Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13829 closed enhancement (fixed)

proftpd-1.3.7a

Reported by: Bruce Dubbs
Owned by: Bruce Dubbs
Priority: normal
Milestone: 10.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Bruce Dubbs, 4 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 4 years ago

1.3.7a - Released 21-Jul-2020

  • Issue 1055 - Fix build-time regression when using the --localstatedir configure option.

1.3.7 - Released 20-Jul-2020

  • Issue 1027 - mod_ldap crashes at ldap_mod_init().
  • Issue 1038 - Support the SOURCE_DATE_EPOCH environment variable, for reproducible builds.
  • Issue 1043 - Invalid SCP command leads to null pointer dereference.

1.3.7rc4 - Released 30-May-2020

  • Bug 4376 - mod_sftp incorrectly handles SFTP protocol version 5/6 disposition flag.
  • Issue 908 - mod_sql_passwd fails to compile on FreeBSD due to timingsafe_bcmp function.
  • Issue 907 - Implemented support for RSA SHA-2 publickey signatures in mod_sftp, per RFC 8332.
  • Issue 912 - Support logging of data transfer remote ports in ExtendedLog.
  • Issue 317 - Implement pread(2), pwrite(2) FSIO API.
  • Issue 857 - Fixed regression in the handling of %{env:...} configuration variables when the environment variable is not present.
  • Issue 940 - Second LIST of the same symlink shows different results.
  • Bug 4394 - LogFormat %a gives local server IP address instead of remote client IP address.
  • Issue 946 - Improve handling of ldaps URLs, LDAPUseTLS directive in mod_ldap.
  • Issue 82 - Support configurable certificate settings in LDAP SSL/TLS connections.
  • Issue 947 - Support use of SASL auth mechanisms for LDAPBindDN binds.
  • Issue 954 - Support buggy/ill-behaved FTPS client shutdown behavior for CCC command.
  • Issue 959 - FTPS uploads using TLSv1.3 are likely to fail unexpectedly.
  • Issue 682 - IPv6 addresses not properly parsed in From directives, causing unexpected <IfClass> mismatches.
  • Issue 964 - Unable to load mod_sftp, mod_sql_passwd as shared modules on Alpine.
  • Issue 968 - Require TLSv1.3 data connection sessions to reuse same session as control connection for TLSv1.3 session tickets.
  • Issue 366 - ftptop should support batch mode. ftptop now supports -b and -n command-line options, like top(1).
  • Issue 808 - ProFTPD should ignore supplemental groups when run as a non-root user.
  • Issue 980 - mod_sftp sends broken response when CREATETIME attribute is requested.
  • Bug 4390 - Implement keepalive support for mod_sql/database connections.
  • Issue 693 - mod_sftp unsuccessful login count issues on AIX.
  • Issue 984 - Do not send EXT_INFO messages to SSH clients which did not signal "ext-info-c".
  • Issue 983 - Use re-entrant versions of time functions where available.
  • Bug 4398 - Handle zero-length SFTP WRITE requests without error.
  • Bug 4185 - Implement options for tuning fields used in syslog/module logging.
  • Issue 1010 - Allow ban entries to apply to all <VirtualHost> sections.
  • Issue 1018 - PidFile should not be world-writable.
  • Issue 1014 - TLSv1.3 handshake fails due to missing session ticket key on some systems.
  • Issue 1023 - Lowercased FTP commands not properly identified.

1.3.7rc3 - Released 20-Feb-2020

  • Issue 810 - mod_tls does not compile with LibreSSL 2.9.x.
  • Issue 750 - MaxClientsPerUser not enforced for SFTP logins when mod_digest enabled.
  • Issue 850 - mod_tls should honor SNI in TLS handshake.
  • Issue 692 - Support bcrypt passwords in mod_sql_passwd.
  • Issue 793 - mod_sftp does not support OpenSSH-specific private key format.
  • Bug 4221 - Add support for ssh-ed25519 keys.
  • Issue 863 - Directory listing is slower compared to previous ProFTPD versions.
  • Issue 859 - Improper handling of TLS CRL lookups.
  • Bug 4340 - "SocketOptions keepalive off" does not disable TCP keepalive on control connection.
  • Issue 870 - Leaking PAM handler and data in case of unsuccessful authentication.
  • Bug 4385 - SSH authentication fails for many clients due to receiving of SSH_MSG_IGNORE packet.
  • Issue 872 - Show PathAllowFilter, PathDenyFilter failure in system logging. Commands denied by these Filter directives are now logged at the NOTICE level in the system logging.
  • Bug 4382 - Incorrect %F SQLLog with SFTP, not FTP, uploads.
  • Issue 882 - mod_sql "named connection already exists" error when using name-based virtual hosts.
  • Issue 890 - SFTP publickey authentication fails unexpectedly when user has no shadow password info.
  • Issue 898 - ftpasswd fails to restore password file permissions in some cases.
  • Issue 903 - Use-after-free vulnerability in memory pools during data transfer.
  • Issue 902 - Out-of-bounds read in mod_cap getstateflags() function. This happens because of an out-of-date libcap version; we now rely solely on the system-provided libcap library.

1.3.7rc2 - Released 19-Oct-2019

  • Issue 846 - Remote denial-of-service due to issue in network IO handling (CVE-2019-18217).

1.3.7rc1 - Released 12-Oct-2019

  • Bug 4304 - Configure script wrongly detects AIX lastlog functions.
  • Bug 3127 - ProFTPD does not build when configure is run from directory other than source directory.
  • Bug 4279 - Disable Blowfish, RC4, RIPE-MD160 SSH2 algorithms by default.
  • Bug 4306 - AllowChrootSymlinks off could cause login failures depending on filesystem permissions.
  • Issue 269 - Disable building of mod_ident by default.
  • Issue 501 - mod_ctrls: error: unable to bind to local socket: Address already in use.
  • Issue 507 - Failed to handle multiple %{env:...} variables in single word in configuration.
  • Issue 515 - Support %b variable for ExecEnviron directive.
  • Issue 521 - Broken OCSP Stapling implementation fails to find issuing certificate properly.
  • Issue 518 - Provide option to disable sending of fake "tryLater" OCSP response.
  • Issue 519 - Improve handling of cached OCSP responses.
  • Bug 4307 - High CPU load on CWD to non existing directory. This has been addressed by improving the in-memory config tree DFS algorithm to short-circuit recursive searching where possible.
  • Issue 505 - Support MODE Z even for FTPS sessions.
  • Issue 351 - Support FTP RANG command.
  • Bug 4308 - mod_sftp fails to check shadow password information when publickey authentication used.
  • Bug 4309 - Use of "AllowEmptyPasswords off" breaks SFTP/SCP logins.
  • Issue 534 - Support configuring multiple curves using TLSECDHCurve.
  • Bug 4310 - Use of mod_facl as static module causes ProFTPD to die on SIGHUP/restart.
  • Bug 4311 - Directory creation in mod_site_misc, mod_copy does not honor directory Umask.
  • Issue 445 - Remove non-functional TransferPriority directive.
  • Issue 550 - Support Redis SELECT for multiple databases.
  • Issue 396 - Support for Redis Sentinel deployments in mod_redis.
  • Issue 556 - Use of curve25519-sha256@… SSH2 key exchange sometimes fails.
  • Issue 536 - Support TLSv1.3 (assuming OpenSSL support).
  • Bug 4312 - Close extra file descriptors at startup.
  • Bug 4314 - <Anonymous> with AuthAliasOnly in effect does not work as expected.
  • Issue 568 - CreateHome NoRootPrivs only works partially.
  • Bug 4313 - ExtendedLog incorrectly/unexpectedly logs unknown/unsupported commands.
  • Issue 578 - SFTP OPEN response includes attribute flags that are not actually provided.
  • Bug 4318 - Truncation of file while being downloaded with sendfile enabled causes timeouts due to infinite loop.
  • Bug 4320 - Confusing mod_sftp log message "disconnected by user (Application error)" changed to "(Application disconnected)".
  • Bug 4241 - RootRevoke should be on/true by default.
  • Bug 4281 - Redesign support for Backend SQLAuthType for MySQL. If the MySQL client library cannot support the SQLAuthType Backend, mod_sql_mysql will emit a warning on startup.
  • Bug 4319 - FTP uploads frequently break due to "Interrupted system call" error.
  • Issue 618 - Site-to-site transfers over TLS fail.
  • Bug 4322 - Can't see symlinks using any FTP client when using MLSD.
  • Issue 610 - Generate new DH parameters for mod_tls, mod_sftp for 1.3.7.
  • Bug 4325 - mod_tls 1.3.6 fails to compile using OpenSSL 0.9.8e.
  • Bug 4326 - Using MaxClientsPerHost 1 in <Anonymous> section denies logins.
  • Issue 642 - SQLNamedConnectInfo with different backend database does not work properly.
  • Issue 654 - mod_sql_sqlite should error if configured SQLite database does not exist.
  • Issue 656 - Segfault with mod_sftp+mod_sftp_pam after successful authentication using keyboard-interactive method.
  • Issue 660 - autoconf always fails to detect support for FIPS.
  • Issue 663 - SFTP connections fail when using "arcfour256" cipher.
  • Bug 4335 - mod_auth_otp fails to build with OpenSSL 1.1.x.
  • Bug 4341 - scp broken on FreeBSD 11.
  • Issue 676 - SQLLog for SCP: %{file-size} is not available.
  • Issue 674 - Update mod_sftp to handle changed APIs in OpenSSL 1.1.x releases.
  • Bug 4356 - Infinite loop possible in mod_sftp's set_sftphostkey() function.
  • Bug 4352 - Some ASCII text files corrupted when downloading.
  • Issue 797 - Properly use the --includedir, --libdir configure variables in the generated proftpd.pc pkgconfig file.
  • Bug 4350 - Reading invalid SSH key from database results in unexpected/unlogged disconnect failures.
  • Bug 4332 - Symlink navigation broken after 1.3.6 update. The changes for Bug#4219 have been rolled back.
  • Issue 795 - Unable to connect to ProFTPD using TLSSessionTickets and TLSv1.3.
  • Bug 4372 - SITE CPFR/CPTO do not honor <Limit> configurations.
  • Issue 807 - Using "TLSProtocol SSLv23" does not enable all protocol versions.

comment:3 by Bruce Dubbs, 4 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 23410.

comment:4 by Douglas R. Reno, 4 years ago

There was a security fix here, but we fixed it in 2019 with proftpd-1.3.6b
