Backport ProFTPd security fix

Francesco P. Lovergine frankie at debian.org
Sat Sep 26 17:04:48 BST 2020


On Sat, Sep 26, 2020 at 05:30:26PM +0200, Jozef Sudolsky ELBIA s. r. o. wrote:
>Hi guys,
>
>ProFTPd 1.3.6, which is a part of Debian Buster, contains a bug which 
>causes client-initiated renegotiation for FTPS to be enabled by 
>default without a way of disabling it (=no workaround). There is 
>already a fix which will be part of next 1.3.7b and 1.3.8 releases but 
>won't be backported to 1.3.6 line. As client-initiated renegotiation 
>can be used to DoS attack, I believe the fix should be backported to 
>Debian Buster.
>
>More info here:
>https://github.com/proftpd/proftpd/issues/1119
>
>What do you think?
>

I'll personally have a slot on Monday to keep an eye on that and
possibly prepare a backport.

-- 
Francesco P. Lovergine