usage of the <code>diskuse</code> tool.
-+The options supported are described in more detail
-+<a href="#Options">later</a>.
-+
-+<p>
-+Usage of this tool is fairly straightforward: choose the directory (or
-+directories) to scan, and the user or group for whom you wish to calculate
-+disk usage:
-+<pre>
-+  diskuse /home /usr /tmp --user=bob
-+</pre>
-+The <code>--K</code>, <code>--M</code>, and <code>--G</code> options can be
-+used to display the disk usage calculated in kilobytes, megabytes, or
-+gigabytes, respectively.
-+
-+<p>
-+<hr><br>
-+<h2><a name="Options">Options</a></h2>
-+The following is the output from running <code>diskuse --help</code>:
-+<pre>
-+usage: diskuse [options] dir1 dir2 ... dirN
-+
-+ diskuse calculates the amount of disk space used underneath the given
-+ directory (or directories).  Either a --group or a --user option is required.
-+ If both are used, only files whose ownership matches both the given name and
-+ group will be added to the disk usage sum.
-+
-+ Options:
-+
-+  --G          Display the number of bytes in units of gigabytes.  The default
-+               number is in bytes.
-+
-+  --K          Display the number of bytes in units of kilobytes.  The default
-+               number is in bytes.
-+
-+  --M          Display the number of bytes in units of megabytes.  The default
-+               number is in bytes.
-+
-+  --dir-tally  Count the size of directories toward the disk usage sum.  The
-+               default is to consider regular files only.
-+
-+  --group      Count files owned by this group in the disk usage sum.
-+
-+  --help       Display this message.
-+
-+  --user       Count files owned by this user in the disk usage sum.
-+
-+  --verbose    Display diagnostic output while diskuse is running.
-+</pre>
-+
-+<p>
-+<hr><br>
-+
-+Author: <i>$Author: frankie $</i><br>
-+Last Updated: <i>$Date: 2003/11/17 15:30:12 $</i><br>
-+
-+<br><hr>
-+
-+<font size=2><b><i>
-+© Copyright 2000-2002 TJ Saunders<br>
-+ All Rights Reserved<br>
-+</i></b></font>
-+
-+<hr><br>
-+
-+</body>
-+</html>
-+


=====================================
debian/patches/series
=====================================
@@ -1,7 +1,6 @@
 autotools
 change_pam_name
 ftpasswd.cracklib.location
-# quotatab_modules
 mod_sql_mysql.c
 mod_wrap_noparanoid
 ftpstats
@@ -9,18 +8,6 @@ ftpstats
 odbc
 #reproducible_build
 #spelling_errors
-# upstream_4335
-# upstream_4336
-# upstream_4312
-# upstream_4312_fix_version
-# github_pr_710
-# upstream_4356
 wrong-path-for-interpreter_perl.diff
-# github_pr_594
-# upstream_pull_567
-# upstream_4372_CVE-2019-12815.diff
-# issue_846_CVE-2019-18217.diff
-# upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
-# upstream_4385
 #cd9036f4ef7a05c107f0ffcb19a018b20267c531.patch
 #   proftpd-mysql-password-backend.patch


=====================================
debian/patches/upstream_4312 deleted
=====================================
@@ -1,227 +0,0 @@
-From 52dd3d34e04a0ecbf3deffb9d20368d68281176c Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Tue, 15 Aug 2017 19:41:52 -0700
-Subject: [PATCH] Bug#4312: Close any "extra" open fds at startup.
-
----
- contrib/mod_exec.c | 65 ++++--------------------------------------------------
- include/fsio.h     |  3 +++
- src/fsio.c         | 55 +++++++++++++++++++++++++++++++++++++++++++++
- src/main.c         |  1 +
- tests/api/fsio.c   |  7 ++++++
- 5 files changed, 70 insertions(+), 61 deletions(-)
-
-Index: proftpd-dfsg-1.3.6/contrib/mod_exec.c
-===================================================================
---- proftpd-dfsg-1.3.6.orig/contrib/mod_exec.c	2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/contrib/mod_exec.c	2018-02-20 21:24:24.000000000 +0100
-@@ -31,17 +31,15 @@
- # include <sys/resource.h>
- #endif
- 
--#define MOD_EXEC_VERSION	"mod_exec/0.9.14"
-+#define MOD_EXEC_VERSION	"mod_exec/0.9.16"
- 
- /* Make sure the version of proftpd is as necessary. */
--#if PROFTPD_VERSION_NUMBER < 0x0001030402
--# error "ProFTPD 1.3.4rc2 or later required"
-+#if PROFTPD_VERSION_NUMBER < 0x0001030701
-+# error "ProFTPD 1.3.7rc1 or later required"
- #endif
- 
- module exec_module;
- 
--#define EXEC_MAX_FD_COUNT		1024
--
- static pool *exec_pool = NULL;
- static int exec_engine = FALSE;
- static unsigned int exec_nexecs = 0;
-@@ -263,10 +261,6 @@
- }
- 
- static void exec_prepare_fds(int stdin_fd, int stdout_fd, int stderr_fd) {
--  long nfiles = 0;
--  register unsigned int i = 0;
--  struct rlimit rlim;
--
-   if (stdin_fd < 0) {
-     stdin_fd = open("/dev/null", O_RDONLY);
-     if (stdin_fd < 0) {
-@@ -314,59 +308,8 @@
-    * dup /dev/null.  For stdout and stderr, we dup some pipes, so that
-    * we can capture what the command may write to stdout or stderr.  The
-    * stderr output will be logged to the ExecLog.
--   *
--   * First, use getrlimit() to obtain the maximum number of open files
--   * for this process -- then close that number.
-    */
--#if defined(RLIMIT_NOFILE) || defined(RLIMIT_OFILE)
--# if defined(RLIMIT_NOFILE)
--  if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
--# elif defined(RLIMIT_OFILE)
--  if (getrlimit(RLIMIT_OFILE, &rlim) < 0) {
--# endif
--    /* Ignore ENOSYS (and EPERM, since some libc's use this as ENOSYS). */
--    if (errno != ENOSYS &&
--        errno != EPERM) {
--      exec_log("getrlimit() error: %s", strerror(errno));
--    }
--
--    /* Pick some arbitrary high number. */
--    nfiles = EXEC_MAX_FD_COUNT;
--
--  } else {
--    nfiles = rlim.rlim_max;
--  }
--
--#else /* no RLIMIT_NOFILE or RLIMIT_OFILE */
--   nfiles = EXEC_MAX_FD_COUNT;
--#endif
--
--  /* Yes, using a long for the nfiles variable is not quite kosher; it should
--   * be an unsigned type, otherwise a large limit (say, RLIMIT_INFINITY)
--   * might overflow the data type.  In that case, though, we want to know
--   * about it -- and using a signed type, we will know if the overflowed
--   * value is a negative number.  Chances are we do NOT want to be closing
--   * fds whose value is as high as they can possibly get; that's too many
--   * fds to iterate over.  Long story short, using a long int is just fine.
--   * (Plus it makes mod_exec work on Mac OSX 10.4; without this tweak,
--   * mod_exec's forked processes never return/exit.)
--   */
--
--  if (nfiles < 0 ||
--      nfiles > EXEC_MAX_FD_COUNT) {
--    nfiles = EXEC_MAX_FD_COUNT;
--  }
--
--  /* Close the "non-standard" file descriptors. */
--  for (i = 3; i < nfiles; i++) {
--
--    /* This is a potentially long-running loop, so handle signals. */
--    pr_signals_handle();
--
--    close(i);
--  }
--
--  return;
-+  pr_fs_close_extra_fds();
- }
- 
- static void exec_prepare_pipes(void) {
-Index: proftpd-dfsg-1.3.6/include/fsio.h
-===================================================================
---- proftpd-dfsg-1.3.6.orig/include/fsio.h	2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/include/fsio.h	2018-02-20 21:24:24.000000000 +0100
-@@ -413,6 +413,9 @@
- void pr_fs_globfree(glob_t *);
- void pr_resolve_fs_map(void);
- 
-+/* Close all but the main three fds. */
-+void pr_fs_close_extra_fds(void);
-+
- /* The main three fds (stdin, stdout, stderr) need to be protected, reserved
-  * for use.  This function uses dup(2) to open new fds on the given fd
-  * until the new fd is not one of the big three.
-Index: proftpd-dfsg-1.3.6/src/fsio.c
-===================================================================
---- proftpd-dfsg-1.3.6.orig/src/fsio.c	2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/src/fsio.c	2018-02-20 21:24:24.000000000 +0100
-@@ -6478,6 +6478,61 @@
-   return (buf > start ? start : NULL);
- }
- 
-+#define FSIO_MAX_FD_COUNT		1024
-+
-+void pr_fs_close_extra_fds(void) {
-+  register unsigned int i;
-+  long nfiles = 0;
-+  struct rlimit rlim;
-+
-+  /* Close any but the big three open fds.
-+   *
-+   * First, use getrlimit() to obtain the maximum number of open files
-+   * for this process -- then close that number.
-+   */
-+#if defined(RLIMIT_NOFILE) || defined(RLIMIT_OFILE)
-+# if defined(RLIMIT_NOFILE)
-+  if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
-+# elif defined(RLIMIT_OFILE)
-+  if (getrlimit(RLIMIT_OFILE, &rlim) < 0) {
-+# endif
-+    /* Ignore ENOSYS (and EPERM, since some libc's use this as ENOSYS); pick
-+     * some arbitrary high number.
-+     */
-+    nfiles = FSIO_MAX_FD_COUNT;
-+
-+  } else {
-+    nfiles = rlim.rlim_max;
-+  }
-+
-+#else /* no RLIMIT_NOFILE or RLIMIT_OFILE */
-+   nfiles = FSIO_MAX_FD_COUNT;
-+#endif
-+
-+  /* Yes, using a long for the nfiles variable is not quite kosher; it should
-+   * be an unsigned type, otherwise a large limit (say, RLIMIT_INFINITY)
-+   * might overflow the data type.  In that case, though, we want to know
-+   * about it -- and using a signed type, we will know if the overflowed
-+   * value is a negative number.  Chances are we do NOT want to be closing
-+   * fds whose value is as high as they can possibly get; that's too many
-+   * fds to iterate over.  Long story short, using a long int is just fine.
-+   * (Plus it makes mod_exec work on Mac OSX 10.4; without this tweak,
-+   * mod_exec's forked processes never return/exit.)
-+   */
-+
-+  if (nfiles < 0 ||
-+      nfiles > FSIO_MAX_FD_COUNT) {
-+    nfiles = FSIO_MAX_FD_COUNT;
-+  }
-+
-+  /* Close the "non-standard" file descriptors. */
-+  for (i = 3; i < nfiles; i++) {
-+    /* This is a potentially long-running loop, so handle signals. */
-+    pr_signals_handle();
-+    (void) close(i);
-+  }
-+}
-+
- /* Be generous in the maximum allowed number of dup fds, in our search for
-  * one that is outside the big three.
-  *
-Index: proftpd-dfsg-1.3.6/src/main.c
-===================================================================
---- proftpd-dfsg-1.3.6.orig/src/main.c	2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/src/main.c	2018-02-20 21:24:24.000000000 +0100
-@@ -2232,6 +2232,7 @@
- 
-   memset(&session, 0, sizeof(session));
- 
-+  pr_fs_close_extra_fds();
-   pr_proctitle_init(argc, argv, envp);
- 
-   /* Seed rand */
-Index: proftpd-dfsg-1.3.6/tests/api/fsio.c
-===================================================================
---- proftpd-dfsg-1.3.6.orig/tests/api/fsio.c	2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/tests/api/fsio.c	2018-02-20 21:24:24.000000000 +0100
-@@ -3888,6 +3888,12 @@
- }
- END_TEST
- 
-+START_TEST (fs_close_extra_fds_test) {
-+  mark_point();
-+  pr_fs_close_extra_fds();
-+}
-+END_TEST
-+
- START_TEST (fs_get_usable_fd_test) {
-   int fd, res;
- 
-@@ -4630,6 +4636,7 @@
-   tcase_add_test(testcase, fs_split_path_test);
-   tcase_add_test(testcase, fs_join_path_test);
-   tcase_add_test(testcase, fs_virtual_path_test);
-+  tcase_add_test(testcase, fs_close_extra_fds_test);
-   tcase_add_test(testcase, fs_get_usable_fd_test);
-   tcase_add_test(testcase, fs_get_usable_fd2_test);
-   tcase_add_test(testcase, fs_getsize_test);


=====================================
debian/patches/upstream_4312_fix_version deleted
=====================================
@@ -1,33 +0,0 @@
-From 4c1ebe8de771879e4cee005ee4fc9d96c82fc73b Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sun, 17 Sep 2017 21:56:40 -0700
-Subject: [PATCH] Merge pulled in a bad version check, breaking the build. 
- Caught by Travis.
-
----
- contrib/mod_exec.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/contrib/mod_exec.c b/contrib/mod_exec.c
-index cb4356659..844c93807 100644
---- a/contrib/mod_exec.c
-+++ b/contrib/mod_exec.c
-@@ -1,6 +1,6 @@
- /*
-  * ProFTPD: mod_exec -- a module for executing external scripts
-- * Copyright (c) 2002-2016 TJ Saunders
-+ * Copyright (c) 2002-2017 TJ Saunders
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -34,8 +34,8 @@
- #define MOD_EXEC_VERSION	"mod_exec/0.9.16"
- 
- /* Make sure the version of proftpd is as necessary. */
--#if PROFTPD_VERSION_NUMBER < 0x0001030701
--# error "ProFTPD 1.3.7rc1 or later required"
-+#if PROFTPD_VERSION_NUMBER < 0x0001030605
-+# error "ProFTPD 1.3.6 or later required"
- #endif
- 
- module exec_module;


=====================================
debian/patches/upstream_4335 deleted
=====================================
@@ -1,33 +0,0 @@
-From e25f45d2dad79cb4e2f9fe8d12484cf0b81df320 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Tue, 16 Jan 2018 04:55:23 -0800
-Subject: [PATCH] Bug #4335: mod_auth_otp fails to build with OpenSSL 1.1.x.
-
----
- contrib/mod_auth_otp/crypto.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/contrib/mod_auth_otp/crypto.c b/contrib/mod_auth_otp/crypto.c
-index c479d56d4..076a26693 100644
---- a/contrib/mod_auth_otp/crypto.c
-+++ b/contrib/mod_auth_otp/crypto.c
-@@ -1,6 +1,6 @@
- /*
-  * ProFTPD - mod_auth_otp OpenSSL interface
-- * Copyright (c) 2015-2017 TJ Saunders
-+ * Copyright (c) 2015-2018 TJ Saunders
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -50,10 +50,7 @@ void auth_otp_crypto_free(int flags) {
-     ERR_free_strings();
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10000001L
--# if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
--     !defined(HAVE_LIBRESSL)
--    ERR_remove_thread_state();
--# else
-+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
-     /* The ERR_remove_state(0) usage is deprecated due to thread ID
-      * differences among platforms; see the OpenSSL-1.0.0c CHANGES file
-      * for details.  So for new enough OpenSSL installations, use the


=====================================
debian/patches/upstream_4336 deleted
=====================================
@@ -1,276 +0,0 @@
-From 322939023a6a92c24176b51dba0ea42b5f57849a Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sun, 21 Jan 2018 13:12:47 -0800
-Subject: [PATCH] Bug #4336: Check for, and use, the necessary libraries for
- Memcache and Redis support.
-
----
- configure    | 217 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- configure.in |   5 ++
- 2 files changed, 221 insertions(+), 1 deletion(-)
-
-diff --git a/configure b/configure
-index ef7d236b3..61652baa3 100755
---- a/configure
-+++ b/configure
-@@ -16933,6 +16933,149 @@ fi
- 
- 
- if test x"$enable_memcache" = xyes; then
-+
-+{ echo "$as_me:$LINENO: checking for memcached_create in -lmemcached" >&5
-+echo $ECHO_N "checking for memcached_create in -lmemcached... $ECHO_C" >&6; }
-+if test "${ac_cv_lib_memcached_memcached_create+set}" = set; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  ac_check_lib_save_LIBS=$LIBS
-+LIBS="-lmemcached  $LIBS"
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+   Use char because int might match the return type of a GCC
-+   builtin and then its argument prototype would still apply.  */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char memcached_create ();
-+int
-+main ()
-+{
-+return memcached_create ();
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (ac_try="$ac_link"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+  (eval "$ac_link") 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } && {
-+	 test -z "$ac_c_werror_flag" ||
-+	 test ! -s conftest.err
-+       } && test -s conftest$ac_exeext &&
-+       $as_test_x conftest$ac_exeext; then
-+  ac_cv_lib_memcached_memcached_create=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+	ac_cv_lib_memcached_memcached_create=no
-+fi
-+
-+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-+      conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ echo "$as_me:$LINENO: result: $ac_cv_lib_memcached_memcached_create" >&5
-+echo "${ECHO_T}$ac_cv_lib_memcached_memcached_create" >&6; }
-+if test $ac_cv_lib_memcached_memcached_create = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBMEMCACHED 1
-+_ACEOF
-+
-+  LIBS="-lmemcached $LIBS"
-+
-+fi
-+
-+
-+{ echo "$as_me:$LINENO: checking for libmemcached_util_ping in -lmemcachedutil" >&5
-+echo $ECHO_N "checking for libmemcached_util_ping in -lmemcachedutil... $ECHO_C" >&6; }
-+if test "${ac_cv_lib_memcachedutil_libmemcached_util_ping+set}" = set; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  ac_check_lib_save_LIBS=$LIBS
-+LIBS="-lmemcachedutil  $LIBS"
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+   Use char because int might match the return type of a GCC
-+   builtin and then its argument prototype would still apply.  */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char libmemcached_util_ping ();
-+int
-+main ()
-+{
-+return libmemcached_util_ping ();
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (ac_try="$ac_link"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+  (eval "$ac_link") 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } && {
-+	 test -z "$ac_c_werror_flag" ||
-+	 test ! -s conftest.err
-+       } && test -s conftest$ac_exeext &&
-+       $as_test_x conftest$ac_exeext; then
-+  ac_cv_lib_memcachedutil_libmemcached_util_ping=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+	ac_cv_lib_memcachedutil_libmemcached_util_ping=no
-+fi
-+
-+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-+      conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ echo "$as_me:$LINENO: result: $ac_cv_lib_memcachedutil_libmemcached_util_ping" >&5
-+echo "${ECHO_T}$ac_cv_lib_memcachedutil_libmemcached_util_ping" >&6; }
-+if test $ac_cv_lib_memcachedutil_libmemcached_util_ping = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBMEMCACHEDUTIL 1
-+_ACEOF
-+
-+  LIBS="-lmemcachedutil $LIBS"
-+
-+fi
-+
-+
-   # Yes, we DO want mod_memcache AFTER the other modules in the static
-   # module list. Otherwise, the module load ordering will be such that
-   # memcache support will not work as expected
-@@ -16941,6 +17084,78 @@ if test x"$enable_memcache" = xyes; then
- fi
- 
- if test x"$enable_redis" = xyes; then
-+
-+{ echo "$as_me:$LINENO: checking for redisConnect in -lhiredis" >&5
-+echo $ECHO_N "checking for redisConnect in -lhiredis... $ECHO_C" >&6; }
-+if test "${ac_cv_lib_hiredis_redisConnect+set}" = set; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  ac_check_lib_save_LIBS=$LIBS
-+LIBS="-lhiredis  $LIBS"
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+   Use char because int might match the return type of a GCC
-+   builtin and then its argument prototype would still apply.  */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char redisConnect ();
-+int
-+main ()
-+{
-+return redisConnect ();
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (ac_try="$ac_link"
-+case "(($ac_try" in
-+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+  *) ac_try_echo=$ac_try;;
-+esac
-+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+  (eval "$ac_link") 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } && {
-+	 test -z "$ac_c_werror_flag" ||
-+	 test ! -s conftest.err
-+       } && test -s conftest$ac_exeext &&
-+       $as_test_x conftest$ac_exeext; then
-+  ac_cv_lib_hiredis_redisConnect=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+	ac_cv_lib_hiredis_redisConnect=no
-+fi
-+
-+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-+      conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ echo "$as_me:$LINENO: result: $ac_cv_lib_hiredis_redisConnect" >&5
-+echo "${ECHO_T}$ac_cv_lib_hiredis_redisConnect" >&6; }
-+if test $ac_cv_lib_hiredis_redisConnect = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBHIREDIS 1
-+_ACEOF
-+
-+  LIBS="-lhiredis $LIBS"
-+
-+fi
-+
-+
-   # Yes, we DO want mod_redis AFTER the other modules in the static
-   # module list. Otherwise, the module load ordering will be such that
-   # Redis support will not work as expected.
-@@ -18145,7 +18360,7 @@ else
-   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<_LT_EOF
--#line 18148 "configure"
-+#line 18363 "configure"
- #include "confdefs.h"
- 
- #if HAVE_DLFCN_H
-diff --git a/configure.in b/configure.in
-index f99596d49..fe3d1ab0c 100644
---- a/configure.in
-+++ b/configure.in
-@@ -411,6 +411,9 @@ AC_ARG_WITH(modules,
- 
- dnl Memcache
- if test x"$enable_memcache" = xyes; then
-+  AC_CHECK_LIB(memcached, memcached_create)
-+  AC_CHECK_LIB(memcachedutil, libmemcached_util_ping)
-+
-   # Yes, we DO want mod_memcache AFTER the other modules in the static
-   # module list. Otherwise, the module load ordering will be such that
-   # memcache support will not work as expected
-@@ -420,6 +423,8 @@ fi
- 
- dnl Redis
- if test x"$enable_redis" = xyes; then
-+  AC_CHECK_LIB(hiredis, redisConnect)
-+
-   # Yes, we DO want mod_redis AFTER the other modules in the static
-   # module list. Otherwise, the module load ordering will be such that
-   # Redis support will not work as expected.


=====================================
debian/patches/upstream_4356 deleted
=====================================
@@ -1,28 +0,0 @@
-From 22b689901775d1129530e8329556d32bae878125 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Wed, 8 Aug 2018 11:15:21 -0700
-Subject: [PATCH 1/2] Bug#4356: Fix infinite loop by actually iterating properly for the next configuration record.  Oops.
-
----
- contrib/mod_sftp/mod_sftp.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- proftpd-dfsg.orig/contrib/mod_sftp/mod_sftp.c
-+++ proftpd-dfsg/contrib/mod_sftp/mod_sftp.c
-@@ -1,6 +1,6 @@
- /*
-  * ProFTPD - mod_sftp
-- * Copyright (c) 2008-2017 TJ Saunders
-+ * Copyright (c) 2008-2018 TJ Saunders
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -1211,6 +1211,8 @@
-           insecure_hostkey_perms = TRUE;
-           break;
-         }
-+
-+        c = find_config_next(c, c->next, CONF_PARAM, "SFTPOptions", FALSE);
-       }
- 
-       if (insecure_hostkey_perms) {


=====================================
debian/patches/upstream_4372_CVE-2019-12815.diff deleted
=====================================
@@ -1,376 +0,0 @@
-From 71cd49ea82313f78d52a52d0c628a3770dc96608 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Wed, 17 Jul 2019 09:25:31 -0700
-Subject: [PATCH] Bug #4372: Ensure that mod_copy checks for <Limits> for its
- SITE CPFR/CPTO commands.
-
----
- contrib/mod_copy.c                            |  36 ++-
- tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm | 253 +++++++++++++++++-
- 2 files changed, 285 insertions(+), 4 deletions(-)
-
-diff --git a/contrib/mod_copy.c b/contrib/mod_copy.c
-index 26b72a91d..c8672c40d 100644
---- a/contrib/mod_copy.c
-+++ b/contrib/mod_copy.c
-@@ -1,7 +1,7 @@
- /*
-  * ProFTPD: mod_copy -- a module supporting copying of files on the server
-  *                      without transferring the data to the client and back
-- * Copyright (c) 2009-2016 TJ Saunders
-+ * Copyright (c) 2009-2019 TJ Saunders
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -657,7 +657,7 @@ MODRET copy_copy(cmd_rec *cmd) {
- MODRET copy_cpfr(cmd_rec *cmd) {
-   register unsigned int i;
-   int res;
--  char *path = "";
-+  char *cmd_name, *path = "";
-   unsigned char *authenticated = NULL;
- 
-   if (copy_engine == FALSE) {
-@@ -705,6 +705,21 @@ MODRET copy_cpfr(cmd_rec *cmd) {
-     path = pstrcat(cmd->tmp_pool, path, *path ? " " : "", decoded_path, NULL);
-   }
- 
-+  cmd_name = cmd->argv[0];
-+  pr_cmd_set_name(cmd, "SITE_CPFR");
-+  if (!dir_check(cmd->tmp_pool, cmd, G_READ, path, NULL)) {
-+    int xerrno = EPERM;
-+
-+    pr_cmd_set_name(cmd, cmd_name);
-+    pr_response_add_err(R_550, "%s: %s", (char *) cmd->argv[3],
-+      strerror(xerrno));
-+
-+    pr_cmd_set_errno(cmd, xerrno);
-+    errno = xerrno;
-+    return PR_ERROR(cmd);
-+  }
-+  pr_cmd_set_name(cmd, cmd_name);
-+
-   res = pr_filter_allow_path(CURRENT_CONF, path);
-   switch (res) {
-     case 0:
-@@ -758,6 +773,7 @@ MODRET copy_cpfr(cmd_rec *cmd) {
- MODRET copy_cpto(cmd_rec *cmd) {
-   register unsigned int i;
-   const char *from, *to = "";
-+  char *cmd_name;
-   unsigned char *authenticated = NULL;
- 
-   if (copy_engine == FALSE) {
-@@ -816,6 +832,20 @@ MODRET copy_cpto(cmd_rec *cmd) {
- 
-   to = dir_canonical_vpath(cmd->tmp_pool, to);
- 
-+  cmd_name = cmd->argv[0];
-+  pr_cmd_set_name(cmd, "SITE_CPTO");
-+  if (!dir_check(cmd->tmp_pool, cmd, G_WRITE, to, NULL)) {
-+    int xerrno = EPERM;
-+
-+    pr_cmd_set_name(cmd, cmd_name);
-+    pr_response_add_err(R_550, "%s: %s", to, strerror(xerrno));
-+
-+    pr_cmd_set_errno(cmd, xerrno);
-+    errno = xerrno;
-+    return PR_ERROR(cmd);
-+  }
-+  pr_cmd_set_name(cmd, cmd_name);
-+
-   if (copy_paths(cmd->tmp_pool, from, to) < 0) {
-     int xerrno = errno;
-     const char *err_code = R_550;
-@@ -940,7 +970,7 @@ static conftable copy_conftab[] = {
- 
- static cmdtable copy_cmdtab[] = {
-   { CMD, 	C_SITE, G_WRITE,	copy_copy,	FALSE,	FALSE, CL_MISC },
--  { CMD, 	C_SITE, G_DIRS,		copy_cpfr,	FALSE,	FALSE, CL_MISC },
-+  { CMD, 	C_SITE, G_READ,		copy_cpfr,	FALSE,	FALSE, CL_MISC },
-   { CMD, 	C_SITE, G_WRITE,	copy_cpto,	FALSE,	FALSE, CL_MISC },
-   { POST_CMD,	C_PASS,	G_NONE,		copy_post_pass, FALSE,	FALSE },
-   { LOG_CMD, 	C_SITE, G_NONE,		copy_log_site,	FALSE,	FALSE },
-diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-index 778bff839..2018e71bc 100644
---- a/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-+++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-@@ -121,6 +121,15 @@ my $TESTS = {
-     test_class => [qw(bug forking)],
-   },
- 
-+  copy_cpfr_config_limit_read_bug4372 => {
-+    order => ++$order,
-+    test_class => [qw(bug forking)],
-+  },
-+
-+  copy_cpto_config_limit_write_bug4372 => {
-+    order => ++$order,
-+    test_class => [qw(bug forking)],
-+  },
- };
- 
- sub new {
-@@ -3248,6 +3257,12 @@ sub copy_config_limit_bug3399 {
- 
-   my ($port, $config_user, $config_group) = config_write($config_file, $config);
- 
-+  my $config_subdir = $sub_dir;
-+  if ($^O eq 'darwin') {
-+    # MacOSX hack
-+    $config_subdir = '/private' . $sub_dir;
-+  }
-+
-   if (open(my $fh, ">> $config_file")) {
-     print $fh <<EOC;
- <Directory />
-@@ -3256,7 +3271,7 @@ sub copy_config_limit_bug3399 {
-   </Limit>
- </Directory>
- 
--<Directory $sub_dir>
-+<Directory $config_subdir>
-   <Limit WRITE>
-     AllowAll
-   </Limit>
-@@ -3652,4 +3667,240 @@ sub copy_cpto_timeout_bug4263 {
-   test_cleanup($setup->{log_file}, $ex);
- }
- 
-+sub copy_cpfr_config_limit_read_bug4372 {
-+  my $self = shift;
-+  my $tmpdir = $self->{tmpdir};
-+  my $setup = test_setup($tmpdir, 'copy');
-+
-+  my $src_file = File::Spec->rel2abs("$tmpdir/foo.dat");
-+  if (open(my $fh, "> $src_file")) {
-+    unless (close($fh)) {
-+      die("Can't write $src_file: $!");
-+    }
-+
-+  } else {
-+    die("Can't open $src_file: $!");
-+  }
-+
-+  my $config = {
-+    PidFile => $setup->{pid_file},
-+    ScoreboardFile => $setup->{scoreboard_file},
-+    SystemLog => $setup->{log_file},
-+    TraceLog => $setup->{log_file},
-+    Trace => 'copy:20 timer:20',
-+
-+    AuthUserFile => $setup->{auth_user_file},
-+    AuthGroupFile => $setup->{auth_group_file},
-+    TimeoutIdle => 3,
-+
-+    IfModules => {
-+      'mod_delay.c' => {
-+        DelayEngine => 'off',
-+      },
-+    },
-+  };
-+
-+  my ($port, $config_user, $config_group) = config_write($setup->{config_file},
-+    $config);
-+
-+  if (open(my $fh, ">> $setup->{config_file}")) {
-+    print $fh <<EOC;
-+<Directory />
-+  <Limit READ>
-+    DenyAll
-+  </Limit>
-+</Directory>
-+EOC
-+    unless (close($fh)) {
-+      die("Can't write $setup->{config_file}: $!");
-+    }
-+
-+  } else {
-+    die("Can't open $setup->{config_file}: $!");
-+  }
-+
-+  # Open pipes, for use between the parent and child processes.  Specifically,
-+  # the child will indicate when it's done with its test by writing a message
-+  # to the parent.
-+  my ($rfh, $wfh);
-+  unless (pipe($rfh, $wfh)) {
-+    die("Can't open pipe: $!");
-+  }
-+
-+  my $ex;
-+
-+  # Fork child
-+  $self->handle_sigchld();
-+  defined(my $pid = fork()) or die("Can't fork: $!");
-+  if ($pid) {
-+    eval {
-+      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 1);
-+      $client->login($setup->{user}, $setup->{passwd});
-+
-+      eval { $client->site('CPFR', 'foo.dat') };
-+      unless ($@) {
-+        die("SITE CPFR succeeded unexpectedly");
-+      }
-+
-+      my $resp_code = $client->response_code();
-+      my $resp_msg = $client->response_msg();
-+
-+      my $expected = 550;
-+      $self->assert($expected == $resp_code,
-+        test_msg("Expected response code $expected, got $resp_code"));
-+
-+      $expected = 'Operation not permitted';
-+      $self->assert(qr/$expected/, $resp_msg,
-+        test_msg("Expected response message '$expected', got '$resp_msg'"));
-+
-+      $client->quit();
-+    };
-+    if ($@) {
-+      $ex = $@;
-+    }
-+
-+    $wfh->print("done\n");
-+    $wfh->flush();
-+
-+  } else {
-+    eval { server_wait($setup->{config_file}, $rfh, 30) };
-+    if ($@) {
-+      warn($@);
-+      exit 1;
-+    }
-+
-+    exit 0;
-+  }
-+
-+  # Stop server
-+  server_stop($setup->{pid_file});
-+  $self->assert_child_ok($pid);
-+
-+  test_cleanup($setup->{log_file}, $ex);
-+}
-+
-+sub copy_cpto_config_limit_write_bug4372 {
-+  my $self = shift;
-+  my $tmpdir = $self->{tmpdir};
-+  my $setup = test_setup($tmpdir, 'copy');
-+
-+  my $src_file = File::Spec->rel2abs("$tmpdir/foo.dat");
-+  if (open(my $fh, "> $src_file")) {
-+    unless (close($fh)) {
-+      die("Can't write $src_file: $!");
-+    }
-+
-+  } else {
-+    die("Can't open $src_file: $!");
-+  }
-+
-+  my $dst_file = File::Spec->rel2abs("$tmpdir/bar.dat");
-+
-+  my $config = {
-+    PidFile => $setup->{pid_file},
-+    ScoreboardFile => $setup->{scoreboard_file},
-+    SystemLog => $setup->{log_file},
-+    TraceLog => $setup->{log_file},
-+    Trace => 'copy:20 timer:20',
-+
-+    AuthUserFile => $setup->{auth_user_file},
-+    AuthGroupFile => $setup->{auth_group_file},
-+    TimeoutIdle => 3,
-+
-+    IfModules => {
-+      'mod_delay.c' => {
-+        DelayEngine => 'off',
-+      },
-+    },
-+  };
-+
-+  my ($port, $config_user, $config_group) = config_write($setup->{config_file},
-+    $config);
-+
-+  if (open(my $fh, ">> $setup->{config_file}")) {
-+    print $fh <<EOC;
-+<Directory />
-+  <Limit WRITE>
-+    DenyAll
-+  </Limit>
-+</Directory>
-+EOC
-+    unless (close($fh)) {
-+      die("Can't write $setup->{config_file}: $!");
-+    }
-+
-+  } else {
-+    die("Can't open $setup->{config_file}: $!");
-+  }
-+
-+  # Open pipes, for use between the parent and child processes.  Specifically,
-+  # the child will indicate when it's done with its test by writing a message
-+  # to the parent.
-+  my ($rfh, $wfh);
-+  unless (pipe($rfh, $wfh)) {
-+    die("Can't open pipe: $!");
-+  }
-+
-+  my $ex;
-+
-+  # Fork child
-+  $self->handle_sigchld();
-+  defined(my $pid = fork()) or die("Can't fork: $!");
-+  if ($pid) {
-+    eval {
-+      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 1);
-+      $client->login($setup->{user}, $setup->{passwd});
-+
-+      my ($resp_code, $resp_msg) = $client->site('CPFR', 'foo.dat');
-+
-+      my $expected = 350;
-+      $self->assert($expected == $resp_code,
-+        test_msg("Expected response code $expected, got $resp_code"));
-+
-+      $expected = 'File or directory exists, ready for destination name';
-+      $self->assert($expected eq $resp_msg,
-+        test_msg("Expected response message '$expected', got '$resp_msg'"));
-+
-+      eval { $client->site('CPTO', 'bar.dat') };
-+      unless ($@) {
-+        die('SITE CPTO succeeded unexpectedly');
-+      }
-+
-+      my $resp_code = $client->response_code();
-+      my $resp_msg = $client->response_msg();
-+
-+      my $expected = 550;
-+      $self->assert($expected == $resp_code,
-+        test_msg("Expected response code $expected, got $resp_code"));
-+
-+      $expected = 'Operation not permitted';
-+      $self->assert(qr/$expected/, $resp_msg,
-+        test_msg("Expected response message '$expected', got '$resp_msg'"));
-+
-+      $client->quit();
-+    };
-+    if ($@) {
-+      $ex = $@;
-+    }
-+
-+    $wfh->print("done\n");
-+    $wfh->flush();
-+
-+  } else {
-+    eval { server_wait($setup->{config_file}, $rfh, 30) };
-+    if ($@) {
-+      warn($@);
-+      exit 1;
-+    }
-+
-+    exit 0;
-+  }
-+
-+  # Stop server
-+  server_stop($setup->{pid_file});
-+  $self->assert_child_ok($pid);
-+
-+  test_cleanup($setup->{log_file}, $ex);
-+}
-+
- 1;


=====================================
debian/patches/upstream_4385 deleted
=====================================
@@ -1,147 +0,0 @@
-From 7f2f0ab15909c470cabb892e3c2a17803a439bee Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Tue, 21 Jan 2020 11:09:08 -0800
-Subject: [PATCH] Bug #4385: When handling the `keyboard-interactive`
- authentication mechanism, as used for _e.g._ PAM, make sure to properly
- handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253.
-
----
- contrib/mod_sftp/kbdint.c | 99 ++++++++++++++++++++++++++++++---------
- 1 file changed, 76 insertions(+), 23 deletions(-)
-
-diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
-index 6900f4dfc..98b0a28af 100644
---- a/contrib/mod_sftp/kbdint.c
-+++ b/contrib/mod_sftp/kbdint.c
-@@ -1,6 +1,6 @@
- /*
-  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
-- * Copyright (c) 2008-2017 TJ Saunders
-+ * Copyright (c) 2008-2020 TJ Saunders
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -254,6 +254,77 @@ int sftp_kbdint_send_challenge(const char *user, const char *instruction,
-   return res;
- }
- 
-+static struct ssh2_packet *read_response_packet(pool *p) {
-+  struct ssh2_packet *pkt = NULL;
-+
-+  /* Keep looping until we get the desired message, or we time out. */
-+  while (pkt == NULL) {
-+    int res;
-+    char mesg_type;
-+
-+    pr_signals_handle();
-+
-+    pkt = sftp_ssh2_packet_create(kbdint_pool);
-+    res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
-+    if (res < 0) {
-+      int xerrno = errno;
-+
-+      destroy_pool(pkt->pool);
-+
-+      errno = xerrno;
-+      return NULL;
-+    }
-+
-+    pr_response_clear(&resp_list);
-+    pr_response_clear(&resp_err_list);
-+
-+    /* Per RFC 4253, Section 11, DEBUG, DISCONNECT, IGNORE, and UNIMPLEMENTED
-+     * messages can occur at any time, even during KEX.  We have to be prepared
-+     * for this, and Do The Right Thing(tm).
-+     */
-+
-+    mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
-+
-+    switch (mesg_type) {
-+      case SFTP_SSH2_MSG_DEBUG:
-+        sftp_ssh2_packet_handle_debug(pkt);
-+        pkt = NULL;
-+        break;
-+
-+      case SFTP_SSH2_MSG_DISCONNECT:
-+        sftp_ssh2_packet_handle_disconnect(pkt);
-+        pkt = NULL;
-+        break;
-+
-+      case SFTP_SSH2_MSG_IGNORE:
-+        sftp_ssh2_packet_handle_ignore(pkt);
-+        pkt = NULL;
-+        break;
-+
-+      case SFTP_SSH2_MSG_UNIMPLEMENTED:
-+        sftp_ssh2_packet_handle_unimplemented(pkt);
-+        pkt = NULL;
-+        break;
-+
-+      case SFTP_SSH2_MSG_USER_AUTH_INFO_RESP:
-+        pr_trace_msg(trace_channel, 13,
-+          "received expected %s message",
-+          sftp_ssh2_packet_get_mesg_type_desc(mesg_type));
-+        break;
-+
-+      default:
-+        (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-+          "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
-+          sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
-+        destroy_pool(pkt->pool);
-+        errno = EPERM;
-+        return NULL;
-+    }
-+  }
-+
-+  return pkt;
-+}
-+
- int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
-     uint32_t *rcvd_count, const char ***responses) {
-   register unsigned int i;
-@@ -261,8 +332,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
-   cmd_rec *cmd;
-   array_header *list;
-   uint32_t buflen, resp_count;
--  struct ssh2_packet *pkt;
--  char mesg_type;
-+  struct ssh2_packet *pkt = NULL;
-   int res;
-   pool *resp_pool = NULL;
- 
-@@ -273,32 +343,15 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
-     return -1;
-   }
- 
--  pkt = sftp_ssh2_packet_create(kbdint_pool);
--
--  res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
--  if (res < 0) {
--    destroy_pool(pkt->pool);
--    return res;
-+  pkt = read_response_packet(p);
-+  if (pkt == NULL) {
-+    return -1;
-   }
- 
--  pr_response_clear(&resp_list);
--  pr_response_clear(&resp_err_list);
--
-   /* Cache a reference to the current response pool used. */
-   resp_pool = pr_response_get_pool();
-   pr_response_set_pool(pkt->pool);
- 
--  mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
--  if (mesg_type != SFTP_SSH2_MSG_USER_AUTH_INFO_RESP) {
--    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
--      "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
--      sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
--    destroy_pool(pkt->pool);
--    pr_response_set_pool(resp_pool);
--    errno = EPERM;
--    return -1;
--  }
--
-   cmd = pr_cmd_alloc(pkt->pool, 2, pstrdup(pkt->pool, "USER_AUTH_INFO_RESP"));
-   cmd->arg = "(data)";
- 


=====================================
debian/patches/upstream_pull_567 deleted
=====================================
@@ -1,176 +0,0 @@
-From 1fb36bcbf7c214aa146875420de12f5407107672 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Fri, 1 Sep 2017 23:08:41 -0700
-Subject: [PATCH] Bug#4314: When retrieving the appropriate <Anonymous> section
- for a client, the configured User/Group retrieved were from the parent
- section, not the retrieved <Anonymous> section.  This appeared to cause
- regressions when "AuthAliasOnly on" was used.  Let's hope that _this_ change
- does not itself cause regressions.
-
-The whole AuthAliasOnly is so buggy/fragile it should be removed entirely.
----
- modules/mod_auth.c                            |   5 +
- src/auth.c                                    |   8 ++
- .../lib/ProFTPD/Tests/Config/AuthAliasOnly.pm | 113 ++++++++++++++++++
- 3 files changed, 126 insertions(+)
-
---- proftpd-dfsg.orig/modules/mod_auth.c
-+++ proftpd-dfsg/modules/mod_auth.c
-@@ -1039,6 +1039,11 @@
-   origuser = user;
-   c = pr_auth_get_anon_config(p, &user, &ourname, &anonname);
-   if (c != NULL) {
-+    pr_trace_msg("auth", 13,
-+      "found <Anonymous> config: login user = %s, config user = %s, "
-+      "anon name = %s", user != NULL ? user : "(null)",
-+      ourname != NULL ? ourname : "(null)",
-+      anonname != NULL ? anonname : "(null)");
-     session.anon_config = c;
-   }
- 
---- proftpd-dfsg.orig/src/auth.c
-+++ proftpd-dfsg/src/auth.c
-@@ -1784,6 +1784,14 @@
-     }
-   }
- 
-+  if (anon_config != NULL) {
-+    config_user_name = get_param_ptr(anon_config->subset, "UserName", FALSE);
-+    if (config_user_name != NULL &&
-+        real_user != NULL) {
-+      *real_user = config_user_name;
-+    }
-+  }
-+
-   return anon_config;
- }
- 
---- proftpd-dfsg.orig/tests/t/lib/ProFTPD/Tests/Config/AuthAliasOnly.pm
-+++ proftpd-dfsg/tests/t/lib/ProFTPD/Tests/Config/AuthAliasOnly.pm
-@@ -40,6 +40,11 @@
-     test_class => [qw(bug forking rootprivs)],
-   },
- 
-+  authaliasonly_on_anon_bug4314 => {
-+    order => ++$order,
-+    test_class => [qw(bug forking rootprivs)],
-+  },
-+
- };
- 
- sub new {
-@@ -626,6 +631,114 @@
-     if ($@) {
-       $ex = $@;
-     }
-+
-+    $wfh->print("done\n");
-+    $wfh->flush();
-+
-+  } else {
-+    eval { server_wait($setup->{config_file}, $rfh) };
-+    if ($@) {
-+      warn($@);
-+      exit 1;
-+    }
-+
-+    exit 0;
-+  }
-+
-+  # Stop server
-+  server_stop($setup->{pid_file});
-+  $self->assert_child_ok($pid);
-+
-+  test_cleanup($setup->{log_file}, $ex);
-+}
-+
-+sub authaliasonly_on_anon_bug4314 {
-+  my $self = shift;
-+  my $tmpdir = $self->{tmpdir};
-+  my $setup = test_setup($tmpdir, 'config');
-+
-+  my ($config_user, $config_group) = config_get_identity();
-+
-+  my $config = {
-+    PidFile => $setup->{pid_file},
-+    ScoreboardFile => $setup->{scoreboard_file},
-+    SystemLog => $setup->{log_file},
-+    TraceLog => $setup->{log_file},
-+    Trace => 'auth:20',
-+
-+    User => $config_user,
-+    Group => $config_group,
-+
-+    AuthUserFile => $setup->{auth_user_file},
-+    AuthGroupFile => $setup->{auth_group_file},
-+    AuthOrder => 'mod_auth_file.c',
-+
-+    Anonymous => {
-+      $setup->{home_dir} => {
-+        User => $setup->{user},
-+        Group => $setup->{group},
-+        RequireValidShell => 'off',
-+        UserAlias => "anonymous $setup->{user}",
-+        AuthAliasOnly => 'on',
-+        AnonRequirePassword => 'off',
-+      },
-+    },
-+
-+    IfModules => {
-+      'mod_delay.c' => {
-+        DelayEngine => 'off',
-+      },
-+    },
-+  };
-+
-+  my $port;
-+  ($port, $config_user, $config_group) = config_write($setup->{config_file},
-+    $config);
-+
-+  # Open pipes, for use between the parent and child processes.  Specifically,
-+  # the child will indicate when it's done with its test by writing a message
-+  # to the parent.
-+  my ($rfh, $wfh);
-+  unless (pipe($rfh, $wfh)) {
-+    die("Can't open pipe: $!");
-+  }
-+
-+  my $ex;
-+
-+  # Fork child
-+  $self->handle_sigchld();
-+  defined(my $pid = fork()) or die("Can't fork: $!");
-+  if ($pid) {
-+    eval {
-+      sleep(1);
-+
-+      # First, try logging in as user 'anonymous', i.e. the alias.
-+      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 1);
-+      my ($resp_code, $resp_msg) = $client->user("anonymous");
-+
-+      my $expected = 331;
-+      $self->assert($expected == $resp_code,
-+        "Expected response code $expected, got $resp_code");
-+
-+      $expected = 'Anonymous login ok, send your complete email address as your password';
-+      $self->assert($expected eq $resp_msg,
-+        "Expected response message '$expected', got '$resp_msg'");
-+
-+      ($resp_code, $resp_msg) = $client->pass('ftp at nospam.org');
-+
-+      $expected = 230;
-+      $self->assert($expected == $resp_code,
-+        "Expected response code $expected, got $resp_code");
-+
-+      $expected = 'Anonymous access granted, restrictions apply';
-+      $self->assert($expected eq $resp_msg,
-+        "Expected response message '$expected', got '$resp_msg'");
-+
-+      $client->quit();
-+    };
-+    if ($@) {
-+      $ex = $@;
-+    }
- 
-     $wfh->print("done\n");
-     $wfh->flush();


=====================================
debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 deleted
=====================================
@@ -1,35 +0,0 @@
-From 81cc5dce4fc0285629a1b08a07a109af10c208dd Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sun, 24 Nov 2019 14:03:54 -0800
-Subject: [PATCH] Issue #859, #861: Fix handling of CRL lookups by properly
- using issuer for lookups, and guarding against null pointers.
-
----
- contrib/mod_tls.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- proftpd-dfsg.orig/contrib/mod_tls.c
-+++ proftpd-dfsg/contrib/mod_tls.c
-@@ -9065,10 +9065,10 @@
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-     !defined(HAVE_LIBRESSL)
--  crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
-+  crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
- #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
-       !defined(HAVE_LIBRESSL)
--  crls = X509_STORE_get1_crls(store_ctx, subject);
-+  crls = X509_STORE_get1_crls(store_ctx, issuer);
- #else
-   /* Your OpenSSL is before 1.0.0.  You really need to upgrade. */
-   crls = NULL;
-@@ -9087,6 +9087,9 @@
-         ASN1_INTEGER *sn;
- 
-         revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
-+        if (revoked == NULL) {
-+          continue;
-+        }
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-     !defined(HAVE_LIBRESSL)
-         sn = X509_REVOKED_get0_serialNumber(revoked);



View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/cb38485e59579c593362c005e863020b80b815d0
