Hello, a few days ago ProFTPD 1.3.2d [1,2] (just a bugfix release of the stable ProFTPD 1.3.2) and ProFTPD 1.3.3rc4 [3,4] were released. As there are no big changes in ProFTPD 1.3.2d, a copy of the proftpd-1.3.2c.ebuild should work. Maybe we should bump mod_deflate to 0.5 in proftpd_1.3.2d.ebuild. Furthermore I will attach a ProFTPD 1.3.3rc4 ebuild patch (proftpd-1.3.3_rc4.ebuild.patch against proftpd-1.3.3_rc3-r1.ebuild) and the proftpd.initd, which have the following changes:

* Update mod_deflate to 0.5.
* Remove redundant patch.
* Some code style changes.
* Rename proftpd.rc7 to proftpd.initd with some changes:
  * Update "use" dependencies. Fixes Gentoo Bug #301266.
  * Add existence check of /var/run/proftpd. If this needed directory is missing (e.g. if /var/run is a tmpfs), create it. Fixes Gentoo Bug #301264.
  * Small code style changes.

Best regards,
Bernd Lommerzheim

[1] http://proftpd.org/docs/RELEASE_NOTES-1.3.2d
[2] http://proftpd.org/docs/NEWS-1.3.2d
[3] http://proftpd.org/docs/RELEASE_NOTES-1.3.3rc4
[4] http://proftpd.org/docs/NEWS-1.3.3rc4
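As an added illustration (not the attached proftpd.initd and not Gentoo's own init script), here is a POSIX sh version of the /var/run/proftpd existence check described above: it recreates the directory when /var/run is an empty tmpfs after boot, but refuses a symlink or a non-directory at that path so the daemon's pidfile location cannot be redirected. The function name and its path, mode and owner arguments are assumptions.

```shell
#!/bin/sh
# ensure_rundir DIR [MODE] [OWNER]
# Make sure the daemon's runtime directory exists before starting it.
# A symlink or a regular file at DIR is rejected rather than followed,
# because a pre-planted link there would redirect pidfile creation.
ensure_rundir() {
    rundir=$1
    runmode=${2:-0755}
    runowner=$3

    if [ -L "$rundir" ]; then
        echo "ensure_rundir: $rundir is a symlink, refusing" >&2
        return 1
    fi
    if [ -e "$rundir" ] && [ ! -d "$rundir" ]; then
        echo "ensure_rundir: $rundir exists but is not a directory" >&2
        return 1
    fi
    if [ ! -d "$rundir" ]; then
        # /var/run on tmpfs is empty after boot: recreate the directory.
        mkdir -p "$rundir" || return 1
    fi
    # Apply mode explicitly so an inherited umask does not leave it open.
    chmod "$runmode" "$rundir" || return 1
    if [ -n "$runowner" ]; then
        chown "$runowner" "$rundir" || return 1
    fi
    return 0
}

# Example call as an init script would use it (owner assumed to exist):
# ensure_rundir /var/run/proftpd 0755 proftpd:proftpd
```

On OpenRC the same check is available as `checkpath -d -m 0755 -o proftpd /var/run/proftpd`.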
Created attachment 219843: proftpd-1.3.3_rc4.ebuild (patch against proftpd-1.3.3_rc3-r1.ebuild)
Created attachment 219845: proftpd.initd (replaces proftpd.rc7)
Created attachment 219893: proftpd.initd (replaces proftpd.rc7)
The previous version bump (bug #295545) missed this bit:

1.3.2c (maintenance)
---------------------
+ Added Taiwan translation.
+ Added a workaround in mod_tls to deal with the vulnerability found in SSL/TLS protocol during renegotiation (CVE-2009-3555). Good descriptions of this vulnerability can be found here:
  http://extendedsubset.com/?p=8
  http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
  The workaround implemented in mod_tls (Bug#3324) is one of the suggested mitigation approaches: the server now refuses all client-initiated SSL/TLS session renegotiations.

and the latest release adds this:

1.3.2d (maintenance)
---------------------
+ Fixed mod_tls compilation when using OpenSSL versions older than 0.9.7.
I think we should add ProFTPD 1.3.2d to the portage tree and start a stabilization request for it. Although it does not directly fix a security issue it solves some segfaults and compatibility problems.
Ok, 1.3.3_rc4 added in tree with your changes, thanks Bernd! I've also added 1.3.2d as a simple copy of 1.3.2c, to keep minimal changes for testing. Thanks Jer for spotting the security issue; I recommend a 1.3.2d stable round then, target arches: alpha amd64 hppa ppc ppc64 sparc x86
obsolete by bug 307075
Arches, please test and mark stable: =net-ftp/proftpd-1.3.2d Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
x86 stable
amd64 stable
ppc64 done
Marked ppc stable.
Stable for HPPA.
alpha/sparc stable
GLSA with 343389.
CVE-2009-3555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555): The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).