proftpd-dfsg: CVE-2016-3125: usage of 1024 bit DH key even with manual parameters set

Related Vulnerabilities: CVE-2016-3125  

Debian Bug report logs - #818492


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 17 Mar 2016 15:36:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions proftpd-dfsg/1.3.5-1.1, proftpd-dfsg/1.3.5a-1

Fixed in version proftpd-dfsg/1.3.5b-1

Done: Francesco Paolo Lovergine <frankie@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.proftpd.org/show_bug.cgi?id=4230



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#818492; Package src:proftpd-dfsg. (Thu, 17 Mar 2016 15:36:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Thu, 17 Mar 2016 15:36:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: proftpd-dfsg: CVE-2016-3125: usage of 1024 bit DH key even with manual parameters set
Date: Thu, 17 Mar 2016 16:33:31 +0100
Source: proftpd-dfsg
Version: 1.3.5a-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: http://bugs.proftpd.org/show_bug.cgi?id=4230

Hi,

the following vulnerability was published for proftpd-dfsg.

CVE-2016-3125[0]:
TLSDHParamFile directive ignored

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3125
[1] http://bugs.proftpd.org/show_bug.cgi?id=4230

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
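The report above says the server kept using a 1024-bit DH group even when TLSDHParamFile pointed at stronger parameters, so inspecting the configuration file is not enough to know whether a deployment is affected; what matters is the group the server actually negotiates. The following POSIX shell snippet is an added example (not part of the bug report or of the proftpd project) that parses the "Server Temp Key:" line OpenSSL's `s_client` prints during a handshake and flags an ephemeral DH group below a chosen minimum. The MIN_DH_BITS policy value, the sample handshake output and the hostname in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify the DH group size a TLS server really negotiates,
# independent of what TLSDHParamFile says. OpenSSL >= 1.0.2 s_client prints
# a line such as "Server Temp Key: DH, 1024 bits" for DHE key exchange.

# Assumed policy: anything below 2048 bits is treated as weak.
MIN_DH_BITS=2048

# dh_bits_from_output TEXT
#   Print the DH group size in bits found in s_client output TEXT, or 0 when
#   no finite-field DH temp key line is present (ECDHE, RSA kex, or no TLS).
dh_bits_from_output() {
    printf '%s\n' "$1" | awk '
        /^Server Temp Key: DH, [0-9]+ bits/ { print $5; found = 1 }
        END { if (!found) print 0 }
    '
}

# check_dh_strength TEXT
#   Exit status: 0 = DH group meets policy, 1 = weak DH group, 2 = no DHE seen.
check_dh_strength() {
    bits=$(dh_bits_from_output "$1")
    if [ "$bits" -eq 0 ]; then
        echo "no DHE key exchange observed (ECDHE/RSA kex, or handshake failed)"
        return 2
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK: server negotiated a ${bits}-bit DH group (policy minimum ${MIN_DH_BITS})"
        return 1
    else
        echo "OK: server negotiated a ${bits}-bit DH group"
        return 0
    fi
}

# Constructed sample output (abridged) resembling an affected server:
SAMPLE_WEAK='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'

# Constructed sample output for a server honouring 2048-bit parameters:
SAMPLE_OK='CONNECTED(00000003)
---
Server Temp Key: DH, 2048 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'

# Live use against a real FTPS endpoint (needs network; hostname is a
# placeholder). Forcing DHE ciphers makes the server reveal its DH group:
#   openssl s_client -connect ftp.example.com:21 -starttls ftp -cipher 'DHE' \
#       </dev/null 2>/dev/null | { check_dh_strength "$(cat)"; }

check_dh_strength "$SAMPLE_WEAK" || true
check_dh_strength "$SAMPLE_OK" || true
```

The check deliberately distinguishes "weak DH" from "no DHE seen": a server that only offers ECDHE or plain RSA key exchange does not prove anything about its DH parameters, so that case is reported separately rather than passed silently.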



Marked as found in versions proftpd-dfsg/1.3.5-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 17 Mar 2016 15:54:08 GMT)


Reply sent to Francesco Paolo Lovergine <frankie@debian.org>:
You have taken responsibility. (Mon, 12 Dec 2016 13:06:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 12 Dec 2016 13:06:18 GMT)


Message #12 received at 818492-close@bugs.debian.org:

From: Francesco Paolo Lovergine <frankie@debian.org>
To: 818492-close@bugs.debian.org
Subject: Bug#818492: fixed in proftpd-dfsg 1.3.5b-1
Date: Mon, 12 Dec 2016 13:04:25 +0000
Source: proftpd-dfsg
Source-Version: 1.3.5b-1

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 818492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <frankie@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 11 Dec 2016 14:48:30 +0100
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite proftpd-mod-geoip
Architecture: source amd64 all
Version: 1.3.5b-1
Distribution: unstable
Urgency: medium
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>
Changed-By: Francesco Paolo Lovergine <frankie@debian.org>
Description:
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-geoip - Versatile, virtual-hosting FTP daemon - GeoIP module
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 717235 745493 774390 804322 809068 818492 831381 831961 836759
Changes:
 proftpd-dfsg (1.3.5b-1) unstable; urgency=medium
 .
   [ Mahyuddin Susanto ]
   * Fix FTBFS for missing build-indep, Thanks Santiago Vila
     (Closes: #831961).
   * Fix FTBFS in hurd-i386, thanks Svante Signell (Closes: #745493).
 .
   [Hilmar Preuße]
   * Apply patch for ftpasswd.8 (Closes: #774390)
   * Some files created during build were not removed during clean.
   * Apply patch to allow transfer large files (more than 1 GB)
     with SFTP module (Closes: #809068), large_files_SFTP.diff
   * Apply patch for reproducible build. Thanks to Chris Lamb
     (Closes: #831381).
   * Remove hardening check in debian/rules, remove BD on
     hardening-includes (Closes: #836759).
   * Use common-session-noninteractive PAM configuration fragment,
     (instead of common-session) in pam config of proftpd-basic
     (Closes: #804322).
   * Apply patch to not request the whole passwd DB at each login. Thanks
     to Arthur de Jong <adejong@debian.org>. (Closes: #717235).
     <quote src=AdJ>
     I still question the usefulness of setpwent()/getpwent() in the first
     place as there is no guarantee that any resources opened for setpwent()
     are used for other getpw{nam,uid}() calls.
     </quote>
   * OpenSSL 1.1 transition: we'll have OpenSSL 1.0 in Stretch (see [1]).
     Change BD from libssl-dev to libssl1.0-dev. This lowers severity of
     (#828513) to non-rc.
   * lintian "W: invalid-short-name-in-dep5-copyright bsd" (BSD-3-clause).
   * lintian "E: proftpd-basic: init.d-script-needs-depends-on-lsb-base (...)"
   * lintian "E: proftpd-dfsg source: build-depends-on-obsolete-package
     build-depends: libmysqlclient-dev => default-libmysqlclient-dev"
   * Same URL for Vcs-Git & Vcs-Browser in control file.
   * Some suggestions by Mattia Rizzolo <mattia@debian.org> for d/rules
     - Update of config.{sub,guess} is done by dh_update_autotools_config
     - build done by dh_auto_build, instead of manual "make all"
     - call dh_auto_clean instead of manual "make distclean"
     - replace some install calls by entries in $package.install files
     - remove "-l option" from dh_shlibdeps call
     - install init script and defaults file using dh_installinit
     - Some files in clean target are removed using debian/clean
     - install files using dh_auto_install, do not strip during installation
 .
   [1] https://lists.debian.org/debian-devel-announce/2016/11/msg00001.html
 .
   [ Francesco Paolo Lovergine ]
   * Team upload.
   * New upstream release. Merged patch for #809068.
     Contains fix for CVE-2016-3125 (Closes: #818492)
   * Patchset updated and uniformed for name.
   * ABI version updated.
   * Debhelper compatibility set to 9.
   * Policy bumped to 3.9.8, no changes required.
Checksums-Sha1:
 0c7393ac730e92992f8ba2869268711e7552005f 2739 proftpd-dfsg_1.3.5b-1.dsc
 e30b1e77afb2996072e1d5c9b72429354f5060fd 29849767 proftpd-dfsg_1.3.5b.orig.tar.gz
 f021238a228d33484b3a380617f8ea3c4d8f1cb8 90008 proftpd-dfsg_1.3.5b-1.debian.tar.xz
 2e30563a300ede2020e9e73ae741f982eb0bfd40 2480646 proftpd-basic_1.3.5b-1_amd64.deb
 2ecac2ef73c4338645b3766a195acb2f92666a32 982422 proftpd-dev_1.3.5b-1_amd64.deb
 d40cd68fd13b144d5b0bf54e7851d2d982f8c75a 8563 proftpd-dfsg_1.3.5b-1_amd64.buildinfo
 1987f542d9e29b00ce2bfe172bd7cc51e66e2979 1625284 proftpd-doc_1.3.5b-1_all.deb
 2438bda1068e34f404eeab5960c8d77181182be2 477888 proftpd-mod-geoip_1.3.5b-1_amd64.deb
 115ec0dc90953ba785875353670deeca744ffadc 484876 proftpd-mod-ldap_1.3.5b-1_amd64.deb
 85f135d7e75242b6c5f4a77156907fa581872539 477162 proftpd-mod-mysql_1.3.5b-1_amd64.deb
 7bdcf88b0fd3c38a7a6535e2487a4f1326414987 478176 proftpd-mod-odbc_1.3.5b-1_amd64.deb
 454cdc68bf0d3f4e62dc46e8a3295c60ac538bc7 476694 proftpd-mod-pgsql_1.3.5b-1_amd64.deb
 b866afc955ee07a542664572d4c1ebf86bd2bdf9 476196 proftpd-mod-sqlite_1.3.5b-1_amd64.deb
Checksums-Sha256:
 3664c2794bbacfbe5a43f4717a0cbcb3f95af95e3d3980d1e9094f2280bf8688 2739 proftpd-dfsg_1.3.5b-1.dsc
 1a8102a664d952809eb30993d7fff9b3b692d1e0768a4ba4e6f3d1fce30d2120 29849767 proftpd-dfsg_1.3.5b.orig.tar.gz
 f6812ed8d2d0c45da8cd9d90617cd7833b85c97f0c672f968d34ca7362d41128 90008 proftpd-dfsg_1.3.5b-1.debian.tar.xz
 44b17d95e3902710052a87300d0a5cae30093fe44151a4a654cf8610ee7c37e1 2480646 proftpd-basic_1.3.5b-1_amd64.deb
 6c51ace0111d451d8b3e2a8bed58b0b07155f96b3b98dc9b813a4632f41a4cab 982422 proftpd-dev_1.3.5b-1_amd64.deb
 ec5a39d1cf0500ea92d0bbfeb0f9c4a1dc28643cf6a5d59e770e32b9db0bffa4 8563 proftpd-dfsg_1.3.5b-1_amd64.buildinfo
 7dc55d9b7e07014cd39099e3584bf7ad5ba338eca3af9e3be78139b8c9702c9d 1625284 proftpd-doc_1.3.5b-1_all.deb
 981cbde0ea8c584333822bcfdc8e6669f9fde457a6aad5f65413ce116021942c 477888 proftpd-mod-geoip_1.3.5b-1_amd64.deb
 ebf64788e61a998a61c2d04bc08953165ef71c9fef51ca6f175a04bf1c778aac 484876 proftpd-mod-ldap_1.3.5b-1_amd64.deb
 6f1f40bf927320bfe6a63fe58b4e187cc9bd5fae0005056c6d43013a110fbce8 477162 proftpd-mod-mysql_1.3.5b-1_amd64.deb
 19ff9c812d3dcff99750c568fa388bcb05b634cc896e9e57f87188868df2b175 478176 proftpd-mod-odbc_1.3.5b-1_amd64.deb
 2b2a474f932ad8e6bb9bb3b4f21afa550da2257128ab0f65014d7b33f54d0d4c 476694 proftpd-mod-pgsql_1.3.5b-1_amd64.deb
 c28e082f75affd1bd7cee246e15c510369c917448d590328ae50c24845083c85 476196 proftpd-mod-sqlite_1.3.5b-1_amd64.deb
Files:
 2ccaff3fa881b83b1166b97d98b54d4e 2739 net optional proftpd-dfsg_1.3.5b-1.dsc
 4cc5c68f1309e8e9db7207e1bcb3fc2f 29849767 net optional proftpd-dfsg_1.3.5b.orig.tar.gz
 753e1e0aa98da76e90ae11f49fa4bc62 90008 net optional proftpd-dfsg_1.3.5b-1.debian.tar.xz
 648193182174d6a4f25162f5dcbef272 2480646 net optional proftpd-basic_1.3.5b-1_amd64.deb
 d360dc2bfdbb1250a2e50a31c5a558dc 982422 net optional proftpd-dev_1.3.5b-1_amd64.deb
 f0be8c3e6bdccb8dcd640a504b258028 8563 net optional proftpd-dfsg_1.3.5b-1_amd64.buildinfo
 a2b21c102ac1251bcadd1179205acc6e 1625284 doc optional proftpd-doc_1.3.5b-1_all.deb
 bd441d2353c2c34c4e370bcd8a6857ef 477888 net optional proftpd-mod-geoip_1.3.5b-1_amd64.deb
 36768bad13bea5cafcd281c4d08f827e 484876 net optional proftpd-mod-ldap_1.3.5b-1_amd64.deb
 5689371113a349a96cf9a328a63e3df5 477162 net optional proftpd-mod-mysql_1.3.5b-1_amd64.deb
 024564829968ae8650cf0963111594f4 478176 net optional proftpd-mod-odbc_1.3.5b-1_amd64.deb
 494a412ac53139476ae586151f92bce6 476694 net optional proftpd-mod-pgsql_1.3.5b-1_amd64.deb
 e7ee97c236a83f0e3471702a212d0830 476196 net optional proftpd-mod-sqlite_1.3.5b-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 11:53:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:22:52 2019; Machine Name: beach
