[Git][debian-proftpd-team/proftpd][master] Finalize changelog for upload.
Hilmar Preuße
gitlab at salsa.debian.org
Thu Jul 23 06:58:18 BST 2020
Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd
Commits:
cb38485e by Hilmar Preusse at 2020-07-23T07:57:24+02:00
Finalize changelog for upload.
- - - - -
15 changed files:
- debian/changelog
- − debian/patches/github_pr_594
- − debian/patches/github_pr_710
- − debian/patches/issue_846_CVE-2019-18217.diff
- − debian/patches/quotatab_modules
- debian/patches/series
- − debian/patches/upstream_4312
- − debian/patches/upstream_4312_fix_version
- − debian/patches/upstream_4335
- − debian/patches/upstream_4336
- − debian/patches/upstream_4356
- − debian/patches/upstream_4372_CVE-2019-12815.diff
- − debian/patches/upstream_4385
- − debian/patches/upstream_pull_567
- − debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
Changes:
=====================================
debian/changelog
=====================================
@@ -1,20 +1,21 @@
-proftpd-dfsg (1.3.7a-1) UNRELEASED; urgency=medium
+proftpd-dfsg (1.3.7a-1) unstable; urgency=medium
New upstream release 1.3.7a:
- * Patches obsoleted, applied upstream: reproducible_build, spelling_errors
- * Patches obsoleted, not bundled libcap: mod_cap
- * Remove intermediate patches for security issues.
+ * Patches obsoleted
+ - applied upstream: reproducible_build, spelling_errors
+ - bundled libcap removed: mod_cap
+ * Disable/Remove intermediate patches for security issues.
Debian adaptions:
* d/clean reduced, clean handed over to upstream.
- * Enable all modules available (and compilable) in 1.3.7a.
- (Closes: #965051)
+ * Enable all modules available (and compilable) in 1.3.7a
+ (Closes: #965051).
+ * Compile and link with libsodium for better crypto support.
- * Add support for libsodium.
* Install xferstats.holger-preiss the Debian way; using dh-exec.
* Raise debhelper compat Level to 10.
- -- Hilmar Preusse <hille42 at web.de> Tue, 14 Jul 2020 21:32:06 +0000
+ -- Hilmar Preusse <hille42 at web.de> Thu, 23 Jul 2020 07:53:17 +0200
proftpd-dfsg (1.3.6c-3) unstable; urgency=medium
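Review bot: The added entry `* Disable/Remove intermediate patches for security issues.` does not say which security backports are being dropped. Going by the patch file names deleted in this commit, they cover CVE-2019-12815, CVE-2019-18217, CVE-2019-19269 and CVE-2019-19270. Whether 1.3.7a contains all of those fixes is not visible on this page and should be confirmed against the upstream release notes before the upload. Naming them under that entry, for example `- fixed upstream: CVE-2019-12815, CVE-2019-18217, CVE-2019-19269, CVE-2019-19270`, would show anyone auditing the package that the removal is deliberate.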
=====================================
debian/patches/github_pr_594 deleted
=====================================
@@ -1,97 +0,0 @@
-From ceed3cb3dea993e05d8651646213a94a6d1b5271 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Mon, 25 Sep 2017 12:57:37 -0700
-Subject: [PATCH] Issue #593: If the IgnoreExtendedAttributes FSOption is used,
- then do not include the EXTENDED attribute flag in the SFTP ATTRS responses.
-
----
- contrib/mod_sftp/fxp.c | 36 +++++++++++++++++++++++++++++++++---
- 1 file changed, 33 insertions(+), 3 deletions(-)
-
---- proftpd-dfsg.orig/contrib/mod_sftp/fxp.c
-+++ proftpd-dfsg/contrib/mod_sftp/fxp.c
-@@ -297,6 +297,8 @@
- static pool *fxp_pool = NULL;
- static int fxp_use_gmt = TRUE;
-
-+/* FSOptions */
-+static unsigned long fxp_fsio_opts = 0UL;
- static unsigned int fxp_min_client_version = 1;
- static unsigned int fxp_max_client_version = 6;
- static unsigned int fxp_utf8_protocol_version = 4;
-@@ -7453,6 +7455,11 @@
- pr_trace_msg(trace_channel, 7, "received request: FSTAT %s", name);
- attr_flags = SSH2_FX_ATTR_SIZE|SSH2_FX_ATTR_UIDGID|SSH2_FX_ATTR_PERMISSIONS|
- SSH2_FX_ATTR_ACMODTIME;
-+#ifdef PR_USE_XATTR
-+ if (!(fxp_fsio_opts & PR_FSIO_OPT_IGNORE_XATTR)) {
-+ attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+ }
-+#endif /* PR_USE_XATTR */
- }
-
- fxb = pcalloc(fxp->pool, sizeof(struct fxp_buffer));
-@@ -7603,6 +7610,7 @@
- uint32_t buflen, bufsz;
- struct fxp_packet *resp;
- cmd_rec *cmd;
-+ config_rec *c;
-
- fxp_session->client_version = sftp_msg_read_int(fxp->pool, &fxp->payload,
- &fxp->payload_sz);
-@@ -7692,6 +7700,22 @@
-
- fxp_version_add_openssh_exts(fxp->pool, &buf, &buflen);
-
-+ /* Look up the FSOptions here, for use later (Issue #593). We do not need
-+ * set these for the FSIO API; that is already done by mod_core. Instead,
-+ * we look them up for ourselves, for our own consumption/use.
-+ */
-+ c = find_config(main_server->conf, CONF_PARAM, "FSOptions", FALSE);
-+ while (c != NULL) {
-+ unsigned long opts = 0;
-+
-+ pr_signals_handle();
-+
-+ opts = *((unsigned long *) c->argv[0]);
-+ fxp_fsio_opts |= opts;
-+
-+ c = find_config_next(c, c->next, CONF_PARAM, "FSOptions", FALSE);
-+ }
-+
- pr_event_generate("mod_sftp.sftp.protocol-version",
- &(fxp_session->client_version));
-
-@@ -8142,7 +8166,9 @@
- attr_flags = SSH2_FX_ATTR_SIZE|SSH2_FX_ATTR_UIDGID|SSH2_FX_ATTR_PERMISSIONS|
- SSH2_FX_ATTR_ACMODTIME;
- #ifdef PR_USE_XATTR
-- attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+ if (!(fxp_fsio_opts & PR_FSIO_OPT_IGNORE_XATTR)) {
-+ attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+ }
- #endif /* PR_USE_XATTR */
- }
-
-@@ -10352,7 +10378,9 @@
- * to protocol version 6 clients.
- */
- #ifdef PR_USE_XATTR
-- attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+ if (!(fxp_fsio_opts & PR_FSIO_OPT_IGNORE_XATTR)) {
-+ attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+ }
- #endif /* PR_USE_XATTR */
- }
-
-@@ -12208,7 +12236,9 @@
- attr_flags = SSH2_FX_ATTR_SIZE|SSH2_FX_ATTR_UIDGID|SSH2_FX_ATTR_PERMISSIONS|
- SSH2_FX_ATTR_ACMODTIME;
- #ifdef PR_USE_XATTR
-- attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+ if (!(fxp_fsio_opts & PR_FSIO_OPT_IGNORE_XATTR)) {
-+ attr_flags |= SSH2_FX_ATTR_EXTENDED;
-+ }
- #endif /* PR_USE_XATTR */
- }
-
=====================================
debian/patches/github_pr_710 deleted
=====================================
@@ -1,58 +0,0 @@
-From e2f77c00e217eeb94459e104322b9a7d02c257e0 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sun, 27 May 2018 16:11:24 -0700
-Subject: [PATCH] Issue #674: Update mod_sftp to handle changed APIs in OpenSSL
- 1.1.x releases.
-
----
- contrib/mod_sftp/keys.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/contrib/mod_sftp/keys.c b/contrib/mod_sftp/keys.c
-index 4a3c460db..efd1ff981 100644
---- a/contrib/mod_sftp/keys.c
-+++ b/contrib/mod_sftp/keys.c
-@@ -1,6 +1,6 @@
- /*
- * ProFTPD - mod_sftp key mgmt (keys)
-- * Copyright (c) 2008-2017 TJ Saunders
-+ * Copyright (c) 2008-2018 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -2780,7 +2780,7 @@ static const unsigned char *dsa_sign_data(pool *p, const unsigned char *data,
-
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(HAVE_LIBRESSL)
-- DSA_SIG_get0(&sig_r, &sig_s, sig);
-+ DSA_SIG_get0(sig, &sig_r, &sig_s);
- #else
- sig_r = sig->r;
- sig_s = sig->s;
-@@ -2960,7 +2960,7 @@ static const unsigned char *ecdsa_sign_data(pool *p, const unsigned char *data,
-
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(HAVE_LIBRESSL)
-- ECDSA_SIG_get0(&sig_r, &sig_s, sig);
-+ ECDSA_SIG_get0(sig, &sig_r, &sig_s);
- #else
- sig_r = sig->r;
- sig_s = sig->s;
-@@ -3307,7 +3307,7 @@ int sftp_keys_verify_signed_data(pool *p, const char *pubkey_algo,
- dsa_sig = DSA_SIG_new();
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(HAVE_LIBRESSL)
-- DSA_SIG_get0(&sig_r, &sig_s, dsa_sig);
-+ DSA_SIG_get0(sig, &sig_r, &sig_s);
- #else
- sig_r = dsa_sig->r;
- sig_s = dsa_sig->s;
-@@ -3426,7 +3426,7 @@ int sftp_keys_verify_signed_data(pool *p, const char *pubkey_algo,
-
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(HAVE_LIBRESSL)
-- ECDSA_SIG_get0(&sig_r, &sig_s, ecdsa_sig);
-+ ECDSA_SIG_get0(ecdsa_sig, &sig_r, &sig_s);
- #else
- sig_r = ecdsa_sig->r;
- sig_s = ecdsa_sig->s;
=====================================
debian/patches/issue_846_CVE-2019-18217.diff deleted
=====================================
@@ -1,56 +0,0 @@
-From 13fe9462787b9a551152162f46f1641d65fe4df4 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sat, 19 Oct 2019 12:37:56 -0700
-Subject: [PATCH] Issue #846: Handle the case where a client tries to send
- too-large commands in an effort to DoS the server.
-
----
- src/main.c | 10 +++++++++-
- src/netio.c | 3 ++-
- 2 files changed, 11 insertions(+), 2 deletions(-)
-
---- proftpd-dfsg.orig/src/main.c
-+++ proftpd-dfsg/src/main.c
-@@ -462,6 +462,7 @@
- static long cmd_bufsz = -1;
- static char *cmd_buf = NULL;
- int cmd_buflen;
-+ unsigned int too_large_count = 0;
- char *ptr;
-
- if (res == NULL) {
-@@ -487,8 +488,15 @@
- if (cmd_buflen < 0) {
- if (errno == E2BIG) {
- /* The client sent a too-long command which was ignored; give
-- * them another chance?
-+ * them a few more chances, with minor delays?
- */
-+ too_large_count++;
-+ pr_timer_usleep(250 * 1000);
-+
-+ if (too_large_count > 3) {
-+ return -1;
-+ }
-+
- continue;
- }
-
---- proftpd-dfsg.orig/src/netio.c
-+++ proftpd-dfsg/src/netio.c
-@@ -1,6 +1,6 @@
- /*
- * ProFTPD - FTP server daemon
-- * Copyright (c) 2001-2016 The ProFTPD Project team
-+ * Copyright (c) 2001-2019 The ProFTPD Project team
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -1446,6 +1446,7 @@
- }
-
- nstrm->strm_errno = 0;
-+ errno = EOF;
- break;
- }
-
=====================================
debian/patches/quotatab_modules deleted
=====================================
@@ -1,708 +0,0 @@
-Description: Add mod_quotatab module
-Author: Francesco Paolo Lovergine <frankie at debian.org>
-Forwarded: not needed
-
-Index: proftpd-dfsg/README.mod_quotatab
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ proftpd-dfsg/README.mod_quotatab 2011-02-08 13:33:10.000000000 +0100
-@@ -0,0 +1,354 @@
-+ ------------------------------------------------------------------------
-+
-+ ProFTPD module mod_quotatab
-+
-+ ------------------------------------------------------------------------
-+
-+This module is contained in the mod_quotatab.c, mod_quotatab.h, and in its
-+submodule source files, for ProFTPD 1.2, found here, and is not compiled by
-+default. Installation instructions can be found here.
-+
-+This module is designed to impose quotas, both byte- and file-based, on FTP
-+accounts, based on user, group, class, or for all accounts. It is based on
-+the ideas contained in Eric Estabrook's mod_quota; however, this module has
-+been written from scratch to implement quotas in a very different manner. A
-+more detailed explanation of the usage of this module follows the directive
-+explanations.
-+
-+The most current version of mod_quotatab's submodules supports storage of
-+quota table information in various formats:
-+
-+ * mod_quotatab_file for file-based quota tables
-+ * mod_quotatab_sql for SQL-based quota tables
-+
-+The most current version of mod_quotatab can be found at:
-+
-+ http://www.castaglia.org/proftpd/
-+
-+The eventual goal of this module is to make use of the Confstream API, an
-+experimental API described here. This API would make support for tables in
-+other formats (e.g. LDAP, CDB, DBM) much easier to implement.
-+
-+Author
-+
-+Please contact TJ Saunders <tj at castaglia.org> with any questions,
-+concerns, or suggestions regarding this module.
-+
-+Thanks
-+
-+2002-01-12: Thanks to SupaFly <ntlfy at ntlworld.com> for helping debug an
-+issue with a missing tally table.
-+
-+2002-03-30: Thanks to Kai Langheim <kl at q-nic.de> for pointing out several
-+small bugs affecting users with no quota entries.
-+
-+Directives
-+
-+ * QuotaDirectoryTally
-+ * QuotaDisplayUnits
-+ * QuotaEngine
-+ * QuotaLimitTable
-+ * QuotaLog
-+ * QuotaShowQuotas
-+ * QuotaTallyTable
-+
-+SITE Commands
-+
-+ * SITE QUOTA
-+
-+ ------------------------------------------------------------------------
-+
-+QuotaDirectoryTally
-+
-+Syntax: QuotaDirectoryTally on|off
-+Default: QuotaDirectoryTally off
-+Context: server config, <VirtualHost>, <Global>
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+The QuotaDirectoryTally directive configures mod_quotatab to take directory
-+operations (e.g. creating a directory, removing a directory) into account
-+when tallying.
-+
-+ ------------------------------------------------------------------------
-+
-+QuotaDisplayUnits
-+
-+Syntax: QuotaDisplayUnits "b"|"Kb"|"Mb"|"Gb"
-+Default: None
-+Context: server config, <VirtualHost>, <Global>
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+This directive configures how the user's current byte quota values will be
-+reported to them. Note that this directive does not affect how the quota
-+values are stored in the quota table, only their presentation to the user.
-+
-+"b" causes quotas to be displayed in bytes; "Kb", kilobytes; "Mb",
-+megabytes; and "Gb", gigabytes.
-+
-+Example:
-+
-+ # display quota information in megabytes
-+ QuotaDisplayUnits Mb
-+
-+ ------------------------------------------------------------------------
-+
-+QuotaEngine
-+
-+Syntax: QuotaEngine on|off
-+Default: None
-+Context: server config, <VirtualHost>, <Global>
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+The QuotaEngine directive enables or disables the module's runtime quota
-+engine. If it is set to off this module does no runtime processing at all.
-+Use this directive to disable the module instead of commenting out all
-+mod_quotatab directives.
-+
-+ ------------------------------------------------------------------------
-+
-+QuotaLimitTable
-+
-+Syntax: QuotaLimitTable source-type:source-info
-+Default: None
-+Context:
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+This directive configures the information necessary for the module to locate
-+and use the table containing the quota limit, the maximum number of bytes
-+and/or files defined for use by specific users, groups, classes, etc, and is
-+required for mod_quotatab to function.
-+
-+Please consult the relevant submodule documentation for details on that
-+module's syntax for this configuration directive.
-+
-+See also: QuotaTallyTable
-+
-+ ------------------------------------------------------------------------
-+
-+QuotaLog
-+
-+Syntax: QuotaLog file|"none"
-+Default: None
-+Context:
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+The QuotaLog directive is used to a specify a log file for mod_quotatab
-+reporting, and can be done a per-server basis. The file parameter must be
-+the full path to the file to use for logging. Note that this path must not
-+be to a world-writeable directory and, unless AllowLogSymlinks is explicitly
-+set to on (generally a bad idea), the path must not be a symbolic link.
-+
-+If file is "none", no logging will be done at all; this setting can be used
-+to override a QuotaLog setting inherited from a <Global> context.
-+
-+ ------------------------------------------------------------------------
-+
-+QuotaShowQuotas
-+
-+Syntax: QuotaShowQuotas on|off
-+Default: on
-+Context:
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+The QuotaShowQuotas directive can be used to enable/disable mod_quotatab's
-+response to a SITE QUOTA request. For some sites, revealing the current
-+quota information may be considered an unnecessary, perhaps even
-+detrimental, information leak; other sites may consider this a definite
-+feature.
-+
-+ ------------------------------------------------------------------------
-+
-+QuotaTallyTable
-+
-+Syntax: QuotaTallyTable source-type:source-info
-+Default: None
-+Context:
-+Module: mod_quotatab
-+Compatibility: 1.2.5rc2 and later
-+
-+This directive configures the information necessary for the module to locate
-+and use the table containing the quota tally, or the current byte/file
-+counts for users, groups, classes, etc, and is required for mod_quotatab to
-+function.
-+
-+Please consult the relevant submodule documentation for details on that
-+module's syntax for this configuration directive.
-+
-+See also: QuotaLimitTable
-+
-+ ------------------------------------------------------------------------
-+
-+SITE QUOTA
-+
-+The SITE QUOTA command will display the quota, both the limit and the
-+current tally, to the client. This SITE command accepts no parameters, and
-+can only be used once the client has successfully logged in.
-+
-+Example:
-+
-+ftp> quote SITE QUOTA
-+200-The current quota for this session are [current/limit]:
-+ Name: tj
-+ Quota Type: User
-+ Per Session: True
-+ Limit Type: Hard
-+ Uploaded Kb: unlimited
-+ Downloaded Kb: unlimited
-+ Transferred Kb: unlimited
-+ Uploaded files: 1/1
-+ Downloaded files: unlimited
-+ Transferred files: unlimited
-+200 Please contact root at familiar.castaglia.org if these entries are inaccurate
-+ftp>
-+
-+Use of this SITE command can be controlled via <Limit>, e.g.:
-+
-+ <Limit SITE_QUOTA>
-+ AllowUser tj
-+ DenyAll
-+ </Limit>
-+
-+Like many SITE commands, the FTP client will probably not recognize or
-+support SITE QUOTA. Hopefully the client does have the ability to send
-+arbitrary commands to the server, as the common ftp(1) client does via
-+quote.
-+
-+The email address displayed in the SITE QUOTA output can be configured via
-+the ServerAdmin directive.
-+
-+ ------------------------------------------------------------------------
-+
-+Usage
-+
-+To use mod_quotatab's functionality, you must first define the tables that
-+together contain the quota information.
-+
-+There are two such quota tables: one table for providing quota information
-+about the absolute byte/file limits for users, groups, and classes, and a
-+separate table for maintaining the current tally, or number of bytes/files
-+used, for those same users, groups, and classes. This separation of
-+information allows for a configuration such as using LDAP to efficiently
-+distribute the limit information, and local SQL databases for efficiently
-+storing the tally. The limit table is considered a read-only table, and is
-+only accessed at the start of session in order to determine what the session
-+limits should be. The tally table is accessed in read-write mode, and is
-+updated after the relevant FTP commands have been processed.
-+
-+This module was not explicitly designed for easy interaction with other
-+applications, but rather for other criteria:
-+
-+ * efficient lookups and updates
-+ * no need for ~/.quota files
-+ * no need of requirement for root privileges to access quotas
-+ * easy support for an abstraction layer for storing quota information in
-+ other formats
-+ * support for a SITE command that allows users to view their current
-+ quotas
-+
-+This module maintains its quotas based solely on FTP commands - it does not
-+enforce quotas based on files that may have been added, deleted, or moved
-+via shell access or any mechanism other than through the proftpd server..
-+
-+When a client logs in, assuming QuotaEngine is on, mod_quotatab will check
-+the limit table for the record most appropriate for that client. This check
-+first examines the table for records of type user that match the client's
-+login name. If no such matching records are found, it checks for records of
-+type group that match any of the user's groups (both primary and
-+supplemental). Failing that, it will check for records of type class that
-+belong to the class (if enabled) from which the client is connecting. If
-+still no matching records are found, the table will be searched for a record
-+of type all; if absent, the module will assume that no quotas apply to the
-+client.
-+
-+Once the limits for the current session have been established, mod_quotatab
-+examines the tally table to see what the current numbers in the matching
-+tally record are. Should the client have an applicable limit record but no
-+matching tally record, the module will initialize a new record in the tally
-+table.
-+
-+For the purposes of tracking the number of uploaded bytes/files, the tally
-+will be adjusted accordingly upon use of the following FTP commands: APPE
-+(bytes only), DELE, STOR, and STOU. The number of bytes used for the
-+calculation will be determined from the difference in file size of the file
-+in question.
-+
-+For the purposes of tracking the number of downloaded bytes/files, the tally
-+will be adjusted accordingly upon use of the following FTP commands: RETR.
-+The number of bytes used for the calculation will be determined from the
-+number of bytes sent to the client.
-+
-+For the purposes of tracking the number of transferred bytes/files, the
-+tally will be adjusted accordingly upon use of the following FTP commands:
-+APPE (bytes only), DELE, RETR, STOR, and STOU. The number of bytes used for
-+the calculation will be determined from the number of bytes sent to the
-+client. This type of limit allows for byte/file limits to be set that
-+encompass both uploads and downloads.
-+
-+Note that if all three types of quotas are set (upload, download, and
-+transfer), any quota reached will cause denial of FTP commands. This means
-+that a high upload quota will never be reached if a low transfer quota is in
-+effect. This holds true for bytes and files quota. For example, if a user
-+has a limited number of both bytes and files to be uploaded in their limit
-+record, the first limit reached (bytes or files) is the effective limit..
-+Caveat emptor.
-+
-+For any quota limit that is set as "unlimited", mod_quotatab will not keep
-+the tally. Many site administrators might want this ability, for accounting
-+purposes. However, that ability is outside of the intended design of this
-+module; other logging modules are much better suited for accounting purposes
-+(e.g. mod_sql's SQLLog directive).
-+
-+If any developers wish to make use of mod_quotatab's quota information, or
-+to develop a new submodule, there is developer documentation available here.
-+
-+ ------------------------------------------------------------------------
-+
-+Installation
-+
-+To install mod_quotatab, follow these instructions. After unpacking the
-+tarball, copy the mod_quotatab.c, mod_quotatab.h, mod_quotatab_file.c, and
-+mod_quotatab_sql.c files into:
-+
-+ proftpd-dir/contrib/
-+
-+after unpacking the latest proftpd-1.2 source code. Follow the usual steps
-+for using third-party modules in proftpd:
-+
-+ ./configure --with-modules=quotatab-modules
-+ make
-+ make install
-+
-+where quotatab-modules will depend on the types of quota tables you wish to
-+support.
-+
-+For file-based quota tables, include the mod_quotatab_file submodule, e.g.:
-+
-+ mod_quotatab:mod_quotatab_file
-+
-+For SQL-based quota tables, include the mod_quotatab_sql submodule, e.g.:
-+
-+ mod_quotatab:mod_quotatab_sql
-+
-+And, if you wish to support file- and SQL-based quota tables:
-+
-+ mod_quotatab:mod_quotatab_file:mod_quotatab_sql
-+
-+Note that SQL tables require that a correct installation of mod_sql (and any
-+of its backend modules) also be used. Consult the mod_sql documentation for
-+installation instructions for that module.
-+
-+ ------------------------------------------------------------------------
-+
-+Author: $Author: frankie $
-+Last Updated: $Date: 2003/11/17 15:30:12 $
-+
-+ ------------------------------------------------------------------------
-+© Copyright 2000-2002 TJ Saunders
-+All Rights Reserved
-+ ------------------------------------------------------------------------
-Index: proftpd-dfsg/diskuse
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ proftpd-dfsg/diskuse 2011-02-08 13:33:10.000000000 +0100
-@@ -0,0 +1,232 @@
-+#!/usr/bin/perl
-+# -------------------------------------------------------------------------
-+# Copyright (C) 2002 TJ Saunders <tj at castaglia.org>
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; either version 2 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
-+#
-+# $Id: 14.quotatab_modules.diff,v 1.4 2003/11/17 15:30:12 frankie Exp $
-+#
-+# -------------------------------------------------------------------------
-+
-+use strict;
-+
-+use Fcntl;
-+use File::Basename qw(basename);
-+use Getopt::Long;
-+
-+my $program = basename($0);
-+my %opts = {};
-+
-+GetOptions(\%opts, 'G', 'K', 'M', 'dir-tally', 'group=s', 'help',
-+ 'user=s', 'verbose');
-+
-+my $verbose = 0;
-+my $user_id = -1;
-+my $group_id = -1;
-+
-+usage() if defined($opts{'help'});
-+
-+if (length(@ARGV) < 1) {
-+ print STDOUT "$program: wrong number of parameters\n";
-+ exit 0;
-+}
-+
-+unless (defined($opts{'user'}) || defined($opts{'group'})) {
-+ print STDOUT "$program: missing required --group or --user option\n";
-+ exit 0;
-+}
-+
-+if (defined($opts{'user'})) {
-+ $user_id = getpwnam($opts{'user'}) or
-+ die "$program: no such user: $opts{'user'}\n";
-+}
-+
-+if (defined($opts{'group'})) {
-+ $group_id = getgrnam($opts{'group'}) or
-+ die "$program: no such group: $opts{'group'}\n";
-+}
-+
-+$verbose = 1 if (defined($opts{'verbose'}));
-+
-+my ($total_bytes, $total_files);
-+
-+foreach my $dir (@ARGV) {
-+ my ($bytes, $files) = get_dir_disk_use($dir);
-+
-+ $total_bytes += $bytes;
-+ $total_files += $files;
-+}
-+
-+my $byte_units = "bytes";
-+
-+if (defined($opts{'K'})) {
-+ $total_bytes /= 1024;
-+ $byte_units = "KB";
-+
-+} elsif (defined($opts{'M'})) {
-+ $total_bytes /= (1024 * 1024);
-+ $byte_units = "MB";
-+
-+} elsif (defined($opts{'G'})) {
-+ $total_bytes /= (1024 * 1024 * 1024);
-+ $byte_units = "GB";
-+}
-+
-+my $file_units = "files";
-+$file_units = "file" if ($total_files == 1);
-+
-+print STDOUT "$program: $total_bytes $byte_units in $total_files $file_units\n";
-+
-+# done
-+exit 0;
-+
-+# --------------------------------------------------------------------------
-+sub get_dir_disk_use {
-+ my ($dir) = @_;
-+
-+ print STDOUT "$program: examining directory '$dir'\n" if $verbose;
-+
-+ my @subdirs = ();
-+ my $nbytes = 0;
-+ my $nfiles = 0;
-+
-+ unless (opendir(DIR, $dir)) {
-+ print STDERR "$program: unable to open directory '$dir': $!\n";
-+ return (0, 0);
-+ }
-+
-+ my @files = readdir(DIR);
-+ close(DIR);
-+
-+ foreach my $file (@files) {
-+ my ($mode, $uid, $gid, $size) = (lstat("$dir/$file"))[2, 4, 5, 7];
-+
-+ # Is this entry a regular file, or a directory?
-+ unless (-f "$dir/$file" || (-l "$dir/$file" && !-f "$dir/$file") || -d "$dir/$file") {
-+ print STDOUT "$program: skipping '$dir/$file': not a file or directory\n" if $verbose;
-+ next;
-+ }
-+
-+ # Does this file match the given user/group ownership?
-+ if ($user_id != -1 && $group_id != -1) {
-+
-+ if ($uid == $user_id && $gid == $group_id) {
-+
-+ if (defined($opts{'dir-tally'}) && $file eq ".") {
-+ $nbytes += $size;
-+ $nfiles++;
-+
-+ } elsif (! -d "$dir/$file") {
-+ $nbytes += $size;
-+ $nfiles++;
-+ }
-+
-+ } else {
-+ print STDOUT "$program: '$file' does not match UID $user_id, GID $group_id\n" if $verbose;
-+ }
-+
-+ } elsif ($user_id != -1) {
-+
-+ if ($uid == $user_id) {
-+
-+ if (defined($opts{'dir-tally'}) && $file eq ".") {
-+ $nbytes += $size;
-+ $nfiles++;
-+
-+ } elsif (! -d "$dir/$file") {
-+ $nbytes += $size;
-+ $nfiles++;
-+ }
-+
-+ } else {
-+ print STDOUT "$program: '$file' does not match UID $user_id\n" if $verbose;
-+ }
-+
-+ } elsif ($group_id != -1) {
-+
-+ if ($gid == $group_id) {
-+
-+ if (defined($opts{'dir-tally'}) && $file eq ".") {
-+ $nbytes += $size;
-+ $nfiles++;
-+
-+ } elsif (! -d "$dir/$file") {
-+ $nbytes += $size;
-+ $nfiles++;
-+ }
-+
-+ } else {
-+ print STDOUT "$program: '$file' does not match GID $group_id\n" if $verbose;
-+ }
-+ }
-+
-+ # Is this entry a directory? If so, add it to the subdir list.
-+ if (-d "$dir/$file") {
-+
-+ # Skip dot directories
-+ push(@subdirs, "$dir/$file") unless ($file eq "." || $file eq "..");
-+ }
-+ }
-+
-+ # Now, recurse through the directory's subdirectories
-+ foreach my $subdir (@subdirs) {
-+ my ($bytecount, $filecount) = get_dir_disk_use($subdir);
-+ $nbytes += $bytecount;
-+ $nfiles += $filecount;
-+ }
-+
-+ return ($nbytes, $nfiles);
-+}
-+
-+# --------------------------------------------------------------------------
-+sub usage {
-+
-+ print STDOUT <<END_OF_USAGE;
-+
-+usage: $program [options] dir1 dir2 ... dirN
-+
-+ $program calculates the amount of disk space used underneath the given
-+ directory (or directories). Either a --group or a --user option is required.
-+ If both are used, only files whose ownership matches both the given name and
-+ group will be added to the disk usage sum.
-+
-+ Options:
-+
-+ --G Display the number of bytes in units of gigabytes. The default
-+ number is in bytes.
-+
-+ --K Display the number of bytes in units of kilobytes. The default
-+ number is in bytes.
-+
-+ --M Display the number of bytes in units of megabytes. The default
-+ number is in bytes.
-+
-+ --dir-tally Count the size of directories toward the disk usage sum. The
-+ default is to consider regular files only.
-+
-+ --group Count files owned by this group in the disk usage sum.
-+
-+ --help Display this message.
-+
-+ --user Count files owned by this user in the disk usage sum.
-+
-+ --verbose Display diagnostic output while $program is running.
-+
-+END_OF_USAGE
-+
-+ exit 0;
-+}
-+
-+# --------------------------------------------------------------------------
-Index: proftpd-dfsg/diskuse.html
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ proftpd-dfsg/diskuse.html 2011-02-08 13:33:10.000000000 +0100
-@@ -0,0 +1,103 @@
-+<!-- $Id: 14.quotatab_modules.diff,v 1.4 2003/11/17 15:30:12 frankie Exp $ -->
-+<!-- $Source: /cvsroot/pkg-proftpd/debian/patches/14.quotatab_modules.diff,v $ -->
-+
-+<html>
-+<head>
-+<title>diskuse: tool for ProFTPD mod_quotatab</title>
-+</head>
-+
-+<body bgcolor=white>
-+
-+<hr><br>
-+<center>
-+<h2><b><code>diskuse</code>: tool for ProFTPD module <code>mod_quotatab</code></b></h2>
-+</center>
-+<hr><br>
-+
-+This program is distributed with the
-+<a href="./mod_quotatab.html"><code>mod_quotatab</code></a> module for
-+ProFTPD 1.2. It is used to calculate the amount of disk space currently
-+used by a given user and/or group.
-+
-+<p>
-+The most current version of <code>diskuse</code> can be found at:
-+<pre>
-+ <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a>
-+</pre>
-+
-+<h2>Author</h2>
-+<p>
-+Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any
-+questions, concerns, or suggestions regarding this program.
-+
-+<p>
-+<hr><br>
-+<h2><a name="Usage">Usage</a></h2>
-+The following describes the common usage of the <code>diskuse</code> tool.
-+The options supported are described in more detail
-+<a href="#Options">later</a>.
-+
-+<p>
-+Usage of this tool is fairly straightforward: choose the directory (or
-+directories) to scan, and the user or group for whom you wish to calculate
-+disk usage:
-+<pre>
-+ diskuse /home /usr /tmp --user=bob
-+</pre>
-+The <code>--K</code>, <code>--M</code>, and <code>--G</code> options can be
-+used to display the disk usage calculated in kilobytes, megabytes, or
-+gigabytes, respectively.
-+
-+<p>
-+<hr><br>
-+<h2><a name="Options">Options</a></h2>
-+The following is the output from running <code>diskuse --help</code>:
-+<pre>
-+usage: diskuse [options] dir1 dir2 ... dirN
-+
-+ diskuse calculates the amount of disk space used underneath the given
-+ directory (or directories). Either a --group or a --user option is required.
-+ If both are used, only files whose ownership matches both the given name and
-+ group will be added to the disk usage sum.
-+
-+ Options:
-+
-+ --G Display the number of bytes in units of gigabytes. The default
-+ number is in bytes.
-+
-+ --K Display the number of bytes in units of kilobytes. The default
-+ number is in bytes.
-+
-+ --M Display the number of bytes in units of megabytes. The default
-+ number is in bytes.
-+
-+ --dir-tally Count the size of directories toward the disk usage sum. The
-+ default is to consider regular files only.
-+
-+ --group Count files owned by this group in the disk usage sum.
-+
-+ --help Display this message.
-+
-+ --user Count files owned by this user in the disk usage sum.
-+
-+ --verbose Display diagnostic output while diskuse is running.
-+</pre>
-+
-+<p>
-+<hr><br>
-+
-+Author: <i>$Author: frankie $</i><br>
-+Last Updated: <i>$Date: 2003/11/17 15:30:12 $</i><br>
-+
-+<br><hr>
-+
-+<font size=2><b><i>
-+© Copyright 2000-2002 TJ Saunders<br>
-+ All Rights Reserved<br>
-+</i></b></font>
-+
-+<hr><br>
-+
-+</body>
-+</html>
-+
=====================================
debian/patches/series
=====================================
@@ -1,7 +1,6 @@
autotools
change_pam_name
ftpasswd.cracklib.location
-# quotatab_modules
mod_sql_mysql.c
mod_wrap_noparanoid
ftpstats
@@ -9,18 +8,6 @@ ftpstats
odbc
#reproducible_build
#spelling_errors
-# upstream_4335
-# upstream_4336
-# upstream_4312
-# upstream_4312_fix_version
-# github_pr_710
-# upstream_4356
wrong-path-for-interpreter_perl.diff
-# github_pr_594
-# upstream_pull_567
-# upstream_4372_CVE-2019-12815.diff
-# issue_846_CVE-2019-18217.diff
-# upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
-# upstream_4385
#cd9036f4ef7a05c107f0ffcb19a018b20267c531.patch
# proftpd-mysql-password-backend.patch
=====================================
debian/patches/upstream_4312 deleted
=====================================
@@ -1,227 +0,0 @@
-From 52dd3d34e04a0ecbf3deffb9d20368d68281176c Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Tue, 15 Aug 2017 19:41:52 -0700
-Subject: [PATCH] Bug#4312: Close any "extra" open fds at startup.
-
----
- contrib/mod_exec.c | 65 ++++--------------------------------------------------
- include/fsio.h | 3 +++
- src/fsio.c | 55 +++++++++++++++++++++++++++++++++++++++++++++
- src/main.c | 1 +
- tests/api/fsio.c | 7 ++++++
- 5 files changed, 70 insertions(+), 61 deletions(-)
-
-Index: proftpd-dfsg-1.3.6/contrib/mod_exec.c
-===================================================================
---- proftpd-dfsg-1.3.6.orig/contrib/mod_exec.c 2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/contrib/mod_exec.c 2018-02-20 21:24:24.000000000 +0100
-@@ -31,17 +31,15 @@
- # include <sys/resource.h>
- #endif
-
--#define MOD_EXEC_VERSION "mod_exec/0.9.14"
-+#define MOD_EXEC_VERSION "mod_exec/0.9.16"
-
- /* Make sure the version of proftpd is as necessary. */
--#if PROFTPD_VERSION_NUMBER < 0x0001030402
--# error "ProFTPD 1.3.4rc2 or later required"
-+#if PROFTPD_VERSION_NUMBER < 0x0001030701
-+# error "ProFTPD 1.3.7rc1 or later required"
- #endif
-
- module exec_module;
-
--#define EXEC_MAX_FD_COUNT 1024
--
- static pool *exec_pool = NULL;
- static int exec_engine = FALSE;
- static unsigned int exec_nexecs = 0;
-@@ -263,10 +261,6 @@
- }
-
- static void exec_prepare_fds(int stdin_fd, int stdout_fd, int stderr_fd) {
-- long nfiles = 0;
-- register unsigned int i = 0;
-- struct rlimit rlim;
--
- if (stdin_fd < 0) {
- stdin_fd = open("/dev/null", O_RDONLY);
- if (stdin_fd < 0) {
-@@ -314,59 +308,8 @@
- * dup /dev/null. For stdout and stderr, we dup some pipes, so that
- * we can capture what the command may write to stdout or stderr. The
- * stderr output will be logged to the ExecLog.
-- *
-- * First, use getrlimit() to obtain the maximum number of open files
-- * for this process -- then close that number.
- */
--#if defined(RLIMIT_NOFILE) || defined(RLIMIT_OFILE)
--# if defined(RLIMIT_NOFILE)
-- if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
--# elif defined(RLIMIT_OFILE)
-- if (getrlimit(RLIMIT_OFILE, &rlim) < 0) {
--# endif
-- /* Ignore ENOSYS (and EPERM, since some libc's use this as ENOSYS). */
-- if (errno != ENOSYS &&
-- errno != EPERM) {
-- exec_log("getrlimit() error: %s", strerror(errno));
-- }
--
-- /* Pick some arbitrary high number. */
-- nfiles = EXEC_MAX_FD_COUNT;
--
-- } else {
-- nfiles = rlim.rlim_max;
-- }
--
--#else /* no RLIMIT_NOFILE or RLIMIT_OFILE */
-- nfiles = EXEC_MAX_FD_COUNT;
--#endif
--
-- /* Yes, using a long for the nfiles variable is not quite kosher; it should
-- * be an unsigned type, otherwise a large limit (say, RLIMIT_INFINITY)
-- * might overflow the data type. In that case, though, we want to know
-- * about it -- and using a signed type, we will know if the overflowed
-- * value is a negative number. Chances are we do NOT want to be closing
-- * fds whose value is as high as they can possibly get; that's too many
-- * fds to iterate over. Long story short, using a long int is just fine.
-- * (Plus it makes mod_exec work on Mac OSX 10.4; without this tweak,
-- * mod_exec's forked processes never return/exit.)
-- */
--
-- if (nfiles < 0 ||
-- nfiles > EXEC_MAX_FD_COUNT) {
-- nfiles = EXEC_MAX_FD_COUNT;
-- }
--
-- /* Close the "non-standard" file descriptors. */
-- for (i = 3; i < nfiles; i++) {
--
-- /* This is a potentially long-running loop, so handle signals. */
-- pr_signals_handle();
--
-- close(i);
-- }
--
-- return;
-+ pr_fs_close_extra_fds();
- }
-
- static void exec_prepare_pipes(void) {
-Index: proftpd-dfsg-1.3.6/include/fsio.h
-===================================================================
---- proftpd-dfsg-1.3.6.orig/include/fsio.h 2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/include/fsio.h 2018-02-20 21:24:24.000000000 +0100
-@@ -413,6 +413,9 @@
- void pr_fs_globfree(glob_t *);
- void pr_resolve_fs_map(void);
-
-+/* Close all but the main three fds. */
-+void pr_fs_close_extra_fds(void);
-+
- /* The main three fds (stdin, stdout, stderr) need to be protected, reserved
- * for use. This function uses dup(2) to open new fds on the given fd
- * until the new fd is not one of the big three.
-Index: proftpd-dfsg-1.3.6/src/fsio.c
-===================================================================
---- proftpd-dfsg-1.3.6.orig/src/fsio.c 2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/src/fsio.c 2018-02-20 21:24:24.000000000 +0100
-@@ -6478,6 +6478,61 @@
- return (buf > start ? start : NULL);
- }
-
-+#define FSIO_MAX_FD_COUNT 1024
-+
-+void pr_fs_close_extra_fds(void) {
-+ register unsigned int i;
-+ long nfiles = 0;
-+ struct rlimit rlim;
-+
-+ /* Close any but the big three open fds.
-+ *
-+ * First, use getrlimit() to obtain the maximum number of open files
-+ * for this process -- then close that number.
-+ */
-+#if defined(RLIMIT_NOFILE) || defined(RLIMIT_OFILE)
-+# if defined(RLIMIT_NOFILE)
-+ if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
-+# elif defined(RLIMIT_OFILE)
-+ if (getrlimit(RLIMIT_OFILE, &rlim) < 0) {
-+# endif
-+ /* Ignore ENOSYS (and EPERM, since some libc's use this as ENOSYS); pick
-+ * some arbitrary high number.
-+ */
-+ nfiles = FSIO_MAX_FD_COUNT;
-+
-+ } else {
-+ nfiles = rlim.rlim_max;
-+ }
-+
-+#else /* no RLIMIT_NOFILE or RLIMIT_OFILE */
-+ nfiles = FSIO_MAX_FD_COUNT;
-+#endif
-+
-+ /* Yes, using a long for the nfiles variable is not quite kosher; it should
-+ * be an unsigned type, otherwise a large limit (say, RLIMIT_INFINITY)
-+ * might overflow the data type. In that case, though, we want to know
-+ * about it -- and using a signed type, we will know if the overflowed
-+ * value is a negative number. Chances are we do NOT want to be closing
-+ * fds whose value is as high as they can possibly get; that's too many
-+ * fds to iterate over. Long story short, using a long int is just fine.
-+ * (Plus it makes mod_exec work on Mac OSX 10.4; without this tweak,
-+ * mod_exec's forked processes never return/exit.)
-+ */
-+
-+ if (nfiles < 0 ||
-+ nfiles > FSIO_MAX_FD_COUNT) {
-+ nfiles = FSIO_MAX_FD_COUNT;
-+ }
-+
-+ /* Close the "non-standard" file descriptors. */
-+ for (i = 3; i < nfiles; i++) {
-+ /* This is a potentially long-running loop, so handle signals. */
-+ pr_signals_handle();
-+ (void) close(i);
-+ }
-+}
-+
- /* Be generous in the maximum allowed number of dup fds, in our search for
- * one that is outside the big three.
- *
-Index: proftpd-dfsg-1.3.6/src/main.c
-===================================================================
---- proftpd-dfsg-1.3.6.orig/src/main.c 2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/src/main.c 2018-02-20 21:24:24.000000000 +0100
-@@ -2232,6 +2232,7 @@
-
- memset(&session, 0, sizeof(session));
-
-+ pr_fs_close_extra_fds();
- pr_proctitle_init(argc, argv, envp);
-
- /* Seed rand */
-Index: proftpd-dfsg-1.3.6/tests/api/fsio.c
-===================================================================
---- proftpd-dfsg-1.3.6.orig/tests/api/fsio.c 2018-02-20 21:24:24.000000000 +0100
-+++ proftpd-dfsg-1.3.6/tests/api/fsio.c 2018-02-20 21:24:24.000000000 +0100
-@@ -3888,6 +3888,12 @@
- }
- END_TEST
-
-+START_TEST (fs_close_extra_fds_test) {
-+ mark_point();
-+ pr_fs_close_extra_fds();
-+}
-+END_TEST
-+
- START_TEST (fs_get_usable_fd_test) {
- int fd, res;
-
-@@ -4630,6 +4636,7 @@
- tcase_add_test(testcase, fs_split_path_test);
- tcase_add_test(testcase, fs_join_path_test);
- tcase_add_test(testcase, fs_virtual_path_test);
-+ tcase_add_test(testcase, fs_close_extra_fds_test);
- tcase_add_test(testcase, fs_get_usable_fd_test);
- tcase_add_test(testcase, fs_get_usable_fd2_test);
- tcase_add_test(testcase, fs_getsize_test);
=====================================
debian/patches/upstream_4312_fix_version deleted
=====================================
@@ -1,33 +0,0 @@
-From 4c1ebe8de771879e4cee005ee4fc9d96c82fc73b Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sun, 17 Sep 2017 21:56:40 -0700
-Subject: [PATCH] Merge pulled in a bad version check, breaking the build.
- Caught by Travis.
-
----
- contrib/mod_exec.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/contrib/mod_exec.c b/contrib/mod_exec.c
-index cb4356659..844c93807 100644
---- a/contrib/mod_exec.c
-+++ b/contrib/mod_exec.c
-@@ -1,6 +1,6 @@
- /*
- * ProFTPD: mod_exec -- a module for executing external scripts
-- * Copyright (c) 2002-2016 TJ Saunders
-+ * Copyright (c) 2002-2017 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -34,8 +34,8 @@
- #define MOD_EXEC_VERSION "mod_exec/0.9.16"
-
- /* Make sure the version of proftpd is as necessary. */
--#if PROFTPD_VERSION_NUMBER < 0x0001030701
--# error "ProFTPD 1.3.7rc1 or later required"
-+#if PROFTPD_VERSION_NUMBER < 0x0001030605
-+# error "ProFTPD 1.3.6 or later required"
- #endif
-
- module exec_module;
=====================================
debian/patches/upstream_4335 deleted
=====================================
@@ -1,33 +0,0 @@
-From e25f45d2dad79cb4e2f9fe8d12484cf0b81df320 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Tue, 16 Jan 2018 04:55:23 -0800
-Subject: [PATCH] Bug #4335: mod_auth_otp fails to build with OpenSSL 1.1.x.
-
----
- contrib/mod_auth_otp/crypto.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/contrib/mod_auth_otp/crypto.c b/contrib/mod_auth_otp/crypto.c
-index c479d56d4..076a26693 100644
---- a/contrib/mod_auth_otp/crypto.c
-+++ b/contrib/mod_auth_otp/crypto.c
-@@ -1,6 +1,6 @@
- /*
- * ProFTPD - mod_auth_otp OpenSSL interface
-- * Copyright (c) 2015-2017 TJ Saunders
-+ * Copyright (c) 2015-2018 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -50,10 +50,7 @@ void auth_otp_crypto_free(int flags) {
- ERR_free_strings();
-
- #if OPENSSL_VERSION_NUMBER >= 0x10000001L
--# if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-- !defined(HAVE_LIBRESSL)
-- ERR_remove_thread_state();
--# else
-+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
- /* The ERR_remove_state(0) usage is deprecated due to thread ID
- * differences among platforms; see the OpenSSL-1.0.0c CHANGES file
- * for details. So for new enough OpenSSL installations, use the
=====================================
debian/patches/upstream_4336 deleted
=====================================
@@ -1,276 +0,0 @@
-From 322939023a6a92c24176b51dba0ea42b5f57849a Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sun, 21 Jan 2018 13:12:47 -0800
-Subject: [PATCH] Bug #4336: Check for, and use, the necessary libraries for
- Memcache and Redis support.
-
----
- configure | 217 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- configure.in | 5 ++
- 2 files changed, 221 insertions(+), 1 deletion(-)
-
-diff --git a/configure b/configure
-index ef7d236b3..61652baa3 100755
---- a/configure
-+++ b/configure
-@@ -16933,6 +16933,149 @@ fi
-
-
- if test x"$enable_memcache" = xyes; then
-+
-+{ echo "$as_me:$LINENO: checking for memcached_create in -lmemcached" >&5
-+echo $ECHO_N "checking for memcached_create in -lmemcached... $ECHO_C" >&6; }
-+if test "${ac_cv_lib_memcached_memcached_create+set}" = set; then
-+ echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+ ac_check_lib_save_LIBS=$LIBS
-+LIBS="-lmemcached $LIBS"
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h. */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h. */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+ Use char because int might match the return type of a GCC
-+ builtin and then its argument prototype would still apply. */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char memcached_create ();
-+int
-+main ()
-+{
-+return memcached_create ();
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+ (eval "$ac_link") 2>conftest.er1
-+ ac_status=$?
-+ grep -v '^ *+' conftest.er1 >conftest.err
-+ rm -f conftest.er1
-+ cat conftest.err >&5
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest$ac_exeext &&
-+ $as_test_x conftest$ac_exeext; then
-+ ac_cv_lib_memcached_memcached_create=yes
-+else
-+ echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_cv_lib_memcached_memcached_create=no
-+fi
-+
-+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-+ conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ echo "$as_me:$LINENO: result: $ac_cv_lib_memcached_memcached_create" >&5
-+echo "${ECHO_T}$ac_cv_lib_memcached_memcached_create" >&6; }
-+if test $ac_cv_lib_memcached_memcached_create = yes; then
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBMEMCACHED 1
-+_ACEOF
-+
-+ LIBS="-lmemcached $LIBS"
-+
-+fi
-+
-+
-+{ echo "$as_me:$LINENO: checking for libmemcached_util_ping in -lmemcachedutil" >&5
-+echo $ECHO_N "checking for libmemcached_util_ping in -lmemcachedutil... $ECHO_C" >&6; }
-+if test "${ac_cv_lib_memcachedutil_libmemcached_util_ping+set}" = set; then
-+ echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+ ac_check_lib_save_LIBS=$LIBS
-+LIBS="-lmemcachedutil $LIBS"
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h. */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h. */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+ Use char because int might match the return type of a GCC
-+ builtin and then its argument prototype would still apply. */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char libmemcached_util_ping ();
-+int
-+main ()
-+{
-+return libmemcached_util_ping ();
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+ (eval "$ac_link") 2>conftest.er1
-+ ac_status=$?
-+ grep -v '^ *+' conftest.er1 >conftest.err
-+ rm -f conftest.er1
-+ cat conftest.err >&5
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest$ac_exeext &&
-+ $as_test_x conftest$ac_exeext; then
-+ ac_cv_lib_memcachedutil_libmemcached_util_ping=yes
-+else
-+ echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_cv_lib_memcachedutil_libmemcached_util_ping=no
-+fi
-+
-+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-+ conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ echo "$as_me:$LINENO: result: $ac_cv_lib_memcachedutil_libmemcached_util_ping" >&5
-+echo "${ECHO_T}$ac_cv_lib_memcachedutil_libmemcached_util_ping" >&6; }
-+if test $ac_cv_lib_memcachedutil_libmemcached_util_ping = yes; then
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBMEMCACHEDUTIL 1
-+_ACEOF
-+
-+ LIBS="-lmemcachedutil $LIBS"
-+
-+fi
-+
-+
- # Yes, we DO want mod_memcache AFTER the other modules in the static
- # module list. Otherwise, the module load ordering will be such that
- # memcache support will not work as expected
-@@ -16941,6 +17084,78 @@ if test x"$enable_memcache" = xyes; then
- fi
-
- if test x"$enable_redis" = xyes; then
-+
-+{ echo "$as_me:$LINENO: checking for redisConnect in -lhiredis" >&5
-+echo $ECHO_N "checking for redisConnect in -lhiredis... $ECHO_C" >&6; }
-+if test "${ac_cv_lib_hiredis_redisConnect+set}" = set; then
-+ echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+ ac_check_lib_save_LIBS=$LIBS
-+LIBS="-lhiredis $LIBS"
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h. */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h. */
-+
-+/* Override any GCC internal prototype to avoid an error.
-+ Use char because int might match the return type of a GCC
-+ builtin and then its argument prototype would still apply. */
-+#ifdef __cplusplus
-+extern "C"
-+#endif
-+char redisConnect ();
-+int
-+main ()
-+{
-+return redisConnect ();
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+ (eval "$ac_link") 2>conftest.er1
-+ ac_status=$?
-+ grep -v '^ *+' conftest.er1 >conftest.err
-+ rm -f conftest.er1
-+ cat conftest.err >&5
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest$ac_exeext &&
-+ $as_test_x conftest$ac_exeext; then
-+ ac_cv_lib_hiredis_redisConnect=yes
-+else
-+ echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_cv_lib_hiredis_redisConnect=no
-+fi
-+
-+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-+ conftest$ac_exeext conftest.$ac_ext
-+LIBS=$ac_check_lib_save_LIBS
-+fi
-+{ echo "$as_me:$LINENO: result: $ac_cv_lib_hiredis_redisConnect" >&5
-+echo "${ECHO_T}$ac_cv_lib_hiredis_redisConnect" >&6; }
-+if test $ac_cv_lib_hiredis_redisConnect = yes; then
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_LIBHIREDIS 1
-+_ACEOF
-+
-+ LIBS="-lhiredis $LIBS"
-+
-+fi
-+
-+
- # Yes, we DO want mod_redis AFTER the other modules in the static
- # module list. Otherwise, the module load ordering will be such that
- # Redis support will not work as expected.
-@@ -18145,7 +18360,7 @@ else
- lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
- lt_status=$lt_dlunknown
- cat > conftest.$ac_ext <<_LT_EOF
--#line 18148 "configure"
-+#line 18363 "configure"
- #include "confdefs.h"
-
- #if HAVE_DLFCN_H
-diff --git a/configure.in b/configure.in
-index f99596d49..fe3d1ab0c 100644
---- a/configure.in
-+++ b/configure.in
-@@ -411,6 +411,9 @@ AC_ARG_WITH(modules,
-
- dnl Memcache
- if test x"$enable_memcache" = xyes; then
-+ AC_CHECK_LIB(memcached, memcached_create)
-+ AC_CHECK_LIB(memcachedutil, libmemcached_util_ping)
-+
- # Yes, we DO want mod_memcache AFTER the other modules in the static
- # module list. Otherwise, the module load ordering will be such that
- # memcache support will not work as expected
-@@ -420,6 +423,8 @@ fi
-
- dnl Redis
- if test x"$enable_redis" = xyes; then
-+ AC_CHECK_LIB(hiredis, redisConnect)
-+
- # Yes, we DO want mod_redis AFTER the other modules in the static
- # module list. Otherwise, the module load ordering will be such that
- # Redis support will not work as expected.
=====================================
debian/patches/upstream_4356 deleted
=====================================
@@ -1,28 +0,0 @@
-From 22b689901775d1129530e8329556d32bae878125 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Wed, 8 Aug 2018 11:15:21 -0700
-Subject: [PATCH 1/2] Bug#4356: Fix infinite loop by actually iterating properly for the next configuration record. Oops.
-
----
- contrib/mod_sftp/mod_sftp.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- proftpd-dfsg.orig/contrib/mod_sftp/mod_sftp.c
-+++ proftpd-dfsg/contrib/mod_sftp/mod_sftp.c
-@@ -1,6 +1,6 @@
- /*
- * ProFTPD - mod_sftp
-- * Copyright (c) 2008-2017 TJ Saunders
-+ * Copyright (c) 2008-2018 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -1211,6 +1211,8 @@
- insecure_hostkey_perms = TRUE;
- break;
- }
-+
-+ c = find_config_next(c, c->next, CONF_PARAM, "SFTPOptions", FALSE);
- }
-
- if (insecure_hostkey_perms) {
=====================================
debian/patches/upstream_4372_CVE-2019-12815.diff deleted
=====================================
@@ -1,376 +0,0 @@
-From 71cd49ea82313f78d52a52d0c628a3770dc96608 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Wed, 17 Jul 2019 09:25:31 -0700
-Subject: [PATCH] Bug #4372: Ensure that mod_copy checks for <Limits> for its
- SITE CPFR/CPTO commands.
-
----
- contrib/mod_copy.c | 36 ++-
- tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm | 253 +++++++++++++++++-
- 2 files changed, 285 insertions(+), 4 deletions(-)
-
-diff --git a/contrib/mod_copy.c b/contrib/mod_copy.c
-index 26b72a91d..c8672c40d 100644
---- a/contrib/mod_copy.c
-+++ b/contrib/mod_copy.c
-@@ -1,7 +1,7 @@
- /*
- * ProFTPD: mod_copy -- a module supporting copying of files on the server
- * without transferring the data to the client and back
-- * Copyright (c) 2009-2016 TJ Saunders
-+ * Copyright (c) 2009-2019 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -657,7 +657,7 @@ MODRET copy_copy(cmd_rec *cmd) {
- MODRET copy_cpfr(cmd_rec *cmd) {
- register unsigned int i;
- int res;
-- char *path = "";
-+ char *cmd_name, *path = "";
- unsigned char *authenticated = NULL;
-
- if (copy_engine == FALSE) {
-@@ -705,6 +705,21 @@ MODRET copy_cpfr(cmd_rec *cmd) {
- path = pstrcat(cmd->tmp_pool, path, *path ? " " : "", decoded_path, NULL);
- }
-
-+ cmd_name = cmd->argv[0];
-+ pr_cmd_set_name(cmd, "SITE_CPFR");
-+ if (!dir_check(cmd->tmp_pool, cmd, G_READ, path, NULL)) {
-+ int xerrno = EPERM;
-+
-+ pr_cmd_set_name(cmd, cmd_name);
-+ pr_response_add_err(R_550, "%s: %s", (char *) cmd->argv[3],
-+ strerror(xerrno));
-+
-+ pr_cmd_set_errno(cmd, xerrno);
-+ errno = xerrno;
-+ return PR_ERROR(cmd);
-+ }
-+ pr_cmd_set_name(cmd, cmd_name);
-+
- res = pr_filter_allow_path(CURRENT_CONF, path);
- switch (res) {
- case 0:
-@@ -758,6 +773,7 @@ MODRET copy_cpfr(cmd_rec *cmd) {
- MODRET copy_cpto(cmd_rec *cmd) {
- register unsigned int i;
- const char *from, *to = "";
-+ char *cmd_name;
- unsigned char *authenticated = NULL;
-
- if (copy_engine == FALSE) {
-@@ -816,6 +832,20 @@ MODRET copy_cpto(cmd_rec *cmd) {
-
- to = dir_canonical_vpath(cmd->tmp_pool, to);
-
-+ cmd_name = cmd->argv[0];
-+ pr_cmd_set_name(cmd, "SITE_CPTO");
-+ if (!dir_check(cmd->tmp_pool, cmd, G_WRITE, to, NULL)) {
-+ int xerrno = EPERM;
-+
-+ pr_cmd_set_name(cmd, cmd_name);
-+ pr_response_add_err(R_550, "%s: %s", to, strerror(xerrno));
-+
-+ pr_cmd_set_errno(cmd, xerrno);
-+ errno = xerrno;
-+ return PR_ERROR(cmd);
-+ }
-+ pr_cmd_set_name(cmd, cmd_name);
-+
- if (copy_paths(cmd->tmp_pool, from, to) < 0) {
- int xerrno = errno;
- const char *err_code = R_550;
-@@ -940,7 +970,7 @@ static conftable copy_conftab[] = {
-
- static cmdtable copy_cmdtab[] = {
- { CMD, C_SITE, G_WRITE, copy_copy, FALSE, FALSE, CL_MISC },
-- { CMD, C_SITE, G_DIRS, copy_cpfr, FALSE, FALSE, CL_MISC },
-+ { CMD, C_SITE, G_READ, copy_cpfr, FALSE, FALSE, CL_MISC },
- { CMD, C_SITE, G_WRITE, copy_cpto, FALSE, FALSE, CL_MISC },
- { POST_CMD, C_PASS, G_NONE, copy_post_pass, FALSE, FALSE },
- { LOG_CMD, C_SITE, G_NONE, copy_log_site, FALSE, FALSE },
-diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-index 778bff839..2018e71bc 100644
---- a/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-+++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-@@ -121,6 +121,15 @@ my $TESTS = {
- test_class => [qw(bug forking)],
- },
-
-+ copy_cpfr_config_limit_read_bug4372 => {
-+ order => ++$order,
-+ test_class => [qw(bug forking)],
-+ },
-+
-+ copy_cpto_config_limit_write_bug4372 => {
-+ order => ++$order,
-+ test_class => [qw(bug forking)],
-+ },
- };
-
- sub new {
-@@ -3248,6 +3257,12 @@ sub copy_config_limit_bug3399 {
-
- my ($port, $config_user, $config_group) = config_write($config_file, $config);
-
-+ my $config_subdir = $sub_dir;
-+ if ($^O eq 'darwin') {
-+ # MacOSX hack
-+ $config_subdir = '/private' . $sub_dir;
-+ }
-+
- if (open(my $fh, ">> $config_file")) {
- print $fh <<EOC;
- <Directory />
-@@ -3256,7 +3271,7 @@ sub copy_config_limit_bug3399 {
- </Limit>
- </Directory>
-
--<Directory $sub_dir>
-+<Directory $config_subdir>
- <Limit WRITE>
- AllowAll
- </Limit>
-@@ -3652,4 +3667,240 @@ sub copy_cpto_timeout_bug4263 {
- test_cleanup($setup->{log_file}, $ex);
- }
-
-+sub copy_cpfr_config_limit_read_bug4372 {
-+ my $self = shift;
-+ my $tmpdir = $self->{tmpdir};
-+ my $setup = test_setup($tmpdir, 'copy');
-+
-+ my $src_file = File::Spec->rel2abs("$tmpdir/foo.dat");
-+ if (open(my $fh, "> $src_file")) {
-+ unless (close($fh)) {
-+ die("Can't write $src_file: $!");
-+ }
-+
-+ } else {
-+ die("Can't open $src_file: $!");
-+ }
-+
-+ my $config = {
-+ PidFile => $setup->{pid_file},
-+ ScoreboardFile => $setup->{scoreboard_file},
-+ SystemLog => $setup->{log_file},
-+ TraceLog => $setup->{log_file},
-+ Trace => 'copy:20 timer:20',
-+
-+ AuthUserFile => $setup->{auth_user_file},
-+ AuthGroupFile => $setup->{auth_group_file},
-+ TimeoutIdle => 3,
-+
-+ IfModules => {
-+ 'mod_delay.c' => {
-+ DelayEngine => 'off',
-+ },
-+ },
-+ };
-+
-+ my ($port, $config_user, $config_group) = config_write($setup->{config_file},
-+ $config);
-+
-+ if (open(my $fh, ">> $setup->{config_file}")) {
-+ print $fh <<EOC;
-+<Directory />
-+ <Limit READ>
-+ DenyAll
-+ </Limit>
-+</Directory>
-+EOC
-+ unless (close($fh)) {
-+ die("Can't write $setup->{config_file}: $!");
-+ }
-+
-+ } else {
-+ die("Can't open $setup->{config_file}: $!");
-+ }
-+
-+ # Open pipes, for use between the parent and child processes. Specifically,
-+ # the child will indicate when it's done with its test by writing a message
-+ # to the parent.
-+ my ($rfh, $wfh);
-+ unless (pipe($rfh, $wfh)) {
-+ die("Can't open pipe: $!");
-+ }
-+
-+ my $ex;
-+
-+ # Fork child
-+ $self->handle_sigchld();
-+ defined(my $pid = fork()) or die("Can't fork: $!");
-+ if ($pid) {
-+ eval {
-+ my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 1);
-+ $client->login($setup->{user}, $setup->{passwd});
-+
-+ eval { $client->site('CPFR', 'foo.dat') };
-+ unless ($@) {
-+ die("SITE CPFR succeeded unexpectedly");
-+ }
-+
-+ my $resp_code = $client->response_code();
-+ my $resp_msg = $client->response_msg();
-+
-+ my $expected = 550;
-+ $self->assert($expected == $resp_code,
-+ test_msg("Expected response code $expected, got $resp_code"));
-+
-+ $expected = 'Operation not permitted';
-+ $self->assert(qr/$expected/, $resp_msg,
-+ test_msg("Expected response message '$expected', got '$resp_msg'"));
-+
-+ $client->quit();
-+ };
-+ if ($@) {
-+ $ex = $@;
-+ }
-+
-+ $wfh->print("done\n");
-+ $wfh->flush();
-+
-+ } else {
-+ eval { server_wait($setup->{config_file}, $rfh, 30) };
-+ if ($@) {
-+ warn($@);
-+ exit 1;
-+ }
-+
-+ exit 0;
-+ }
-+
-+ # Stop server
-+ server_stop($setup->{pid_file});
-+ $self->assert_child_ok($pid);
-+
-+ test_cleanup($setup->{log_file}, $ex);
-+}
-+
-+sub copy_cpto_config_limit_write_bug4372 {
-+ my $self = shift;
-+ my $tmpdir = $self->{tmpdir};
-+ my $setup = test_setup($tmpdir, 'copy');
-+
-+ my $src_file = File::Spec->rel2abs("$tmpdir/foo.dat");
-+ if (open(my $fh, "> $src_file")) {
-+ unless (close($fh)) {
-+ die("Can't write $src_file: $!");
-+ }
-+
-+ } else {
-+ die("Can't open $src_file: $!");
-+ }
-+
-+ my $dst_file = File::Spec->rel2abs("$tmpdir/bar.dat");
-+
-+ my $config = {
-+ PidFile => $setup->{pid_file},
-+ ScoreboardFile => $setup->{scoreboard_file},
-+ SystemLog => $setup->{log_file},
-+ TraceLog => $setup->{log_file},
-+ Trace => 'copy:20 timer:20',
-+
-+ AuthUserFile => $setup->{auth_user_file},
-+ AuthGroupFile => $setup->{auth_group_file},
-+ TimeoutIdle => 3,
-+
-+ IfModules => {
-+ 'mod_delay.c' => {
-+ DelayEngine => 'off',
-+ },
-+ },
-+ };
-+
-+ my ($port, $config_user, $config_group) = config_write($setup->{config_file},
-+ $config);
-+
-+ if (open(my $fh, ">> $setup->{config_file}")) {
-+ print $fh <<EOC;
-+<Directory />
-+ <Limit WRITE>
-+ DenyAll
-+ </Limit>
-+</Directory>
-+EOC
-+ unless (close($fh)) {
-+ die("Can't write $setup->{config_file}: $!");
-+ }
-+
-+ } else {
-+ die("Can't open $setup->{config_file}: $!");
-+ }
-+
-+ # Open pipes, for use between the parent and child processes. Specifically,
-+ # the child will indicate when it's done with its test by writing a message
-+ # to the parent.
-+ my ($rfh, $wfh);
-+ unless (pipe($rfh, $wfh)) {
-+ die("Can't open pipe: $!");
-+ }
-+
-+ my $ex;
-+
-+ # Fork child
-+ $self->handle_sigchld();
-+ defined(my $pid = fork()) or die("Can't fork: $!");
-+ if ($pid) {
-+ eval {
-+ my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 1);
-+ $client->login($setup->{user}, $setup->{passwd});
-+
-+ my ($resp_code, $resp_msg) = $client->site('CPFR', 'foo.dat');
-+
-+ my $expected = 350;
-+ $self->assert($expected == $resp_code,
-+ test_msg("Expected response code $expected, got $resp_code"));
-+
-+ $expected = 'File or directory exists, ready for destination name';
-+ $self->assert($expected eq $resp_msg,
-+ test_msg("Expected response message '$expected', got '$resp_msg'"));
-+
-+ eval { $client->site('CPTO', 'bar.dat') };
-+ unless ($@) {
-+ die('SITE CPTO succeeded unexpectedly');
-+ }
-+
-+ my $resp_code = $client->response_code();
-+ my $resp_msg = $client->response_msg();
-+
-+ my $expected = 550;
-+ $self->assert($expected == $resp_code,
-+ test_msg("Expected response code $expected, got $resp_code"));
-+
-+ $expected = 'Operation not permitted';
-+ $self->assert(qr/$expected/, $resp_msg,
-+ test_msg("Expected response message '$expected', got '$resp_msg'"));
-+
-+ $client->quit();
-+ };
-+ if ($@) {
-+ $ex = $@;
-+ }
-+
-+ $wfh->print("done\n");
-+ $wfh->flush();
-+
-+ } else {
-+ eval { server_wait($setup->{config_file}, $rfh, 30) };
-+ if ($@) {
-+ warn($@);
-+ exit 1;
-+ }
-+
-+ exit 0;
-+ }
-+
-+ # Stop server
-+ server_stop($setup->{pid_file});
-+ $self->assert_child_ok($pid);
-+
-+ test_cleanup($setup->{log_file}, $ex);
-+}
-+
- 1;
=====================================
debian/patches/upstream_4385 deleted
=====================================
@@ -1,147 +0,0 @@
-From 7f2f0ab15909c470cabb892e3c2a17803a439bee Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Tue, 21 Jan 2020 11:09:08 -0800
-Subject: [PATCH] Bug #4385: When handling the `keyboard-interactive`
- authentication mechanism, as used for _e.g._ PAM, make sure to properly
- handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253.
-
----
- contrib/mod_sftp/kbdint.c | 99 ++++++++++++++++++++++++++++++---------
- 1 file changed, 76 insertions(+), 23 deletions(-)
-
-diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
-index 6900f4dfc..98b0a28af 100644
---- a/contrib/mod_sftp/kbdint.c
-+++ b/contrib/mod_sftp/kbdint.c
-@@ -1,6 +1,6 @@
- /*
- * ProFTPD - mod_sftp keyboard-interactive driver mgmt
-- * Copyright (c) 2008-2017 TJ Saunders
-+ * Copyright (c) 2008-2020 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -254,6 +254,77 @@ int sftp_kbdint_send_challenge(const char *user, const char *instruction,
- return res;
- }
-
-+static struct ssh2_packet *read_response_packet(pool *p) {
-+ struct ssh2_packet *pkt = NULL;
-+
-+ /* Keep looping until we get the desired message, or we time out. */
-+ while (pkt == NULL) {
-+ int res;
-+ char mesg_type;
-+
-+ pr_signals_handle();
-+
-+ pkt = sftp_ssh2_packet_create(kbdint_pool);
-+ res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
-+ if (res < 0) {
-+ int xerrno = errno;
-+
-+ destroy_pool(pkt->pool);
-+
-+ errno = xerrno;
-+ return NULL;
-+ }
-+
-+ pr_response_clear(&resp_list);
-+ pr_response_clear(&resp_err_list);
-+
-+ /* Per RFC 4253, Section 11, DEBUG, DISCONNECT, IGNORE, and UNIMPLEMENTED
-+ * messages can occur at any time, even during KEX. We have to be prepared
-+ * for this, and Do The Right Thing(tm).
-+ */
-+
-+ mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
-+
-+ switch (mesg_type) {
-+ case SFTP_SSH2_MSG_DEBUG:
-+ sftp_ssh2_packet_handle_debug(pkt);
-+ pkt = NULL;
-+ break;
-+
-+ case SFTP_SSH2_MSG_DISCONNECT:
-+ sftp_ssh2_packet_handle_disconnect(pkt);
-+ pkt = NULL;
-+ break;
-+
-+ case SFTP_SSH2_MSG_IGNORE:
-+ sftp_ssh2_packet_handle_ignore(pkt);
-+ pkt = NULL;
-+ break;
-+
-+ case SFTP_SSH2_MSG_UNIMPLEMENTED:
-+ sftp_ssh2_packet_handle_unimplemented(pkt);
-+ pkt = NULL;
-+ break;
-+
-+ case SFTP_SSH2_MSG_USER_AUTH_INFO_RESP:
-+ pr_trace_msg(trace_channel, 13,
-+ "received expected %s message",
-+ sftp_ssh2_packet_get_mesg_type_desc(mesg_type));
-+ break;
-+
-+ default:
-+ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-+ "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
-+ sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
-+ destroy_pool(pkt->pool);
-+ errno = EPERM;
-+ return NULL;
-+ }
-+ }
-+
-+ return pkt;
-+}
-+
- int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
- uint32_t *rcvd_count, const char ***responses) {
- register unsigned int i;
-@@ -261,8 +332,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
- cmd_rec *cmd;
- array_header *list;
- uint32_t buflen, resp_count;
-- struct ssh2_packet *pkt;
-- char mesg_type;
-+ struct ssh2_packet *pkt = NULL;
- int res;
- pool *resp_pool = NULL;
-
-@@ -273,32 +343,15 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
- return -1;
- }
-
-- pkt = sftp_ssh2_packet_create(kbdint_pool);
--
-- res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
-- if (res < 0) {
-- destroy_pool(pkt->pool);
-- return res;
-+ pkt = read_response_packet(p);
-+ if (pkt == NULL) {
-+ return -1;
- }
-
-- pr_response_clear(&resp_list);
-- pr_response_clear(&resp_err_list);
--
- /* Cache a reference to the current response pool used. */
- resp_pool = pr_response_get_pool();
- pr_response_set_pool(pkt->pool);
-
-- mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
-- if (mesg_type != SFTP_SSH2_MSG_USER_AUTH_INFO_RESP) {
-- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-- "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
-- sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
-- destroy_pool(pkt->pool);
-- pr_response_set_pool(resp_pool);
-- errno = EPERM;
-- return -1;
-- }
--
- cmd = pr_cmd_alloc(pkt->pool, 2, pstrdup(pkt->pool, "USER_AUTH_INFO_RESP"));
- cmd->arg = "(data)";
-
=====================================
debian/patches/upstream_pull_567 deleted
=====================================
@@ -1,176 +0,0 @@
-From 1fb36bcbf7c214aa146875420de12f5407107672 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Fri, 1 Sep 2017 23:08:41 -0700
-Subject: [PATCH] Bug#4314: When retrieving the appropriate <Anonymous> section
- for a client, the configured User/Group retrieved were from the parent
- section, not the retrieved <Anonymous> section. This appeared to cause
- regressions when "AuthAliasOnly on" was used. Let's hope that _this_ change
- does not itself cause regressions.
-
-The whole AuthAliasOnly is so buggy/fragile it should be removed entirely.
----
- modules/mod_auth.c | 5 +
- src/auth.c | 8 ++
- .../lib/ProFTPD/Tests/Config/AuthAliasOnly.pm | 113 ++++++++++++++++++
- 3 files changed, 126 insertions(+)
-
---- proftpd-dfsg.orig/modules/mod_auth.c
-+++ proftpd-dfsg/modules/mod_auth.c
-@@ -1039,6 +1039,11 @@
- origuser = user;
- c = pr_auth_get_anon_config(p, &user, &ourname, &anonname);
- if (c != NULL) {
-+ pr_trace_msg("auth", 13,
-+ "found <Anonymous> config: login user = %s, config user = %s, "
-+ "anon name = %s", user != NULL ? user : "(null)",
-+ ourname != NULL ? ourname : "(null)",
-+ anonname != NULL ? anonname : "(null)");
- session.anon_config = c;
- }
-
---- proftpd-dfsg.orig/src/auth.c
-+++ proftpd-dfsg/src/auth.c
-@@ -1784,6 +1784,14 @@
- }
- }
-
-+ if (anon_config != NULL) {
-+ config_user_name = get_param_ptr(anon_config->subset, "UserName", FALSE);
-+ if (config_user_name != NULL &&
-+ real_user != NULL) {
-+ *real_user = config_user_name;
-+ }
-+ }
-+
- return anon_config;
- }
-
---- proftpd-dfsg.orig/tests/t/lib/ProFTPD/Tests/Config/AuthAliasOnly.pm
-+++ proftpd-dfsg/tests/t/lib/ProFTPD/Tests/Config/AuthAliasOnly.pm
-@@ -40,6 +40,11 @@
- test_class => [qw(bug forking rootprivs)],
- },
-
-+ authaliasonly_on_anon_bug4314 => {
-+ order => ++$order,
-+ test_class => [qw(bug forking rootprivs)],
-+ },
-+
- };
-
- sub new {
-@@ -626,6 +631,114 @@
- if ($@) {
- $ex = $@;
- }
-+
-+ $wfh->print("done\n");
-+ $wfh->flush();
-+
-+ } else {
-+ eval { server_wait($setup->{config_file}, $rfh) };
-+ if ($@) {
-+ warn($@);
-+ exit 1;
-+ }
-+
-+ exit 0;
-+ }
-+
-+ # Stop server
-+ server_stop($setup->{pid_file});
-+ $self->assert_child_ok($pid);
-+
-+ test_cleanup($setup->{log_file}, $ex);
-+}
-+
-+sub authaliasonly_on_anon_bug4314 {
-+ my $self = shift;
-+ my $tmpdir = $self->{tmpdir};
-+ my $setup = test_setup($tmpdir, 'config');
-+
-+ my ($config_user, $config_group) = config_get_identity();
-+
-+ my $config = {
-+ PidFile => $setup->{pid_file},
-+ ScoreboardFile => $setup->{scoreboard_file},
-+ SystemLog => $setup->{log_file},
-+ TraceLog => $setup->{log_file},
-+ Trace => 'auth:20',
-+
-+ User => $config_user,
-+ Group => $config_group,
-+
-+ AuthUserFile => $setup->{auth_user_file},
-+ AuthGroupFile => $setup->{auth_group_file},
-+ AuthOrder => 'mod_auth_file.c',
-+
-+ Anonymous => {
-+ $setup->{home_dir} => {
-+ User => $setup->{user},
-+ Group => $setup->{group},
-+ RequireValidShell => 'off',
-+ UserAlias => "anonymous $setup->{user}",
-+ AuthAliasOnly => 'on',
-+ AnonRequirePassword => 'off',
-+ },
-+ },
-+
-+ IfModules => {
-+ 'mod_delay.c' => {
-+ DelayEngine => 'off',
-+ },
-+ },
-+ };
-+
-+ my $port;
-+ ($port, $config_user, $config_group) = config_write($setup->{config_file},
-+ $config);
-+
-+ # Open pipes, for use between the parent and child processes. Specifically,
-+ # the child will indicate when it's done with its test by writing a message
-+ # to the parent.
-+ my ($rfh, $wfh);
-+ unless (pipe($rfh, $wfh)) {
-+ die("Can't open pipe: $!");
-+ }
-+
-+ my $ex;
-+
-+ # Fork child
-+ $self->handle_sigchld();
-+ defined(my $pid = fork()) or die("Can't fork: $!");
-+ if ($pid) {
-+ eval {
-+ sleep(1);
-+
-+ # First, try logging in as user 'anonymous', i.e. the alias.
-+ my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port, 0, 1);
-+ my ($resp_code, $resp_msg) = $client->user("anonymous");
-+
-+ my $expected = 331;
-+ $self->assert($expected == $resp_code,
-+ "Expected response code $expected, got $resp_code");
-+
-+ $expected = 'Anonymous login ok, send your complete email address as your password';
-+ $self->assert($expected eq $resp_msg,
-+ "Expected response message '$expected', got '$resp_msg'");
-+
-+ ($resp_code, $resp_msg) = $client->pass('ftp at nospam.org');
-+
-+ $expected = 230;
-+ $self->assert($expected == $resp_code,
-+ "Expected response code $expected, got $resp_code");
-+
-+ $expected = 'Anonymous access granted, restrictions apply';
-+ $self->assert($expected eq $resp_msg,
-+ "Expected response message '$expected', got '$resp_msg'");
-+
-+ $client->quit();
-+ };
-+ if ($@) {
-+ $ex = $@;
-+ }
-
- $wfh->print("done\n");
- $wfh->flush();
=====================================
debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 deleted
=====================================
@@ -1,35 +0,0 @@
-From 81cc5dce4fc0285629a1b08a07a109af10c208dd Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj at castaglia.org>
-Date: Sun, 24 Nov 2019 14:03:54 -0800
-Subject: [PATCH] Issue #859, #861: Fix handling of CRL lookups by properly
- using issuer for lookups, and guarding against null pointers.
-
----
- contrib/mod_tls.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- proftpd-dfsg.orig/contrib/mod_tls.c
-+++ proftpd-dfsg/contrib/mod_tls.c
-@@ -9065,10 +9065,10 @@
-
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(HAVE_LIBRESSL)
-- crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
-+ crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
- #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
- !defined(HAVE_LIBRESSL)
-- crls = X509_STORE_get1_crls(store_ctx, subject);
-+ crls = X509_STORE_get1_crls(store_ctx, issuer);
- #else
- /* Your OpenSSL is before 1.0.0. You really need to upgrade. */
- crls = NULL;
-@@ -9087,6 +9087,9 @@
- ASN1_INTEGER *sn;
-
- revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
-+ if (revoked == NULL) {
-+ continue;
-+ }
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(HAVE_LIBRESSL)
- sn = X509_REVOKED_get0_serialNumber(revoked);
View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/cb38485e59579c593362c005e863020b80b815d0