Backport ProFTPd security fix

Francesco P. Lovergine frankie at debian.org
Mon Sep 28 14:49:39 BST 2020


On Sat, Sep 26, 2020 at 06:04:48PM +0200, Francesco P. Lovergine wrote:
>On Sat, Sep 26, 2020 at 05:30:26PM +0200, Jozef Sudolsky ELBIA s. r. o. wrote:
>>Hi guys,
>>
>>ProFTPd 1.3.6, which is a part of Debian Buster, contains a bug
>>which causes client-initiated renegotiation for FTPS to be enabled
>>by default without a way of disabling it (=no workaround). There is
>>already a fix which will be part of the next 1.3.7b and 1.3.8 releases
>>but won't be backported to the 1.3.6 line. As client-initiated
>>renegotiation can be used for a DoS attack, I believe the fix should be
>>backported to Debian Buster.
>>
>>More info here:
>>https://github.com/proftpd/proftpd/issues/1119
>>
>>What do you think?
>>
>
>I'll personally have a slot on Monday to keep an eye on that and possibly
>prepare a backport.
>

Apparently there is nothing more than the included patch to be applied to the
1.3.6 tree (as for the current d-security source).

-- 
Francesco P. Lovergine
-------------- next part --------------
Index: proftpd-dfsg-1.3.6/contrib/mod_tls.c
===================================================================
--- proftpd-dfsg-1.3.6.orig/contrib/mod_tls.c
+++ proftpd-dfsg-1.3.6/contrib/mod_tls.c
@@ -951,7 +951,10 @@ static void tls_info_cb(const SSL *ssl,
     }
 
   } else if (where & SSL_CB_HANDSHAKE_DONE) {
-    if (ssl == ctrl_ssl) {
+    /* ctrl_ssl is NULL if this is our initial ctrl SSL, and the handshake has
+     * not be completed yet.
+     */
+    if (ctrl_ssl == NULL) {
       if (tls_ctrl_need_init_handshake == FALSE) {
         int reused;
 
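
Review bot: In the SSL_CB_HANDSHAKE_DONE branch, the new test `ctrl_ssl == NULL` no longer looks at the `ssl` argument passed to tls_info_cb(), so any handshake that completes while ctrl_ssl is still unset takes the initial control-channel path. If the code guarantees that only the control connection can finish a handshake before ctrl_ssl is assigned, state that invariant in the new comment so the backport can be checked against the 1.3.6 tree; if it does not, the condition needs a way to tell the control session apart from others. The added comment also has a typo: "has not be completed yet" should read "has not been completed yet".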

