Backport ProFTPd security fix

Jozef Sudolsky ELBIA s. r. o. jozef.sudolsky at elbia.sk
Sat Sep 26 16:30:26 BST 2020


Hi guys,

ProFTPd 1.3.6, which is part of Debian Buster, contains a bug which
causes client-initiated renegotiation for FTPS to be enabled by
default without a way of disabling it (= no workaround). There is
already a fix which will be part of the next 1.3.7b and 1.3.8 releases but
won't be backported to the 1.3.6 line. As client-initiated renegotiation
can be used for a DoS attack, I believe the fix should be backported to
Debian Buster.

More info here:
https://github.com/proftpd/proftpd/issues/1119

What do you think?

Have a nice day.


--
Best regards
Bc. Jozef Sudolsky

ELBIA, s. r. o.
Stoličková 870/4
974 01 Banská Bystrica

Company ID (IČO): 36 702 897
VAT ID (IČ DPH): SK2022300995
The company is registered in the Commercial Register kept by the District
Court in Banská Bystrica, Section Sro, file number 12334/S.

Please consider the environment before printing this e-mail. Thanks.




More information about the Pkg-proftpd-maintainers mailing list