A security issue has been reported in ProFTPD, which can be exploited by malicious people to conduct spoofing attacks.
The security issue is caused due to an error in the "mod_tls" module when processing client SSL certificates. This can be exploited to trick a server into accepting a potentially malicious SSL certificate by including a NULL character in the "subjectAltName" certificate field.
Update to version 1.3.2b.
Provided and/or discovered by:
Reported by the vendor.
Maintainers, please bump.
1.3.2b and 1.3.3_rc3 are in tree (from bug #290262), I suggest stabling 1.3.2b
Arches, please test and mark stable:
Target keywords: "alpha amd64 hppa ppc ppc64 sparc x86"
Stable for HPPA.
The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before
1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not
properly handle a '\0' character in a domain name in the Subject
Alternative Name field of an X.509 client certificate, which allows
remote attackers to bypass intended client-hostname restrictions via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408.
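An added illustration of the defect the CVE text describes, written for this thread and not taken from ProFTPD's mod_tls: a minimal DER walker that pulls the dNSName entries out of a SubjectAltName, a strlen()-style comparison that stops at the embedded NUL and accepts the name, and the corrected check that compares the full ASN.1 length and rejects it. The SAN bytes and the set of expected client names are constructed.

```python
def der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]; handles short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(san_der):
    """Walk a GeneralNames SEQUENCE and return the raw bytes of each dNSName ([2], tag 0x82)."""
    tag, seq, _ = der_read(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        t, v, pos = der_read(seq, pos)
        if t == 0x82:
            names.append(v)
    return names

def flawed_match(san_der, allowed):
    """Mimics the defect: the name is handled as a C string, so strlen() stops at the first NUL."""
    for raw in san_dns_names(san_der):
        cstr = raw.split(b"\x00", 1)[0]
        if cstr.decode("ascii").lower() in allowed:
            return True
    return False

def strict_match(san_der, allowed):
    """Corrected check: the ASN.1 length must equal the C-string length and the name must be plain ASCII."""
    for raw in san_dns_names(san_der):
        if b"\x00" in raw or not raw.isascii():
            return False                    # reject the certificate outright, do not just skip the entry
        if raw.decode("ascii").lower() in allowed:
            return True
    return False

def encode_san(names):
    """Constructed helper: DER-encode a SubjectAltName holding the given dNSName byte strings."""
    body = b"".join(bytes([0x82, len(n)]) + n for n in names)
    return bytes([0x30, len(body)]) + body

# Constructed samples (not taken from any real certificate); ALLOWED stands in for
# the hostname a dNSNameRequired server expects the connecting client to present.
ALLOWED = {"ftp.example.com"}
GOOD_SAN = encode_san([b"ftp.example.com"])
NUL_SAN = encode_san([b"ftp.example.com\x00.not-really.example"])
```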
amd64 stable, all arches done.
Ready to vote, I vote NO.
I know that we had GLSAs for curl and wget on the same technical issue, but those are used by other software extensively (think of libcurl in php etc.).
GLSA vote: No.
While SFTP is in active use around the world, FTPS is in fact rare. Use of client certificates for FTPS is something I haven't even seen in use anywhere. The target audience is very, very small.
Feel free to reopen if you think otherwise.