Backport ProFTPd security fix
Francesco P. Lovergine
frankie at debian.org
Mon Sep 28 14:49:39 BST 2020
On Sat, Sep 26, 2020 at 06:04:48PM +0200, Francesco P. Lovergine wrote:
>On Sat, Sep 26, 2020 at 05:30:26PM +0200, Jozef Sudolsky ELBIA s. r. o. wrote:
>>Hi guys,
>>
>>ProFTPd 1.3.6, which is a part of Debian Buster, contains a bug
>>which causes client-initiated renegotiation for FTPS to be enabled
>>by default without a way of disabling it (=no workaround). There is
>>already a fix which will be part of the next 1.3.7b and 1.3.8 releases
>>but won't be backported to the 1.3.6 line. As client-initiated
>>renegotiation can be used for a DoS attack, I believe the fix should be
>>backported to Debian Buster.
>>
>>More info here:
>>https://github.com/proftpd/proftpd/issues/1119
>>
>>What do you think?
>>
>
>I'll personally have a slot on Monday to keep an eye on that and possibly
>prepare a backport.
>
Apparently there is nothing more than the included patch to be applied to the
1.3.6 tree (as for the current d-security source).
--
Francesco P. Lovergine
-------------- next part --------------
Index: proftpd-dfsg-1.3.6/contrib/mod_tls.c
===================================================================
--- proftpd-dfsg-1.3.6.orig/contrib/mod_tls.c
+++ proftpd-dfsg-1.3.6/contrib/mod_tls.c
@@ -951,7 +951,10 @@ static void tls_info_cb(const SSL *ssl,
}
} else if (where & SSL_CB_HANDSHAKE_DONE) {
- if (ssl == ctrl_ssl) {
+ /* ctrl_ssl is NULL if this is our initial ctrl SSL, and the handshake has
+ * not be completed yet.
+ */
+ if (ctrl_ssl == NULL) {
if (tls_ctrl_need_init_handshake == FALSE) {
int reused;
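Review bot: the new test `if (ctrl_ssl == NULL)` in the SSL_CB_HANDSHAKE_DONE branch no longer involves the `ssl` argument passed to tls_info_cb, so its correctness rests on ctrl_ssl being assigned only after the initial control-channel handshake has finished, and on no other SSL session reaching this callback while ctrl_ssl is still NULL. I would state that invariant in the added comment, which currently only says when ctrl_ssl is NULL, and confirm that a handshake completing on a non-control session cannot enter this branch. Minor: "has not be completed yet" in the added comment should read "has not been completed yet".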