I discovered a bug in proftpd: it ignores the Diffie-Hellman parameters configured by the user with TLSDHParamFile and uses predefined 1024-bit parameters. 1024-bit Diffie-Hellman is considered risky these days and may be breakable by a powerful attacker. Upstream has fixed this in 1.3.5b. See http://bugs.proftpd.org/show_bug.cgi?id=4230
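One way a server operator can confirm that a configured TLSDHParamFile is actually in effect is to look at the ephemeral key size reported by an OpenSSL client handshake. The script below is an added example written for this page, not code from the ProFTPD project or from this bug: it parses the output of `openssl s_client -starttls ftp` (the `Server Temp Key:` line that OpenSSL 1.0.2 and later print) and flags a negotiated DH group below an assumed 2048-bit policy threshold. The sample output strings are constructed, and the host and port passed to `check_host` are placeholders.

```python
"""Check the ephemeral Diffie-Hellman group size a TLS server actually negotiates.

Added example for this bug report; not part of ProFTPD or the Gentoo tree.
Parses `openssl s_client -starttls ftp` output and flags a DH group smaller
than MIN_DH_BITS, which is how an operator verifies that the file given to
TLSDHParamFile is really being used rather than a built-in 1024-bit group.
"""
import re
import subprocess
from typing import Optional, Tuple

# Assumed policy threshold: 1024-bit DH is the weakness described in the report.
MIN_DH_BITS = 2048

# Matches lines such as:
#   "Server Temp Key: DH, 1024 bits"
#   "Server Temp Key: ECDH, P-256, 256 bits"
#   "Server Temp Key: X25519, 253 bits"
_TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(\w+),\s*(?:[^,\n]+,\s*)?(\d+)\s*bits", re.MULTILINE
)

# Constructed sample output (not captured from a real server) for a handshake
# that fell back to the built-in 1024-bit group, i.e. the bug in this report.
SAMPLE_WEAK = (
    "CONNECTED(00000003)\n"
    "---\n"
    "No client certificate CA names sent\n"
    "Server Temp Key: DH, 1024 bits\n"
    "---\n"
    "New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA\n"
)

# Constructed sample output for a server honouring a 2048-bit TLSDHParamFile.
SAMPLE_FIXED = (
    "CONNECTED(00000003)\n"
    "---\n"
    "Server Temp Key: DH, 2048 bits\n"
    "---\n"
    "New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA\n"
)


def parse_temp_key(s_client_output: str) -> Optional[Tuple[str, int]]:
    """Return (key_type, bits) from s_client output, or None when no
    'Server Temp Key' line is present (older OpenSSL, or a static RSA
    key exchange that uses no ephemeral key at all)."""
    match = _TEMP_KEY_RE.search(s_client_output)
    if not match:
        return None
    return match.group(1), int(match.group(2))


def assess(s_client_output: str, min_dh_bits: int = MIN_DH_BITS) -> str:
    """Classify the negotiated key exchange.

    Returns one of:
      'weak-dh'          finite-field DH below the threshold
      'ok'               finite-field DH at or above the threshold
      'ecdh'             elliptic-curve exchange (size policy differs, not checked here)
      'no-ephemeral-key' no ephemeral key reported
    """
    parsed = parse_temp_key(s_client_output)
    if parsed is None:
        return "no-ephemeral-key"
    key_type, bits = parsed
    if key_type == "DH":
        return "weak-dh" if bits < min_dh_bits else "ok"
    if key_type in ("ECDH", "X25519", "X448"):
        return "ecdh"
    return "ok"


def check_host(host: str, port: int = 21, timeout: int = 15) -> str:
    """Run a STARTTLS handshake against a live FTP server and classify it.
    host/port are placeholders supplied by the caller; requires the openssl CLI."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-starttls", "ftp"],
        input=b"",  # close stdin so s_client exits after the handshake
        capture_output=True,
        timeout=timeout,
    )
    return assess(proc.stdout.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(f"{label}: {parse_temp_key(sample)} -> {assess(sample)}")
```

Run against the constructed samples, the script reports `weak-dh` for the 1024-bit handshake and `ok` for the 2048-bit one; pointing `check_host` at a real server after the 1.3.5b upgrade gives the same classification for the group that server actually negotiates.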
Pushed 1.3.5b addressing the issue as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6870b2269b486c6456bc3402fc4e23d4d31ee6c7 Thank you!
Can we start stabilizing?
@arches, please stabilize: =net-ftp/proftpd-1.3.5b
amd64 stable
x86 stable
Stable for HPPA, PPC64.
ppc stable
arm stable
Stable on alpha.
@maintainer, please cleanup the vulnerable version.
Dropped as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c956361dce86ec2c3fed71e0502d12a53b1cfd
CVE-2016-3125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3125): The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.
(In reply to Sergei Trofimovich from comment #11)
> Dropped as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c956361dce86ec2c3fed71e0502d12a53b1cfd

Thanks! GLSA Vote: No