Package: linux-ftpd-ssl / 0.17.36+0.3-2.2

Metadata

Package: linux-ftpd-ssl
Version: 0.17.36+0.3-2.2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
001 from_hamm.diff | (download)

ftpd/ftpcmd.y | 27 14 + 13 - 0 !
ftpd/ftpd.8 | 19 18 + 1 - 0 !
ftpd/ftpd.c | 478 353 + 125 - 0 !
ftpd/logwtmp.c | 2 1 + 1 - 0 !
support/setproctitle.c | 2 1 + 1 - 0 !
5 files changed, 387 insertions(+), 141 deletions(-)

 patching recovered from linux-ftpd_0.17-13.diff.gz
002 from_sarge.diff | (download)

ftpd/ftpcmd.y | 9 5 + 4 - 0 !
ftpd/ftpd.8 | 20 12 + 8 - 0 !
ftpd/ftpd.c | 43 29 + 14 - 0 !
ftpd/popen.c | 9 7 + 2 - 0 !
4 files changed, 53 insertions(+), 28 deletions(-)

 patches taken from linux-ftpd_0.17-20sarge2.diff.gz.
003 from_etch.diff | (download)

ftpd/ftpcmd.y | 17 8 + 9 - 0 !
ftpd/popen.c | 2 1 + 1 - 0 !
2 files changed, 9 insertions(+), 10 deletions(-)

 patches recovered from linux-ftpd_0.17-23.diff.gz.
010 ftpd_csrf.diff | (download)

ftpd/extern.h | 2 1 + 1 - 0 !
ftpd/ftpcmd.y | 32 24 + 8 - 0 !
ftpd/ftpd.c | 7 6 + 1 - 0 !
3 files changed, 31 insertions(+), 10 deletions(-)

 fix cross-site request forgery (csrf) attacks.
016 family_independence.diff | (download)

ftpd/ftpcmd.y | 68 54 + 14 - 0 !
ftpd/ftpd.c | 300 206 + 94 - 0 !
2 files changed, 260 insertions(+), 108 deletions(-)

 make the tcp transport code independent of address family.
 Make sure to eliminate as much outdated dependency on AF_INET,
 even before migrating to true support for AF_INET6.
 .
 1. Rewrite dolog() and check_host().
 .
 2. Eliminate inet_ntoa(), gethostbyname(), gethostbyaddr().
 .
 3. Introduce helper functions get_port() and set_port()
    in order to hide family dependency, as well as representation
    in network byte order. This isolates use of ntohs() and htons()
    to the above two functions, with a single exception.
 .
 4. Make sure that the daemon initialization depends only on
    a single AF_INET used for getaddrinfo(). This will later
    be replaced by AF_UNSPEC.
 .
 5. Make name and address lookup in main() independent of
    address family.
 .
 6. Reconstruct passive() to inherit address family from the
    controlling socket, then building the listening socket
    in an address independent manner.
 .
 7. Let statcmd() and passive() report on IPv6 sockets
    using the EPSV semantics '(|||portnum|)'.
 .
 8. Let the parser in ftpcmd.y use getaddrinfo() with NI_NUMERICHOST
    when constructing the IP-address, instead of manipulating byte
    fields. Likewise, hide port extraction in get_port().
020 support_ipv6.diff | (download)

ftpd/extern.h | 7 5 + 2 - 0 !
ftpd/ftpcmd.y | 78 71 + 7 - 0 !
ftpd/ftpd.8 | 6 6 + 0 - 0 !
ftpd/ftpd.c | 185 165 + 20 - 0 !
ftpd/logwtmp.c | 32 30 + 2 - 0 !
5 files changed, 277 insertions(+), 31 deletions(-)

 activate support for ipv6 transport.
 This patch supplies working services for:
 .
 1. Mixed IPv4 and IPv6 in inetd mode.
 .
 2. Mixed IPv4 and IPv6 in standalone daemon mode.
 .
 3. Selectable options '-4' and '-6' to activate a
    single address family.
 .
 4. Registration in wtmp of the caller's address structure.
    This field in 'struct utmp' was earlier ignored, as it
    is an extension particular to Linux.
 .
 5. Implementation of ABOR for use in idle state.
 .
 6. Conversion of second time length in case a compatibility
    layer between 32 bits and 64 bits is in effect.
 .
 Testing was performed using xinetd and net.ipv6.bindv6only=1,
 on architectures i386 and amd64.
024 failing_va_list.diff | (download)

ftpd/ftpd.c | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 reinitialize variable argument list for vsyslog().
 The use of vprintf(fmt, ap) leaves the second argument in an
 undefined state after execution. On a system using the amd64
 architecture, this leads consistently to segmentation faults.
 The solution is to insert the required initialization before
 the call to vsyslog().
026 support_glibc_bsd_and_gnu.diff | (download)

ftpd/extern.h | 2 1 + 1 - 0 !
ftpd/ftpcmd.y | 4 2 + 2 - 0 !
ftpd/ftpd.c | 49 35 + 14 - 0 !
ftpd/logutmp.c | 8 4 + 4 - 0 !
ftpd/popen.c | 4 2 + 2 - 0 !
support/vis.c | 2 1 + 1 - 0 !
6 files changed, 45 insertions(+), 24 deletions(-)

 implement changes to support gnu/hurd and gnu/kfreebsd.
 Several conditionals on '__linux__' are altered to react identically
 to '__GLIBC__' and '__GNU__'. This should produce working code
 also for the Debian ports GNU/kfreebsd and GNU/Hurd.
 .
 GNU/kfreebsd uses distinct options IP_PORTRANGE and IPV6_PORTRANGE
 depending on address family.
 .
 Use IP_TOS only for IPv4 when compiling for non-Linux.
030 manpage_typos.diff | (download)

ftpd/ftpd.8 | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 spelling error in manual page.
044 support_gnu_hurd.diff | (download)

ftpd/ftpd.c | 13 12 + 1 - 0 !
1 file changed, 12 insertions(+), 1 deletion(-)

 support gnu/hurd.
 Since MAXPATHLEN and MAXHOSTNAMELEN are not prescribed
 by POSIX, GNU/Hurd need not specify these. Thus they are
 now assigned the default values as used on BSD systems.
500 ssl.diff | (download)

ftpd/ftpcmd.y | 96 84 + 12 - 0 !
ftpd/ftpd.c | 740 728 + 12 - 0 !
ftpd/ssl_port.h | 85 85 + 0 - 0 !
ftpd/sslapp.c | 186 186 + 0 - 0 !
ftpd/sslapp.h | 63 63 + 0 - 0 !
5 files changed, 1146 insertions(+), 24 deletions(-)

 base ssl patch
 The original ssl patch, modified to apply to debian's linux-ftpd package.
510 old_patches.diff | (download)

ftpd/ftpcmd.y | 2 1 + 1 - 0 !
ftpd/ftpd.8 | 47 47 + 0 - 0 !
ftpd/ftpd.c | 22 12 + 10 - 0 !
3 files changed, 60 insertions(+), 11 deletions(-)

 patches up to linux-ftpd-ssl 0.17.18+0.3-3
520 CVE 2005 3524.diff | (download)

ftpd/ftpd.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix cve-2005-3524 - a remotely exploitable buffer overflow.
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339074
530 CVE 2007 6263.diff | (download)

ftpd/ftpd.c | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 fix cve-2007-6263 - remote denial of service
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454733
540 docs.diff | (download)

ftpd/ftpd.8 | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 document ssl options in manpage, fix typo
550 fix_warnings.diff | (download)

ftpd/ftpcmd.y | 1 1 + 0 - 0 !
ftpd/ftpd.c | 2 2 + 0 - 0 !
ftpd/ssl_port.h | 1 1 + 0 - 0 !
ftpd/sslapp.c | 4 2 + 2 - 0 !
4 files changed, 6 insertions(+), 2 deletions(-)

 fix all warnings in source
560 set_default_key_and_cert.diff | (download)

ftpd/ftpd.c | 11 4 + 7 - 0 !
1 file changed, 4 insertions(+), 7 deletions(-)

 set default ssl key/cert file to /etc/ftpd-ssl/ftpd.pem
570 redirect_ssl_output.diff | (download)

ftpd/ftpcmd.y | 23 17 + 6 - 0 !
ftpd/ftpd.c | 183 156 + 27 - 0 !
2 files changed, 173 insertions(+), 33 deletions(-)

 missing use of ssl protected stream.
 The commands HELP and STAT are not directing all their
 output via the SSL mechanisms, instead sending data to
 stdout.  This appears as data loss to the client, or as
 errors during SSL protected transmission.
 .
 Four particular problem cases are notable:
  *  STAT
  *  STAT path
  *  HELP
  *  HELP SITE

580 recent_libssl.diff | (download)

ftpd/ftpd.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 make possible builds with libssl of version 1.1.0.
 Protected access to an opaque structure was made mandatory
 in version 1.1.0 of libssl.
600 better_conformity.diff | (download)

ftpd/ftpcmd.y | 74 70 + 4 - 0 !
ftpd/ftpd.8 | 102 73 + 29 - 0 !
ftpd/ftpd.c | 205 178 + 27 - 0 !
ftpd/sslapp.c | 147 132 + 15 - 0 !
ftpd/sslapp.h | 1 1 + 0 - 0 !
5 files changed, 454 insertions(+), 75 deletions(-)

 better contemporary tls abilities.
 The commands PBSZ, PROT and CCC are implemented to the minimal extent
 needed to fulfill RFC 2228 in the sense of negotiating with a client.
 Thereby 'AUTH TLS' and 'AUTH SSL' are treated correctly.  A client
 call like 'curl --ftp-ssl' is now successfully handled.  'Minimal'
 means in particular that the protected mode 'PROT P' is the only
 supported level for data exchange, once SSL handshaking is complete.
 .
 There are new SSL options, or corrected to be functional: 'debug=file',
 'cipher=list', 'cacert=file', 'key=file', and 'certrequired'.  The CA
 list collected from 'cacert=file' will be sent to the client, which
 is useful for advanced client software.
 .
 The option 'cert=file' reads a complete chain of certificates, which
 together with 'cacert=file' makes the whole spectrum of verification
 via 'verify=num' available.  Either of 'certsok' and 'certrequired'
 will set SSL_VERIFY_PEER, and 'certrequired' will also set
 SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
 .
 A temporary SSL option 'legacy' activates an ugly workaround during
 verification, controlled by SSL_VERIFY_FAIL_IF_NO_PEER_CERT.  This
 quirk was present in the legacy patch set, but should not be used
 with the new ability to read chains and CA lists.  Its introduction
 should only be seen as a step in the transition to contemporary
 standards.
 .
 Include SSL_OP_NO_SSLv2 when setting library options.
 .
 Much effort has gone into sensible and helpful messages during SSL debug.
 .
 TODO: Autologin based on 'certsok' could be considered in SSL-only
 mode, or in secure mode.  Presently the PAM code only is able to emit
 debug messages as to whether certsok would accept or reject the claimed
 username for a corresponding subject identifier.
 .
use cmake as buildsystem.patch | (download)

CMakeLists.txt | 10 10 + 0 - 0 !
ftpd/CMakeLists.txt | 52 52 + 0 - 0 !
support/CMakeLists.txt | 9 9 + 0 - 0 !
3 files changed, 71 insertions(+)

 use cmake as build system
use cmake as buildsystem debian extras.patch | (download)

CMakeLists.txt | 8 8 + 0 - 0 !
ftpd/CMakeLists.txt | 5 5 + 0 - 0 !
2 files changed, 13 insertions(+)

 debian-specific changes to the cmake build system