Backport ProFTPd security fix
Francesco P. Lovergine
frankie at debian.org
Sat Sep 26 17:04:48 BST 2020
On Sat, Sep 26, 2020 at 05:30:26PM +0200, Jozef Sudolsky ELBIA s. r. o. wrote:
>Hi guys,
>
>ProFTPd 1.3.6, which is a part of Debian Buster, contains a bug which
>causes client-initiated renegotiation for FTPS to be enabled by
>default without a way of disabling it (=no workaround). There is
>already a fix which will be part of the next 1.3.7b and 1.3.8 releases but
>won't be backported to the 1.3.6 line. As client-initiated renegotiation
>can be used for a DoS attack, I believe the fix should be backported to
>Debian Buster.
>
>More info here:
>https://github.com/proftpd/proftpd/issues/1119
>
>What do you think?
>
I'll personally have a slot on Monday to keep an eye on that and possibly
prepare a backport.
--
Francesco P. Lovergine