From Secunia:

Description: A security issue has been reported in ProFTPD, which can be exploited by malicious people to conduct spoofing attacks. The security issue is caused due to an error in the "mod_tls" module when processing client SSL certificates. This can be exploited to trick a server into accepting a potentially malicious SSL certificate by including a NULL character in the "subjectAltName" certificate field.

Solution: Update to version 1.3.2b.

Provided and/or discovered by: Reported by the vendor.

Original Advisory: http://bugs.proftpd.org/show_bug.cgi?id=3275
Maintainers, please bump.
1.3.2b and 1.3.3_rc3 are in tree (from bug #290262), I suggest stabling 1.3.2b
Arches, please test and mark stable: =net-ftp/proftpd-1.3.2b
Target keywords: "alpha amd64 hppa ppc ppc64 sparc x86"
x86 stable
alpha/sparc stable
Stable for HPPA.
ppc64 done
CVE-2009-3639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3639): The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
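The bug class behind CVE-2009-3639 (and CVE-2009-2408) is a length mismatch: a dNSName in subjectAltName is a DER string with an explicit length, but code that hands it to C string functions stops at the first '\0', so "www.example.com\0attacker.example" compares equal to "www.example.com". The following is an added example written for this bug, not ProFTPD's mod_tls code: the `struct dnsname` stand-in for an ASN.1 IA5String (OpenSSL's ASN1_IA5STRING carries `->data` and `->length` the same way), the function names, and the sample SAN values are all constructed for illustration. It puts the vulnerable comparison beside a length-aware one that also rejects embedded NUL bytes outright.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a decoded subjectAltName dNSName entry:
 * a byte pointer plus the explicit DER length (the value is NOT
 * guaranteed to be NUL-terminated and may contain embedded NULs). */
struct dnsname {
    const unsigned char *data;
    size_t len;
};

static int ascii_lower(int c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Vulnerable pattern: treat the DER value as a NUL-terminated C string.
 * Everything after an embedded '\0' is silently ignored, so the name the
 * CA signed and the name the server compares are not the same string. */
int dnsname_matches_vuln(const struct dnsname *san, const char *expected_host)
{
    const char *s = (const char *)san->data;
    size_t i;
    for (i = 0; s[i] != '\0' && expected_host[i] != '\0'; i++)
        if (ascii_lower((unsigned char)s[i]) !=
            ascii_lower((unsigned char)expected_host[i]))
            return 0;
    return s[i] == '\0' && expected_host[i] == '\0';
}

/* A hostname can never legitimately contain a NUL byte; its presence
 * means the certificate was crafted to exploit C-string handling. */
int dnsname_has_embedded_nul(const struct dnsname *san)
{
    return memchr(san->data, '\0', san->len) != NULL;
}

/* Hardened pattern: refuse NUL-bearing names, then compare using the
 * DER length, never a strlen() of the value. Matching is ASCII
 * case-insensitive (RFC 1123 hostnames), exact otherwise; wildcard
 * handling is intentionally out of scope for this example. */
int dnsname_matches_safe(const struct dnsname *san, const char *expected_host)
{
    size_t i, elen = strlen(expected_host);
    if (san->len == 0 || dnsname_has_embedded_nul(san))
        return 0;
    if (san->len != elen)
        return 0;
    for (i = 0; i < san->len; i++) {
        unsigned char c = san->data[i];
        if (c < 0x21 || c > 0x7e)          /* control or non-ASCII: not a hostname */
            return 0;
        if (ascii_lower(c) != ascii_lower((unsigned char)expected_host[i]))
            return 0;
    }
    return 1;
}

/* Constructed sample SAN values (not taken from any real certificate).
 * sizeof - 1 strips only the literal's terminating NUL; the embedded
 * one in CRAFTED stays inside the counted length (15 + 1 + 16 = 32). */
static const unsigned char CRAFTED[] = "www.example.com\0attacker.example";
static const unsigned char GENUINE[] = "www.example.com";
static const unsigned char MIXED[]   = "WWW.Example.COM";

const struct dnsname *crafted_san(void)
{
    static const struct dnsname d = { CRAFTED, sizeof(CRAFTED) - 1 };
    return &d;
}

const struct dnsname *genuine_san(void)
{
    static const struct dnsname d = { GENUINE, sizeof(GENUINE) - 1 };
    return &d;
}

const struct dnsname *mixedcase_san(void)
{
    static const struct dnsname d = { MIXED, sizeof(MIXED) - 1 };
    return &d;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("crafted  vuln=%d safe=%d\n",
           dnsname_matches_vuln(crafted_san(), host),
           dnsname_matches_safe(crafted_san(), host));
    printf("genuine  vuln=%d safe=%d\n",
           dnsname_matches_vuln(genuine_san(), host),
           dnsname_matches_safe(genuine_san(), host));
    return 0;
}
```

The crafted name passes the C-string comparison and fails the length-aware one; a genuine name passes both. The point for reviewers of certificate-handling code is that any `strcmp`/`strncmp`/`strlen` applied to ASN.1 string contents is the bug, regardless of which field it is applied to.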
ppc stable
amd64 stable, all arches done.
Ready to vote, I vote NO. I know that we had GLSAs for curl and wget on the same technical issue, but those are used by other software extensively (think of libcurl in php etc.).
GLSA vote: No. While SFTP is in active use around the world, FTPS is in fact rare. Use of client certificates for FTPS is something I haven't even seen in use anywhere. The target audience is very, very small.
Closing noglsa. Feel free to reopen if you think otherwise.