commit 2b9228d5c4f2e17ec9fd3b40ddb64ca0d5a9ffe8030596cf46b6b40ba56d2566 Author: Marcus Meissner Date: Fri Jan 10 13:13:12 2025 +0000 fix for boo#1233997 (CVE-2024-48651) OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=104 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/harden_proftpd.service.patch b/harden_proftpd.service.patch new file mode 100644 index 0000000..b9f018a --- /dev/null +++ b/harden_proftpd.service.patch @@ -0,0 +1,23 @@ +Index: contrib/dist/rpm/proftpd.service +=================================================================== +--- contrib/dist/rpm/proftpd.service.orig ++++ contrib/dist/rpm/proftpd.service +@@ -4,6 +4,18 @@ Wants=network-online.target + After=network-online.target nss-lookup.target local-fs.target remote-fs.target + + [Service] ++# added automatically, for details please see ++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ++ProtectSystem=full ++PrivateDevices=true ++ProtectHostname=true ++ProtectClock=true ++ProtectKernelTunables=true ++ProtectKernelModules=true ++ProtectKernelLogs=true ++ProtectControlGroups=true ++RestrictRealtime=true ++# end of automatic additions + Type = simple + Environment = PROFTPD_OPTIONS= + EnvironmentFile = -/etc/sysconfig/proftpd diff --git a/proftpd-1.3.8b.tar.gz b/proftpd-1.3.8b.tar.gz new file mode 100644 index 0000000..01afd3f --- /dev/null +++ b/proftpd-1.3.8b.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:183ab7c6107de271a2959ff268f55c9b6c76b2cf0029e6584fccc019686601e0 +size 19752808 diff --git a/proftpd-1.3.8b.tar.gz.asc b/proftpd-1.3.8b.tar.gz.asc new file mode 100644 index 0000000..baa3083 --- /dev/null +++ b/proftpd-1.3.8b.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Comment: GPGTools - https://gpgtools.org + +iEYEABECAAYFAmWCcGMACgkQt46JP6URl2rOOACgqd6poiniUeOej3gVoE4ZHA1Z +PKgAoKgsyi9zqoilnOtZJKfzWw4BJ546 +=GIJC +-----END PGP SIGNATURE----- diff --git a/proftpd-1.3.8c.tar.gz b/proftpd-1.3.8c.tar.gz new file mode 100644 index 0000000..147e125 --- /dev/null +++ b/proftpd-1.3.8c.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2a48f2ca338456e750d2373bf671025ed799e04e0baa16c7bb8dbfd67d8734d2 +size 19751847 diff --git a/proftpd-1.3.8c.tar.gz.asc b/proftpd-1.3.8c.tar.gz.asc new file mode 100644 index 0000000..eb81939 --- /dev/null +++ b/proftpd-1.3.8c.tar.gz.asc @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iF0EABECAB0WIQRpfmhNFmjWloQoQFy3jok/pRGXagUCZ1nafgAKCRC3jok/pRGX +arsZAKDP6Vk4oWO9BB0TbMnNNe1TRZwjOwCdH+pBD7f0WDsf6cO4D9oF6iqNgvY= +=YGOJ +-----END PGP SIGNATURE----- diff --git a/proftpd-basic.conf.patch b/proftpd-basic.conf.patch new file mode 100644 index 0000000..78280d5 --- /dev/null +++ b/proftpd-basic.conf.patch @@ -0,0 +1,275 @@ +Index: sample-configurations/basic.conf +=================================================================== +--- sample-configurations/basic.conf.orig ++++ sample-configurations/basic.conf +@@ -3,19 +3,29 @@ + # and a single anonymous login. It assumes that you have a user/group + # "nobody" and "ftp" for normal operation and anon. + +-ServerName "ProFTPD Default Installation" +-ServerType standalone +-DefaultServer on ++ServerName "ProFTPD" ++ServerType standalone ++DefaultServer on + + # Port 21 is the standard FTP port. +-Port 21 ++Port 21 ++ ++# FireWall PortRange for PASV ++PassivePorts 40000 40999 ++ ++# Set DebugLevel to values between 0 and 9 ++# default is 0 ++DebugLevel 0 ++ ++# SystemLog -- Redirect syslogging to a file ++SystemLog /var/log/proftpd/proftpd.log + + # Don't use IPv6 support by default. +-UseIPv6 off ++UseIPv6 off + + # Umask 022 is a good standard umask to prevent new dirs and files + # from being group and world writable. +-Umask 022 ++Umask 022 + + # To prevent DoS attacks, set the maximum number of child processes + # to 30. If you need to allow more than 30 concurrent connections +@@ -23,43 +33,207 @@ Umask 022 + # in standalone mode, in inetd mode you should use an inetd server + # that allows you to limit maximum number of processes per service + # (such as xinetd). +-MaxInstances 30 ++MaxInstances 30 + + # Set the user and group under which the server will run. +-User nobody +-Group nogroup +- +-# To cause every FTP user to be "jailed" (chrooted) into their home +-# directory, uncomment this line. +-#DefaultRoot ~ ++User ftp ++Group ftp + +-# Normally, we want files to be overwriteable. +-AllowOverwrite on ++# Some logging formats ++LogFormat default "%h %l %u %t \"%r\" %s %b" ++LogFormat auth "%v [%P] %h %t \"%r\" %s" ++LogFormat write "%h %l %u %t \"%r\" %s %b" ++ ++# ------------------------------ ++# Global Settings ++# ------------------------------ ++ ++ ++ # ------------------------------ ++ # Login ++ # ------------------------------ ++ ++ ServerIdent on "FTP server ready" ++ DeferWelcome on ++ #DisplayConnect /etc/proftpd/msg ++ ++ ++ IdentLookups off ++ ++ UseFtpUsers off ++ RequireValidShell off ++ ++ TimeoutLogin 60 ++ MaxLoginAttempts 3 ++ #MaxClientsPerHost none ++ #MaxClientsPerUser 1 "Only one connection at a time." ++ ++ # ------------------------------ ++ # Authentication ++ # ------------------------------ ++ ++ ### PAM Authentication ++ # AuthPAM: default: on ++ AuthPAM off ++ ++ # changed AuthPAMConfig file ++ AuthPAMConfig proftpd ++ ### PAM Authentication ++ ++ AuthUserFile /etc/proftpd/auth/passwd ++ AuthGroupFile /etc/group ++ ++ ### order of auth modules ++ #AuthOrder mod_auth_unix.c mod_auth_file.c ++ AuthOrder mod_auth_file.c ++ ++ # ------------------------------ ++ # Post-Login ++ # ------------------------------ ++ ++ DisplayLogin welcome.msg ++ DisplayChdir .message ++ AllowOverride off ++ ++ TimeoutIdle 600 ++ TimeoutNoTransfer 900 ++ TimeoutStalled 300 ++ TimeoutSession 3600 ++ ++ # ------------------------------ ++ # Session ++ # ------------------------------ ++ ++ # To cause every FTP user to be "jailed" (chrooted) into their home ++ # directory, uncomment this line. ++ DefaultRoot ~ web,!users ++ ++ DenyFilter \*.*/ ++ ListOptions "-A +R" strict ++ UseGlobbing off ++ ++ ShowSymlinks on ++ TimesGMT on ++ ++ # ------------------------------ ++ # Up- & Download ++ # ------------------------------ ++ ++ # having to delete before uploading is a pain ;) ++ AllowOverwrite on ++ AllowRetrieveRestart on ++ HiddenStores on ++ DeleteAbortedStores on ++ #AllowStoreRestart off # is contrary to "DeleteAbortedStores" ++ ++ # ------------------------------ ++ # Logging ++ # ------------------------------ ++ ++ WtmpLog off ++ TransferLog /var/log/proftpd/xferlog ++ ++ # Record all logins ++ ExtendedLog /var/log/proftpd/auth.log AUTH auth ++ ++ # Logging file/dir access ++ ExtendedLog /var/log/proftpd/access.log WRITE,READ write ++ ++ # Paranoia logging level.... ++ ExtendedLog /var/log/proftpd/paranoid.log ALL default ++ ++ # SQLLogFile ++ #SQLLogFile /var/log/proftpd/SQL.log ++ + + # Bar use of SITE CHMOD by default + + DenyAll + + ++##### ++# Include other confs, e.g. tls.conf ++#Include /etc/proftpd/conf.d/*.conf ++ ++##### ++ ++# ------------------------------ ++# Anonymous Settings ++# ------------------------------ + # A basic anonymous configuration, no upload directories. If you do not + # want anonymous users, simply delete this entire section. + +- User ftp +- Group ftp +- +- # We want clients to be able to login with "anonymous" as well as "ftp" +- UserAlias anonymous ftp +- +- # Limit the maximum number of anonymous logins +- MaxClients 10 +- +- # We want 'welcome.msg' displayed at login, and '.message' displayed +- # in each newly chdired directory. +- DisplayLogin welcome.msg +- DisplayChdir .message +- +- # Limit WRITE everywhere in the anonymous chroot +- +- DenyAll +- ++ # Limit LOGIN ++ # ++ # Order Allow,Deny ++ # Allow from .examples.net,113.141.114.1 ++ # Deny from All ++ # ++ ++ ## or 'Include' a limit file with rules ++ ## include one file and use more than once ;) ++ # ++ # Order Allow,Deny ++ # Include /etc/proftpd/includes/limit.conf ++ # Deny from All ++ # ++ ++ # Limit WRITE everywhere in the anonymous chroot ++ ++ DenyAll ++ ++ ++ # DirFakeMode -- Hide real file/directory permissions ++ DirFakeMode 0640 ++ ++ # DirFakeUser -- Hide real file/directory owner ++ DirFakeUser On ++ ++ # DirFakeGroup -- Hide real file/directory group ++ DirFakeGroup On ++ ++ # We want clients to be able to login with "anonymous" as well as "ftp" ++ UserAlias anonymous ftp ++ ++ # Limit the maximum number of anonymous logins ++ MaxClients 10 ++ #MaxRetrieveFileSize 512 Mb ++ ++ # Limit Up/Downloads to 255 K/sec ++ #TransferRate APPE,RETR,STOR,STOU 255 ++ ++ # We want 'welcome.msg' displayed at login, and '.message' displayed ++ # in each newly chdired directory. ++ DisplayLogin welcome.msg ++ DisplayChdir .message ++ ++ # ++ # ++ # Order Allow,Deny ++ # Allow from .examples.net,113.141.114.1 ++ # Deny from All ++ # ++ # ++ ++ ## or 'Include' a limit file with rules ++ ## include one file and use more than once ;) ++ # ++ # ++ # Order Allow,Deny ++ # Include /etc/proftpd/includes/limit.conf ++ # Deny from All ++ # ++ # ++ ++ # An upload directory that allows storing files but not retrieving ++ # or creating directories. ++ # ++ # ++ # DenyAll ++ # ++ # ++ # AllowAll ++ # ++ # + ++ diff --git a/proftpd-dist.patch b/proftpd-dist.patch new file mode 100644 index 0000000..46122f3 --- /dev/null +++ b/proftpd-dist.patch @@ -0,0 +1,77 @@ +Index: contrib/dist/rpm/ftp.pamd +=================================================================== +--- contrib/dist/rpm/ftp.pamd.orig ++++ contrib/dist/rpm/ftp.pamd +@@ -1,6 +1,7 @@ + #%PAM-1.0 ++ + auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +-auth required pam_unix.so shadow nullok ++#auth required pam_unix.so shadow nullok + + # If this is enabled, anonymous logins will fail because the 'ftp' user does + # not have a "valid" shell, as listed in /etc/shells. +@@ -11,5 +12,9 @@ auth required pam_unix.so shadow n + # + #auth required pam_shells.so + +-account required pam_unix.so +-session required pam_unix.so ++auth required pam_unix2.so ++auth required pam_shells.so ++account required pam_unix2.so ++password required pam_unix2.so ++session required pam_unix2.so ++session optional pam_keyinit.so revoke +Index: contrib/dist/rpm/proftpd.logrotate +=================================================================== +--- contrib/dist/rpm/proftpd.logrotate.orig ++++ contrib/dist/rpm/proftpd.logrotate +@@ -1,10 +1,15 @@ +-/var/log/proftpd/*.log /var/log/xferlog { ++/var/log/proftpd/xferlog /var/log/proftpd/*.log { + compress +- missingok ++ dateext ++ maxage 365 ++ rotate 99 ++ size=+4096k + notifempty ++ missingok ++ create 640 root root + sharedscripts + postrotate +- test -f /var/lock/subsys/proftpd && /usr/bin/killall -HUP proftpd || : ++ /usr/sbin/rcproftpd reload + endscript + } + +Index: contrib/dist/rpm/xinetd +=================================================================== +--- contrib/dist/rpm/xinetd.orig ++++ contrib/dist/rpm/xinetd +@@ -2,13 +2,15 @@ + # description: The ProFTPD FTP server + service ftp + { +- flags = REUSE +- socket_type = stream +- wait = no +- user = root +- server = /usr/sbin/in.proftpd +- log_on_success += DURATION +- log_on_failure += USERID +- nice = 10 +- disable = yes ++ socket_type = stream ++ protocol = tcp ++ wait = no ++# bind = IP ++ instances = 30 ++ user = root ++ server = /usr/sbin/in.proftpd ++ log_on_success += PID HOST USERID EXIT DURATION ++ log_on_failure += HOST USERID ATTEMPT ++# nice = 10 ++ disable = yes + } diff --git a/proftpd-ftpasswd.patch b/proftpd-ftpasswd.patch new file mode 100644 index 0000000..9303550 --- /dev/null +++ b/proftpd-ftpasswd.patch @@ -0,0 +1,62 @@ +Index: contrib/ftpasswd +=================================================================== +--- contrib/ftpasswd.orig ++++ contrib/ftpasswd +@@ -32,8 +32,8 @@ use Getopt::Long; + $Getopt::Long::auto_abbrev = 0; + + my $program = basename($0); +-my $default_passwd_file = "./ftpd.passwd"; +-my $default_group_file = "./ftpd.group"; ++my $default_passwd_file = "/etc/proftpd/auth/passwd"; ++my $default_group_file = "/etc/proftpd/auth/group"; + my $shell_file = "/etc/shells"; + my $default_cracklib_dict = "/usr/lib/cracklib_dict"; + my $cracklib_dict; +@@ -1218,6 +1218,46 @@ usage: $program [--help] [--hash|--group + --version + Displays the version of $program. + ++Creating Files ++ ++The ftpasswd program can create and update files for both AuthUserFile and ++ AuthGroupFile. When it is used for the first time, the program will create ++ the necessary file. If that file already exists, ftpasswd will update it ++ with the new information. ++ ++ftpasswd must first know what type of file to create. Use either the ++ --passwd option (for handling AuthUserFiles), or the --group option ++ (for handling AuthGroupFiles); this is required. ++ ++When creating an AuthUserFile, the following options are also ++ required: --name, --uid, --home, and --shell. ++ This information is required by proftpd to authenticate a user. The optional ++ parameters for an AuthUserFile include --gid ++ (defaults to the given --uid argument when not provided) ++ and --gecos (not used by proftpd at all). For example: ++ ++ ftpasswd --passwd --name=bob --uid=1001 --home=/home/bob --shell=/bin/false ++ ++creates an account for user bob. ++ ++To create a file with a name or location other than the default ++ (which, for --passwd mode is /etc/proftpd/auth/passwd), use the --file option. ++ ++For example, to create the alternate password file in /usr/local/etc/ftpd/passwd: ++ ++ ftpasswd --passwd --file=/usr/local/etc/ftpd/passwd --name=bob --uid=1001 \ ++ --home=/home/bob --shell=/bin/false ++ ++For AuthGroupFiles, use --group: ++ ++ ftpasswd --group --name=group-name --gid=group-id --member=user-member1 \ ++ --member=user-member2 ... --member=user-memberN ++ ++The most common change to these files is made to AuthUserFiles, to change ++ a user's password. The --change-password option was provided just for this scenario: ++ ++ ftpasswd --passwd --name=user --change-password ++ + END_OF_USAGE + + exit 0; diff --git a/proftpd-limit.template b/proftpd-limit.template new file mode 100644 index 0000000..a9c283c --- /dev/null +++ b/proftpd-limit.template @@ -0,0 +1,6 @@ +### when you use spaces as separator then you can use it also with apache ;) +### just some examples + Allow from localhost 127.0.0.1 ::1 + Allow from 1.2.3.4 5.6.7.8 + Allow from .example.com .test.org + Allow from 2.3.4.5 11:22:33:44::/64 diff --git a/proftpd-no_BuildDate.patch b/proftpd-no_BuildDate.patch new file mode 100644 index 0000000..1633bd9 --- /dev/null +++ b/proftpd-no_BuildDate.patch @@ -0,0 +1,103 @@ +--- + Makefile.in | 14 ++++++-------- + contrib/mod_snmp/db.c | 2 +- + include/version.h | 2 -- + src/main.c | 6 ++---- + 4 files changed, 9 insertions(+), 15 deletions(-) + +Index: contrib/mod_snmp/db.c +=================================================================== +--- contrib/mod_snmp/db.c.orig ++++ contrib/mod_snmp/db.c +@@ -1122,7 +1122,7 @@ int snmp_db_get_value(pool *p, unsigned + return 0; + + case SNMP_DB_DAEMON_F_VERSION: +- *str_value = "ProFTPD Version " PROFTPD_VERSION_TEXT " (built at " BUILD_STAMP ")"; ++ *str_value = "ProFTPD Version " PROFTPD_VERSION_TEXT; + *str_valuelen = strlen(*str_value); + + pr_trace_msg(trace_channel, 19, +Index: src/main.c +=================================================================== +--- src/main.c.orig ++++ src/main.c +@@ -1989,8 +1989,8 @@ static void standalone_main(void) { + exit(1); + } + +- pr_log_pri(PR_LOG_NOTICE, "ProFTPD %s (built %s) standalone mode STARTUP", +- PROFTPD_VERSION_TEXT " " PR_STATUS, BUILD_STAMP); ++ pr_log_pri(PR_LOG_NOTICE, "ProFTPD %s standalone mode STARTUP", ++ PROFTPD_VERSION_TEXT " " PR_STATUS); + + daemon_loop(); + } +@@ -2145,7 +2145,6 @@ static void show_settings(void) { + + show_os_release(); + +- printf("%s", " Built: " BUILD_STAMP "\n"); + printf("%s", " Built With:\n configure " PR_BUILD_OPTS "\n\n"); + + printf("%s", " CFLAGS: " PR_BUILD_CFLAGS "\n"); +@@ -2742,7 +2741,6 @@ int main(int argc, char *argv[], char ** + if (show_version >= 2) { + printf("ProFTPD Version: %s", PROFTPD_VERSION_TEXT " " PR_STATUS "\n"); + printf(" Scoreboard Version: %08x\n", PR_SCOREBOARD_VERSION); +- printf(" Built: %s\n\n", BUILD_STAMP); + + modules_list2(NULL, PR_MODULES_LIST_FL_SHOW_VERSION); + +Index: Makefile.in +=================================================================== +--- Makefile.in.orig ++++ Makefile.in +@@ -47,17 +47,17 @@ include/buildstamp.h: + + dummy: + +-lib: include/buildstamp.h dummy ++lib: dummy + cd lib/ && $(MAKE) lib + +-src: include/buildstamp.h dummy ++src: dummy + cd src/ && $(MAKE) src + +-modules: include/buildstamp.h dummy ++modules: dummy + cd modules/ && $(MAKE) static + test -z "$(SHARED_MODULE_OBJS)" -a -z "$(SHARED_MODULE_DIRS)" || (cd modules/ && $(MAKE) shared) + +-utils: include/buildstamp.h dummy ++utils: dummy + cd utils/ && $(MAKE) utils + + clang-tidy: +@@ -66,10 +66,10 @@ clang-tidy: + -cd modules/ && $(MAKE) clang-tidy + # cd utils/ && $(MAKE) clang-tidy + +-locale: include/buildstamp.h dummy ++locale: dummy + test -z "$(ENABLE_NLS)" || (cd locale/ && $(MAKE) locale) + +-dirs: include/buildstamp.h dummy ++dirs: dummy + @dirs="$(DIRS)"; \ + for dir in $$dirs; do \ + if [ -d "$$dir" ]; then cd $$dir/ && $(MAKE); fi; \ +Index: include/version.h +=================================================================== +--- include/version.h.orig ++++ include/version.h +@@ -25,8 +25,6 @@ + #ifndef PR_VERSION_H + #define PR_VERSION_H + +-#include "buildstamp.h" +- + /* Application version (in various forms) */ + #define PROFTPD_VERSION_NUMBER 0x0001030808 + #define PROFTPD_VERSION_TEXT "1.3.8c" diff --git a/proftpd-ssl.README b/proftpd-ssl.README new file mode 100644 index 0000000..b83c7a8 --- /dev/null +++ b/proftpd-ssl.README @@ -0,0 +1,16 @@ +Place your CA.crt, crt and key file here and create sysmlinks like following ... + +ssl +├── proftpd.cacert.pem -> CA.crt +├── proftpd.cert.pem -> wildcard.example.com.crt +├── proftpd.key.pem -> wildcard.example.com.pem +├── CA.crt +├── wildcard.example.com.crt +└── wildcard.example.com.pem + +then: +copy conf.d/tls.template to conf.d/tls.conf + +finally: +uncomment '#Include /etc/proftpd/conf.d/*.conf' in proftp.conf + diff --git a/proftpd-strip.patch b/proftpd-strip.patch new file mode 100644 index 0000000..fecda7e --- /dev/null +++ b/proftpd-strip.patch @@ -0,0 +1,16 @@ +Index: ltmain.sh +=================================================================== +--- ltmain.sh.orig ++++ ltmain.sh +@@ -2056,7 +2056,10 @@ func_mode_install () + ;; + esac + if test -n "$tstripme" && test -n "$striplib"; then +- func_show_eval "$striplib $destdir/$realname" 'exit $?' ++ #func_show_eval "$striplib $destdir/$realname" 'exit $?' ++ echo "strip patch" ++ func_quote_for_expand "$striplib $destdir/$realname" ++ func_echo $func_quote_for_expand_result + fi + + if test "$#" -gt 0; then diff --git a/proftpd-tls.template b/proftpd-tls.template new file mode 100644 index 0000000..3127027 --- /dev/null +++ b/proftpd-tls.template @@ -0,0 +1,42 @@ +############################################################################### +# http://www.proftpd.org/docs/contrib/mod_tls.html +############################################################################### + + # If mod_tls was built as a shared/DSO module, load it + LoadModule mod_tls.c + + + + TLSEngine on + TLSLog /var/log/proftpd/tls.log + + # Support both SSLv3 and TLSv1, but they should not be used + # (known to be weak) + TLSProtocol TLSv1.1 TLSv1.2 + + # Are clients required to use FTP over TLS when talking to this server? + TLSRequired off + + # Server's RSA certificate + TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem + TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem + + # CA (or CA chain) to verify client certs + #TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem + + # CA (or CA chain) to verify certification path of server cert + TLSCertificateChainFile /etc/proftpd/ssl/proftpd.cacert.pem + + # Authenticate clients that want to use FTP over TLS? + TLSVerifyClient off + + # Allow SSL/TLS renegotiations when the client requests them, but + # do not force the renegotations. Some clients do not support + # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these + # clients will close the data connection, or there will be a timeout + # on an idle data connection. + TLSRenegotiate none + + # Should Server request a Clients Certificate and send valid CA list ? + TLSOptions NoSessionReuseRequired + diff --git a/proftpd.changes b/proftpd.changes new file mode 100644 index 0000000..c8c0cc1 --- /dev/null +++ b/proftpd.changes @@ -0,0 +1,839 @@ +------------------------------------------------------------------- +Thu Jan 9 17:25:19 UTC 2025 - chris@computersalat.de + +- 1.3.8c - Released 11-Dec-2024 + fix for boo#1233997 (CVE-2024-48651) + * http://proftpd.org/docs/NEWS-1.3.8c + gh#1830 - Supplemental group inheritance grants unintended access to GID 0 + due to lack of supplemental groups from mod_sql + https://github.com/proftpd/proftpd/issues/1830 +- rebase patch + * proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Thu Feb 29 14:45:47 UTC 2024 - Dominique Leuenberger + +- Use %autosetup macro. Allows to eliminate the usage of deprecated + %patchN. + +------------------------------------------------------------------- +Wed Jan 3 14:44:02 UTC 2024 - chris@computersalat.de + +- Update changes file + * add missing boo#1218144 (CVE-2023-48795) info + * add missing CVE-2023-51713 info + +------------------------------------------------------------------- +Wed Dec 27 21:52:11 UTC 2023 - chris@computersalat.de + +- 1.3.8b - Released 19-Dec-2023 + fix for boo#1218144 (CVE-2023-48795) + * http://proftpd.org/docs/NEWS-1.3.8b + * Implemented mitigations for "Terrapin" SSH attack (CVE-2023-48795). +- rebase patch + * proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Thu Nov 2 16:24:34 UTC 2023 - chris@computersalat.de + +- 1.3.8a - Released 08-Oct-2023 + fix for boo#1218344 (CVE-2023-51713): + gh#1683 - Out-of-bounds buffer read when handling FTP commands. + https://github.com/proftpd/proftpd/issues/1683 + * http://proftpd.org/docs/NEWS-1.3.8a + * Fixed builds when using OpenSSL 3.x + +------------------------------------------------------------------- +Wed Jan 25 21:05:11 UTC 2023 - chris@computersalat.de + +- 1.3.7f - Released 04-Dec-2022 + * Issue 1533 - mod_tls module unexpectedly allows TLS handshake after + authentication in some configurations. + * Bug 4491 - unable to verify signed data: signature type 'rsa-sha2-512' does + not match publickey algorithm 'ssh-rsa'. + +------------------------------------------------------------------- +Mon Jan 16 10:43:46 UTC 2023 - Stefan Schubert + +- Migration of PAM settings to /usr/lib/pam.d. + +------------------------------------------------------------------- +Thu Sep 1 19:28:50 UTC 2022 - chris@computersalat.de + +- Update proftpd-basic.conf.patch + * remove obsolete config option, LoginPasswordPrompt +- rework proftpd-dist.patch + +------------------------------------------------------------------- +Tue Aug 9 16:37:52 UTC 2022 - chris@computersalat.de + +- 1.3.7e - Released 23-Jul-2022 + * Issue 1448 - Ensure that mod_sftp algorithms work properly with OpenSSL 3.x. +- 1.3.7d - Released 23-Apr-2022 + * Issue 1321 - Crash with long lines in AuthGroupFile due to large realloc(3). + * Issue 1325 - NLST does not behave consistently for relative paths. + * Issue 1346 - Implement AllowForeignAddress class matching for passive data + transfers. + * Bug 4467 - DeleteAbortedStores removes successfully transferred files + unexpectedly. + * Issue 1401 - Keepalive socket options should be set using IPPROTO_TCP, not + SOL_SOCKET. + * Issue 1402 - TCP keepalive SocketOptions should apply to control as well as + data connection. + * Issue 1396 - ProFTPD always uses the same PassivePorts port for first + transfer. + * Issue 1369 - Name-based virtual hosts not working as expected after upgrade + from 1.3.7a to 1.3.7b. +- rebase proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Sun Mar 27 13:17:21 UTC 2022 - chris@computersalat.de + +- fix deps for SLES + +------------------------------------------------------------------- +Sat Mar 26 16:41:02 UTC 2022 - chris@computersalat.de + +- remove configure --disable-static + +------------------------------------------------------------------- +Tue Mar 1 18:37:02 UTC 2022 - chris@computersalat.de + +- Update to version 1.3.7c: + * http://proftpd.org/docs/NEWS-1.3.7c + * http://proftpd.org/docs/RELEASE_NOTES-1.3.7c +- Update patches + * harden_proftpd.service.patch + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch + * proftpd.spec + * proftpd_env-script-interpreter.patch + +------------------------------------------------------------------- +Wed Oct 20 13:16:36 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_proftpd.service.patch + Modified: + * proftpd.service + +------------------------------------------------------------------- +Thu Nov 19 14:16:47 UTC 2020 - Dominique Leuenberger + +- Update to version 1.3.6e: + + Invalid SCP command leads to null pointer dereference. +- Do not limit to openSSL < 1.1: proftpd has had support for + openSSL 1.1 sice version 1.3.6a. +- Rebase proftpd-no_BuildDate.patch. + +------------------------------------------------------------------- +Fri Jun 5 11:02:29 UTC 2020 - chris@computersalat.de + +- update to 1.3.6d + * Issue 857 - Fixed regression in the handling of `%{env:...}` configuration + variables when the environment variable is not present. + * Issue 940 - Second LIST of the same symlink shows different results. + * Issue 959 - FTPS uploads using TLSv1.3 are likely to fail unexpectedly. + * Issue 980 - mod_sftp sends broken response when CREATETIME attribute is + requested. + * Bug 4398 - Handle zero-length SFTP WRITE requests without error. + * Issue 1018 - PidFile should not be world-writable. + * Issue 1014 - TLSv1.3 handshake fails due to missing session ticket key on + some systems. + * Issue 1023 - Lowercased FTP commands not properly identified. +- rebase proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Mon Feb 24 17:06:07 UTC 2020 - chris@computersalat.de + +- fix for boo#1164572 (CVE-2020-9272, gh#902) +- fix for boo#1164574 (CVE-2020-9273, gh#903) +- update to 1.3.6c + * Fixed regression in directory listing latency (Issue #863). + * Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for + converting them to supported format. + * Fixed use-after-free vulnerability during data transfers (Issue #903). + * Fixed out-of-bounds read in mod_cap by updating the bundled libcap + (Issue #902). +- remove obsolete proftpd-tls-crls-issue859.patch +- rebase patches + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch + * proftpd_env-script-interpreter.patch + +------------------------------------------------------------------- +Sat Feb 1 17:25:05 UTC 2020 - chris@computersalat.de + +- cleanup tls.template + * remove deprecated NoCertRequest from TLSOptions + +------------------------------------------------------------------- +Sat Dec 28 20:45:30 UTC 2019 - chris@computersalat.de + +- fix changes file + * add missing info about boo#1155834 + * add missing info about boo#1154600 +- fix for boo#1156210 + * GeoIP has been discontinued by Maxmind + * remove module build for geoip + see https://support.maxmind.com/geolite-legacy-discontinuation-notice/ +- fix for boo#1157803 (CVE-2019-19269), boo#1157798 (CVE-2019-19270) + * add upstream patch proftpd-tls-crls-issue859.patch + +------------------------------------------------------------------- +Sun Nov 3 22:25:28 UTC 2019 - chris@computersalat.de + +- fix for boo#1154600 (CVE-2019-18217, gh#846) +- update to 1.3.6b + * Fixed pre-authentication remote denial-of-service issue (Issue #846). + * Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824). +- update to 1.3.6a + * Fixed symlink navigation (Bug#4332). + * Fixed building of mod_sftp using OpenSSL 1.1.x releases (Issue#674). + * Fixed SITE COPY honoring of restrictions (Bug#4372). + * Fixed segfault on login when using mod_sftp + mod_sftp_pam (Issue#656). + * Fixed restarts when using mod_facl as a static module +- remove obsolete proftpd-CVE-2019-12815.patch + * included in 1.3.6a (Bug#4372) +- add proftpd_env-script-interpreter.patch + * RPMLINT fix for env-script-interpreter (Badness: 9) + +------------------------------------------------------------------- +Sat Nov 2 18:12:51 UTC 2019 - Martin Hauke + +- fix for boo#1155834 + * Add missing Requires(pre): group(ftp) for Leap 15 and Tumbleweed + * Add missing Requires(pre): user(ftp) for Leap 15 and Tumbleweed + +------------------------------------------------------------------- +Wed Oct 2 15:01:11 UTC 2019 - Bernhard Wiedemann + +- Update proftpd-dist.patch to use pam_keyinit.so (boo#1144056) + +------------------------------------------------------------------- +Fri Aug 2 14:52:48 UTC 2019 - chris@computersalat.de + +- fix for boo#1142281 (CVE-2019-12815, bpo#4372) + arbitrary file copy in mod_copy allows for remote code execution + and information disclosure without authentication +- add patch + * proftpd-CVE-2019-12815.patch + taken from: + - http://bugs.proftpd.org/show_bug.cgi?id=4372 + - https://github.com/proftpd/proftpd/commit/a73dbfe3b61459e7c2806d5162b12f0957990cb3 + +------------------------------------------------------------------- +Mon Jul 1 13:50:01 UTC 2019 - chris@computersalat.de + +- update changes file + * add missing info about bugzilla 1113041 + +------------------------------------------------------------------- +Tue Mar 26 11:35:53 UTC 2019 - Jan Engelhardt + +- Fix the Factory build: select the appropriate OpenSSL version + to build with. (fix for boo#1113041) + +------------------------------------------------------------------- +Wed Mar 20 18:46:47 UTC 2019 - Jan Engelhardt + +- Reduce hard dependency on systemd to only that which is + necessary for building and installation. +- Modernize RPM macro use (%make_install, %tmpfiles_create). +- Strip emphasis from description and trim other platform mentions. + +------------------------------------------------------------------- +Wed Jul 11 08:05:29 UTC 2018 - chris@computersalat.de + +- update to 1.3.6 + * Support for using Redis for caching, logging; see the doc/howto/Redis.html + documentation. + * Fixed mod_sql_postgres SSL support (Issue #415). + * Support building against LibreSSL instead of OpenSSL (Issue #361). + * Better support on AIX for login restraictions (Bug #4285). + * TimeoutLogin (and other timeouts) were not working properly for SFTP + connections (Bug#4299). + * Handling of the SIGILL and SIGINT signals, by the daemon process, now causes + the child processes to be terminated as well (Issue #461). + * RPM .spec file naming changed to conform to Fedora guidelines. + * Fix for "AllowChrootSymlinks off" checking each component for symlinks + (CVE-2017-7418). + -New Modules: + * mod_redis, mod_tls_redis, mod_wrap2_redis + With Redis now supported as a caching mechanism, similar to Memcache, + there are now Redis-using modules: mod_redis (for configuring the Redis + connection information), mod_tls_redis (for caching SSL sessions and + OCSP information using Redis), and mod_wrap2_redis (for using ACLs stored + in Redis). + -Changed Modules: + * mod_ban + The mod_ban module's BanCache directive can now use Redis-based caching; + see doc/contrib/mod_ban.html#BanCache. + -New Configuration Directives + * SQLPasswordArgon2, SQLPasswordScrypt + The key lengths for Argon2 and Scrypt-based passwords are now configurable + via these new directives; previously, the key length had been hardcoded + to be 32 bytes, which is not interoperable with all other implementations + (Issue #454). + -Changed Configuration Directives + * AllowChrootSymlinks + When "AllowChrootSymlinks off" was used, only the last portion of the + DefaultRoot path would be checked to see if it was a symlink. Now, + each component of the DefaultRoot path will be checked to see if it is + a symlink when "AllowChrootSymlinks off" is used. + * Include + The Include directive can now be used within a section, e.g.: + + Include /path/to/allowed.txt + DenyAll + + -API Changes + * A new JSON API has been added, for use by third-party modules. +- remove obsolete proftpd_include-in-limit-section.patch +- rebase patches + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Tue Jul 10 11:57:58 UTC 2018 - chris@computersalat.de + +- update to 1.3.5e + * Fixed SFTP issue with umac-64@openssh.com digest/MAC. + * Fixed regression with mod_sftp rekeying. + * Backported fix for "AllowChrootSymlinks off" checking each component + for symlinks (CVE-2017-7418). +- remove obsolete patch + * proftpd-AllowChrootSymlinks.patch (now included) +- rebase patches + * proftpd-dist.patch + * proftpd-no_BuildDate.patch + * proftpd_include-in-limit-section.patch + +------------------------------------------------------------------- +Fri Jul 21 04:43:44 UTC 2017 - bwiedemann@suse.com + +- Sort SHARED_MODS list to fix build compare (boo#1041090) + +------------------------------------------------------------------- +Fri Jun 16 08:28:42 UTC 2017 - nmoudra@suse.com + +- Removed xinetd service + +------------------------------------------------------------------- +Fri Apr 7 20:49:37 UTC 2017 - chris@computersalat.de + +- fix for boo#1032443 (CVE-2017-7418) + * AllowChrootSymlinks not enforced by replacing a path component + with a symbolic link + * add upstream commit (ecff21e0d0e84f35c299ef91d7fda088e516d4ed) + as proftpd-AllowChrootSymlinks.patch +- fix proftpd-tls.template + * reduce TLS protocols to TLSv1.1 and TLSv1.2 + * disable TLSCACertificateFile + * add TLSCertificateChainFile + +------------------------------------------------------------------- +Thu Mar 23 15:05:22 UTC 2017 - jengelh@inai.de + +- Remove --with-pic, there are no static libs. +- Replace %__-type macro indirections. +- Replace old $RPM shell vars by macros. + +------------------------------------------------------------------- +Mon Mar 6 22:32:07 UTC 2017 - chris@computersalat.de + +- fix and update proftpd-basic.conf.patch +- add some sample config and templates for tls + * proftpd-tls.template + * proftpd-limit.conf + * proftpd-ssl.README + +------------------------------------------------------------------- +Sun Feb 5 20:03:18 UTC 2017 - chris@computersalat.de + +- backport upstream feature + * include-in-limit-section (gh#410) + * add proftpd_include-in-limit-section.patch + +------------------------------------------------------------------- +Tue Jan 17 19:53:55 UTC 2017 - chris@computersalat.de + +- update to 1.3.5d + * gh#4283 - All FTP logins treated as anonymous logins again. This is a + regression of gh#3307. + +------------------------------------------------------------------- +Sun Jan 15 21:01:43 UTC 2017 - chris@computersalat.de + +- update to 1.3.5c + * SSH rekey during authentication can cause issues with clients. + * Recursive SCP uploads of multiple directories not handled properly. + * LIST returns different results for file, depending on path syntax. + * "AuthAliasOnly on" in server config breaks anonymous logins. + * CapabilitiesEngine directive not honored for / + sections. + * Support OpenSSL 1.1.x API. + * Memory leak when mod_facl is used. +-rebase proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Sat Aug 27 22:42:48 UTC 2016 - chris@computersalat.de + +- fix systemd vs SysVinit + +------------------------------------------------------------------- +Sun May 8 22:05:07 UTC 2016 - jengelh@inai.de + +- Remove redundant spec sections +- Ensure systemd-tmpfiles is called for the provied config file + +------------------------------------------------------------------- +Sun May 8 19:25:45 UTC 2016 - chris@computersalat.de + +- fix for boo#970890 (CVE-2016-3125) +- update to 1.3.5b: + http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b + * SSH RSA hostkeys smaller than 2048 bits now work properly. + * MLSD response lines are now properly CRLF terminated. + * Fixed selection of DH groups from TLSDHParamFile. +- rebase proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Sun May 31 18:54:45 UTC 2015 - chris@computersalat.de + +- fix for boo#927290 (CVE-2015-3306) +- update to 1.3.5a: + See http://www.proftpd.org/docs/NEWS-1.3.5a +- rebase patches + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch +- remove gpg-offline dependency +- fix permissions on passwd file + * unable to use world-readable AuthUserFile '.../passwd' (perms 0644): + * 0644 -> 0440 + +------------------------------------------------------------------- +Mon Sep 1 22:04:02 UTC 2014 - andreas.stieger@gmx.de + +- ProFTPD 1.3.5 + * Added support for SHA-256, SHA-512 password hashes to the ftpasswd tool + * New Modules + mod_geoip, mod_log_forensic, mod_rlimit, mod_snmp, mod_dnsbl + * mod_sftp now supports ECC, ECDSA, ECDH + * Improved FIPS support in mod_sftp. + * mod_sftp module now honors the MaxStoreFileSize directive. + * Many new and changed configuration directives +- update proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Mon Sep 1 19:00:57 UTC 2014 - andreas.stieger@gmx.de + +- proftpd 1.3.4e: + Multiple other backported fix from the 1.3.5 branch. + See http://www.proftpd.org/docs/NEWS-1.3.4e +- The fix for the mod_sftp/mod_sftp_pam memory allocation + (CVE-2013-4359) contained in this release was previously patched + into the package. +- adjust proftpd-no_BuildDate.patch for context changes +- remove proftpd-sftp-kbdint-max-responses-bug3973.patch, upstream + +------------------------------------------------------------------- +Tue Mar 25 19:56:04 UTC 2014 - crrodriguez@opensuse.org + +- Remove tcpd-devel from buildRequires and mod_wrap. + support for tcp_wrappers style /etc/hosts.* is provided + by mod_wrap2_file instead, the latter does not require tcpd. + +------------------------------------------------------------------- +Mon Mar 17 18:38:53 UTC 2014 - chris@computersalat.de + +- fix for bnc#844183 + * proftpd fails to start due to missing /run/proftpd +- add own tmpfiles.d file + * proftpd.tmpfile + +------------------------------------------------------------------- +Thu Oct 3 20:48:44 UTC 2013 - chris@computersalat.de + +- update to 1.3.4d + * Fixed broken build when using --disable-ipv6 configure option + * Fixed mod_sql "SQLAuthType Backend" MySQL issues +- fix for bnc#843444 (CVE-2013-4359) + * http://bugs.proftpd.org/show_bug.cgi?id=3973 + * add proftpd-sftp-kbdint-max-responses-bug3973.patch + +------------------------------------------------------------------- +Mon Jul 29 01:12:53 UTC 2013 - crrodriguez@opensuse.org + +- Improve systemd service file +- use upstream tmpfiles.d file. related to [bnc#811793] +- Use /run instead of /var/run + +------------------------------------------------------------------- +Wed May 1 20:35:19 UTC 2013 - chris@computersalat.de + +- update to 1.3.4c + * Added Spanish translation. + * Fixed several mod_sftp issues, including SFTPPassPhraseProvider, + handling of symlinks for REALPATH requests, and response code logging. + * Fixed symlink race for creating directories when UserOwner is in effect. + * Increased performance of FTP directory listings. +- rebase and rename patches (remove version string) + * proftpd-1.3.4a-dist.patch -> proftpd-dist.patch + * proftpd-1.3.4a-ftpasswd.patch -> proftpd-ftpasswd.patch + * proftpd-1.3.4a-strip.patch -> proftpd-strip.patch + +------------------------------------------------------------------- +Fri Feb 8 00:19:19 UTC 2013 - chris@computersalat.de + +- fix proftpd.conf (rebase basic.conf patch) + * IdentLookups is now a seperate module + IdentLookups on/off + is needed and module is not built cause crrodriguez disabled it. + +------------------------------------------------------------------- +Thu Nov 29 19:03:00 CET 2012 - sbrabec@suse.cz + +- Verify GPG signature. + +------------------------------------------------------------------- +Fri Nov 2 15:15:25 UTC 2012 - chris@computersalat.de + +- fix for bnc#787884 + (https://bugzilla.novell.com/show_bug.cgi?id=787884) + * added extra Source proftpd.conf.tmpfile + +------------------------------------------------------------------- +Thu Aug 30 17:33:30 UTC 2012 - crrodriguez@opensuse.org + +- Disable ident lookups, this protocol is totally obsolete + and dangerous. (add --disable-ident) +- Fix debug info generation ( add --disable-strip) + +------------------------------------------------------------------- +Wed Aug 29 21:51:49 UTC 2012 - crrodriguez@opensuse.org + +- Add systemd unit + +------------------------------------------------------------------- +Tue Aug 14 11:11:28 UTC 2012 - chris@computersalat.de + +- update to 1.3.4b + + Fixed mod_ldap segfault on login when LDAPUsers with no filters used. + + Fixed sporadic SFTP upload issues for large files. + + Fixed SSH2 handling for some clients (e.g. OpenVMS). + + New FactsOptions directive; see doc/modules/mod_facts.html#FactsOptions + + Fixed build errors on Tru64, AIX, Cygwin. +- add Source Signatuire (.asc) file +- add noBuildDate patch +- add lang pkg + * --enable-nls +- add configure option + * --enable-openssl, --with-lastlog + +------------------------------------------------------------------- +Mon Dec 12 15:00:18 UTC 2011 - chris@computersalat.de + +- update to 1.3.4a + + Fixed mod_load/mod_wrap2 build issues. +- 1.3.4 + + New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation + for details. + + Improved configure script for cross-compiling. + + Reworked the proftpd.spec RPM file + + Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD. + + New "IgnoreSFTPSetTimes" SFTPOption added; see the SFTPOptions + documentation for details. + + Fixed response pool use-after-free issue. +- for more info please see the RELEASE_NOTES file +- reworked patches + * now p0 patches + +------------------------------------------------------------------- +Fri Nov 18 14:56:41 UTC 2011 - chris@computersalat.de + +- fix for bnc#731347 + * no (hostname -s) in post section + * reworked basic conf patch + +------------------------------------------------------------------- +Fri Nov 11 13:13:57 UTC 2011 - chris@computersalat.de + +- fix changelog + * RELEASE_NOTES-1.3.3g is lacking of important info +- fix for CVE-2011-4130 (bnc#729830) + * https://bugzilla.novell.com/show_bug.cgi?id=729830 + (upstream) http://bugs.proftpd.org/show_bug.cgi?id=3711 + => fixed with version 1.3.3g + +------------------------------------------------------------------- +Thu Nov 10 09:39:36 UTC 2011 - chris@computersalat.de + +- update to 1.3.3g + (http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3g) + + New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation + for details. + + Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD. + (http://www.proftpd.org/docs/NEWS-1.3.3g) + - Bug 3702 - ProFTPD with mod_sql_mysql dies of "Alarm clock" on FreeBSD. + - Bug 3704 - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks. + To disable this countermeasure, which may cause interoperability issues + with some clients, use the NoEmptyFragments TLSOption. + - Bug 3711 - Response pool use-after-free memory corruption error. + +------------------------------------------------------------------- +Tue Oct 4 22:03:10 UTC 2011 - chris@computersalat.de + +- update to 1.3.3f + + Fixes segfault if mod_sql_mysql and "SQLAuthenticate groupsetfast" + configuration used. + + Fixes mod_wrap syslog level (regression from Bug#3317). + + Fixes mod_ifsession segfault if regular expression patterns used in + a section. + +------------------------------------------------------------------- +Fri Apr 29 11:18:55 UTC 2011 - chris@computersalat.de + +- push to Factory + o fix changelog (not in sequence) + o fix license (GPL -> GPLv2+) + o remove Author from description + o remove obsolete extra source proftpd.conf + +------------------------------------------------------------------- +Fri Apr 8 22:08:55 UTC 2011 - chris@computersalat.de + +- update to 1.3.3e + + Display messages work properly again. + + Fixes plaintext command injection vulnerability in FTPS implementation + (i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for + details. + + Fixes CVE-2011-1137 (badly formed SSH messages cause DoS). See + http://bugs.proftpd.org/show_bug.cgi?id=3586 for details. + + Performance improvements, especially during server startup/restarts. + +------------------------------------------------------------------- +Sun Jan 30 20:40:10 UTC 2011 - chris@computersalat.de + +- update to 1.3.3d + + Fixed sql_prepare_where() buffer overflow (Bug#3536) + + Fixed CPU spike when handling .ftpaccess files. + + Fixed handling of SFTP uploads when compression is used. + +------------------------------------------------------------------- +Fri Oct 22 23:26:10 UTC 2010 - mseben@gmail.com + +- update to 1.3.3c + + Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925) + + Fixed directory traversal bug in mod_site_misc + + Fixed SQLite authentications using "SQLAuthType Backend" + +------------------------------------------------------------------- +Fri Oct 22 17:49:06 UTC 2010 - chris@computersalat.de + +- clenaup spec +- fix doc pkg + o should not provide pkgconfig + +------------------------------------------------------------------- +Fri Oct 15 14:13:43 UTC 2010 - chris@computersalat.de + +- update to 1.3.3b + + Fixed SFTP directory listing bug + + Avoid corrupting utmpx databases on FreeBSD + + Avoid null pointer dereferences during data transfers + + Fixed "AuthAliasOnly on" anonymous logins +- rpmlint: no-pkg-config-provides + o add BuildReq pkg-config +- removed changes from spec + +------------------------------------------------------------------- +Wed Jul 7 14:17:45 UTC 2010 - chris@computersalat.de + +- update to 1.3.3a + + Added Japanese translation + + Many mod_sftp bugfixes + + Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later + + Fixed handling of utmp/utmpx format changes on FreeBSD +- rpmlint: self-obsoletion + +------------------------------------------------------------------- +Wed May 5 14:01:02 UTC 2010 - mseben@novell.com + +- fix build : dir-or-file-in-var-run badness : /var/run/proftpd dir + is marked as ghost and it is created in init script now + +------------------------------------------------------------------- +Fri Apr 9 15:44:32 UTC 2010 - mseben@novell.com + +- added ncurses-devel to buildrequires to fix ftptop message : "no + curses or ncurses library on this system" + +------------------------------------------------------------------- +Fri Feb 26 16:01:47 UTC 2010 - chris@computersalat.de + +- added info for "STABLE" versions only + +------------------------------------------------------------------- +Thu Feb 25 00:14:20 UTC 2010 - chris@computersalat.de + +- update to 1.3.3 + o Fixed mod_ban whitelisting using mod_ifsession. + o Fixed per-user/group/class "HideFiles none" configurations. + - 1.3.3rc4 + o Fixed mod_tls compilation using OpenSSL installations older + than 0.9.7. + o Fixed mod_sftp compilation on AIX. + o Fixed RADIUS authentication on 64-bit platforms + o Fixed memory leak in SCP downloads. + o New configuration directives + SQLPasswordUserSalt + The SQLPasswordUserSalt directive can be used to configure + per-user salt data to be added to the encrypted password + for a user. The salt can be the user name, or it can be + the result of a SQL query. More information can be found in + doc/contrib/mod_sql_passwd.html#SQLPasswordUserSalt. + +------------------------------------------------------------------- +Wed Feb 10 16:10:32 CET 2010 - diego.ercolani@gmail.com + +- update to 1.3.3rc3 +- try to be compatible with osc :-) + +------------------------------------------------------------------- +Sun Dec 20 19:39:10 UTC 2009 - chris@computersalat.de + +- update to 1.3.2c + o Bug and regression fixes. +- removed obsolete CVE patch + +------------------------------------------------------------------- +Mon Oct 26 12:35:29 UTC 2009 - mseben@novell.com + +- fixed CVE-2009-3639 : mod_tls security issue (bnc#549740) + +------------------------------------------------------------------- +Wed Sep 16 18:17:04 UTC 2009 - alexandre@exatati.com.br + +- Update tarball to its upstream version without + bzipped patch; +- Removed blank spaces at enf of lines on spec file; +- Replaced tab characters on spec file. + +------------------------------------------------------------------- +Wed Sep 16 11:20:20 UTC 2009 - chris@computersalat.de + +- update to 1.3.2 (1.3.2a) + o many bugfixes, read ChangeLog or NEWS + o include 1.3.2a upstream patch + o removed old patches + * proftpd-1.3.1-umode_t.patch + * proftpd-1.3.1-O_CREAT.patch + * proftpd-1.3.1-libcap.patch + * proftpd-1.3.1-CVE-2009-0542.patch + * proftpd-1.3.1-CVE-2009-0543.patch + o reworked basic.conf.patch +- spec mods + o removed ^#----- + o removed {rel} + o clean + * rm -rf RPM_BUILD_ROOT + o added sub sqlite +- fixed deps + o BuildRequires: sqlite3-devel unixODBC-devel +- rpmlint + o description-shorter-than-summary + o source-or-patch-not-bzipped proftpd-1.3.2a.patch + +------------------------------------------------------------------- +Tue Jul 7 22:21:50 CEST 2009 - chris@computersalat.de + +- added proftpd.passwd + o it is an initial passwd for virtuser and + anonymous login works well with it :) + +------------------------------------------------------------------- +Mon Jul 6 22:16:46 CEST 2009 - chris@computersalat.de + +- added ftpasswd.patch +- rework of basic.conf patch +- removed README.AIX + +------------------------------------------------------------------- +Thu Apr 16 01:54:23 CEST 2009 - chris@computersalat.de + +- added basic.conf patch +- added dist.patch + o fix for xinetd, logrotate, pam +- some more subpackages + o ldap, mysql, pgsql, radius +- added ftpasswd for simple virtuser support +- added auth DIR /etc/proftpd/auth + o passwd for virtuser +- added conf.d DIR /etc/proftpd/conf.d + o configs for inclusion +- added log DIR /var/log/proftpd +- beautify init file +- beautify spec file + +------------------------------------------------------------------- +Wed Feb 18 10:40:55 CET 2009 - mseben@suse.cz + +- added proftpd.conf with uploads section + +------------------------------------------------------------------- +Fri Feb 13 16:55:01 CET 2009 - mseben@suse.cz + +- fixed sql injection vulnerability which allows remote attackers + to execute arbitrary SQL commands via a "%" character + CVE-2009-0542.patch (bnc#475316) +- fixed vulnerability which allows remote attackers to bypass SQL + injection protection mechanisms via invalid, encoded multibyte + characters CVE-2009-0543.patch (bnc#475316) + +------------------------------------------------------------------- +Mon Jan 26 14:19:45 CET 2009 - mseben@suse.cz + +- splitted HTML doc to proftpd-doc +- added %post and %postun macro to spec + +------------------------------------------------------------------- +Thu Jan 22 13:58:33 CET 2009 - mseben@suse.cz + +- fixed missing third argument in open function (*-O_CREAT.patch) +- disabled striping libraries (*-no_strip.patch) +- fixed configure script (*-umode_t.patch) +- added -DLDAP_DEPRECATED to CFLAGS because of deprecated ldap_init + function +- disabled contrib scripts for now +- fixed handling _LINUX_CAPABILITY_VERSION on newer linux kernel. + (proftpd-*-libcap.patch) + +------------------------------------------------------------------- +Wed Aug 20 12:43:56 CEST 2008 - mrueckert@suse.de + +- disabled debugging stuff for now + +------------------------------------------------------------------- +Fri Oct 19 11:58:42 CEST 2007 - mrueckert@suse.de + +- enabled missing modules (mod_ban,mod_wrap2*,mod_quota_radius) + and replaced the hardcoded value for --with-shared with a + dynamically generated list + +------------------------------------------------------------------- +Sat Oct 6 03:42:39 CEST 2007 - mrueckert@suse.de + +- update to 1.3.1: + Many bugfixes and new features like dynamic blacklisting of + clients, improved SQL handling, and quotas. +- added --enable-devel=coredump,nodaemon,nofork +- added devel subpackage for the headers + +------------------------------------------------------------------- +Wed Nov 29 04:11:44 CET 2006 - mrueckert@suse.de + +- update to 1.3.0a: + fixes a remote code execution. CVE-2006-5815 + (http://bugs.proftpd.org/show_bug.cgi?id=2858) + diff --git a/proftpd.init b/proftpd.init new file mode 100644 index 0000000..70a1f79 --- /dev/null +++ b/proftpd.init @@ -0,0 +1,222 @@ +#! /bin/sh +# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany. +# All rights reserved. +# +# Author: Kurt Garloff +# Please send feedback to http://www.suse.de/feedback/ +# +# /etc/init.d/proftpd +# and its symbolic link +# /(usr/)sbin/rcproftpd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +### BEGIN INIT INFO +# Provides: proftpd +# Required-Start: $syslog $remote_fs +# Should-Start: $time ypbind sendmail +# Required-Stop: $syslog $remote_fs +# Should-Stop: $time ypbind sendmail +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: ProFTPD daemon +# Description: Start ProFTPD to allow XY and provide YZ +### END INIT INFO +# +# Note on runlevels: +# 0 - halt/poweroff 6 - reboot +# 1 - single user 2 - multiuser without network exported +# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) +# +# Note on script names: +# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html +# A registry has been set up to manage the init script namespace. +# http://www.lanana.org/ +# Please use the names already registered or register one or use a +# vendor prefix. + + +# Check for missing binaries (stale symlinks should not happen) +# Note: Special treatment of stop for LSB conformance +PROFTPD_BIN=/usr/sbin/proftpd +test -x $PROFTPD_BIN || { echo "$PROFTPD_BIN not installed"; + if [ "$1" = "stop" ]; then exit 0; + else exit 5; fi; } + +PROFTPD_RUNDIR=/var/run/proftpd +# Check for existence of needed config file and read it +#PROFTPD_CONFIG=/etc/sysconfig/proftpd +#test -r $PROFTPD_CONFIG || { echo "$PROFTPD_CONFIG not existing"; +# if [ "$1" = "stop" ]; then exit 0; +# else exit 6; fi; } +# +# Read config +#. $PROFTPD_CONFIG + +# Source LSB init functions +# providing start_daemon, killproc, pidofproc, +# log_success_msg, log_failure_msg and log_warning_msg. +# This is currently not used by UnitedLinux based distributions and +# not needed for init scripts for UnitedLinux only. If it is used, +# the functions from rc.status should not be sourced or used. +#. /lib/lsb/init-functions + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v be verbose in local rc status and clear it afterwards +# rc_status -v -r ditto and clear both the local and overall rc status +# rc_status -s display "skipped" and exit with status 3 +# rc_status -u display "unused" and exit with status 3 +# rc_failed set local and overall rc status to failed +# rc_failed set local and overall rc status to +# rc_reset clear both the local and overall rc status +# rc_exit exit appropriate to overall rc status +# rc_active checks whether a service is activated by symlinks +. /etc/rc.status + +# Reset status of this service +rc_reset + +# Return values acc. to LSB for all commands but status: +# 0 - success +# 1 - generic or unspecified error +# 2 - invalid or excess argument(s) +# 3 - unimplemented feature (e.g. "reload") +# 4 - user had insufficient privileges +# 5 - program is not installed +# 6 - program is not configured +# 7 - program is not running +# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) +# +# Note that starting an already running service, stopping +# or restarting a not-running service as well as the restart +# with force-reload (in case signaling is not supported) are +# considered a success. + +case "$1" in + start) + if [ ! -d $PROFTPD_RUNDIR ]; then + mkdir -p $PROFTPD_RUNDIR + fi + echo -n "Starting proftpd " + ## Start daemon with startproc(8). If this fails + ## the return value is set appropriately by startproc. + /sbin/startproc $PROFTPD_BIN + + # Remember status and be verbose + rc_status -v + ;; + stop) + echo -n "Shutting down proftpd " + ## Stop daemon with killproc(8) and if this fails + ## killproc sets the return value according to LSB. + /sbin/killproc -TERM $PROFTPD_BIN + + # Remember status and be verbose + rc_status -v + ;; + try-restart|condrestart) + ## Do a restart only if the service was active before. + ## Note: try-restart is now part of LSB (as of 1.9). + ## RH has a similar command named condrestart. + if test "$1" = "condrestart"; then + echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" + fi + $0 status + if test $? = 0; then + $0 restart + else + rc_reset # Not running is not a failure. + fi + + # Remember status and be quiet + rc_status + ;; + restart) + ## Stop the service and regardless of whether it was + ## running or not, start it again. + $0 stop + $0 start + + # Remember status and be quiet + rc_status + ;; + force-reload) + echo -n "Reload service proftpd " + ## Signal the daemon to reload its config. Most daemons + ## do this on signal 1 (SIGHUP). + ## If it does not support it, restart the service if it + ## is running. + # if it supports it: + /sbin/killproc -HUP $PROFTPD_BIN + #touch /var/run/proftpd.pid + + # Remember status and be verbose + rc_status -v + + ## Otherwise: + #$0 try-restart + #rc_status + ;; + reload) + echo -n "Reload service proftpd " + ## Like force-reload, but if daemon does not support + ## signaling, do nothing (!) + # If it supports signaling: + /sbin/killproc -HUP $PROFTPD_BIN + #touch /var/run/proftpd.pid + + # Remember status and be verbose + rc_status -v + + ## Otherwise if it does not support reload: + #rc_failed 3 + #rc_status -v + ;; + status) + echo -n "Checking for service proftpd " + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + # Return value is slightly different for the status command: + # 0 - service up and running + # 1 - service dead, but /var/run/ pid file exists + # 2 - service dead, but /var/lock/ lock file exists + # 3 - service not running (unused) + # 4 - service status unknown :-( + # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) + + # NOTE: checkproc returns LSB compliant status values. + /sbin/checkproc $PROFTPD_BIN + # NOTE: rc_status knows that we called this init script with + # "status" option and adapts its messages accordingly. + + # Remember status and be verbose + rc_status -v + ;; + probe) + ## Optional: Probe for the necessity of a reload, print out the + ## argument to this init script which is required for a reload. + ## Note: probe is not (yet) part of LSB (as of 1.9) + + test /etc/proftpd/proftpd.conf -nt $PROFTPD_RUNDIR/proftpd.pid && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" + exit 1 + ;; +esac +rc_exit diff --git a/proftpd.keyring b/proftpd.keyring new file mode 100644 index 0000000..265962c --- /dev/null +++ b/proftpd.keyring @@ -0,0 +1,33 @@ +pub 1024D/A511976A 2002-05-12 +uid TJ Saunders +sub 2048g/8C26F9DE 2002-05-12 + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.19 (GNU/Linux) + +mQGiBDze4PkRBADtl8nbLuIgZkIdl6fUj9/LOBXGrtP5B8cTgDjBlURronHtLzkQ +oHqNS8zmh5gmg8F6EMnCy6tqTGlQ3OylhY2u8fBUFJZk0RpaGYka0SI+hkNn/Hmu +GLXs4+5RKIuL1lp1DFv2L2S+Qp3xFs0vYJsrdi7nRhM1/LqN9S0pr2/i9QCg/5bD +AMS9qiVZvd7E0464cWWUXDsD/2z7fwPUFD23bHGSpifSl8jOqUuOWf5lhJqXLpHZ +TnSsO+rOi5dXdB1fPwgvwFnv7akFStTpXaRq1XdB33/QTwWNO3DBXKe8VkBivXTY +nWHLiktQwoY06Ws6r2cYxfgRhoHBSQFR/e1OhURaV8d0nSZsISrUyOREAYFUZT0L +s0jHBADcNSLHoehRf69mBEh3SMk+hiNse8r0VTcE6aJ5AISE6famDQw9cQh8gdmf +R5LrN/QbF4qQ2jWrfzhkVB6oslyghk3KCncFMnmT/4QpPVfSeTon3yM0Sz9Gtr2Q +YRp6Qhy7RgnoJ35bMaleww18WKOJtS840PRikboy5XFXt14gvbQeVEogU2F1bmRl +cnMgPHRqQGNhc3RhZ2xpYS5vcmc+iFYEEBECAA4FAjze4PkECwMBAgIZAQASCRC3 +jok/pRGXagdlR1BHAAEB4EMAoL0MfmR26WnBxfQAUFD1bMnSO95EAKC1jnqqe9Xq +TPTsGWOZwNGc13nTmLkCDQQ83uD7EAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bx +brlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJP +PT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrU +GvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVb +GI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcp +esqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAgf+ORAr +y8LE18PVKiJk9/bpZ+LzSQ/kgNKDjqRsqT8HOFjToIpbbY1lOBErEr7OedJGK3ra +g1q8vD+kNK4MZdNcEeIcaMG7TnArOJ4zNZzKBQQzZp8hdv8heirfhJtb5MdFO2MI +N2+I9OoeUXNX1GVxYQJkuHpvsbqbZ6P2bRYwPUmnSAy6y2yy3ZmTZDD6ItaUaTIA +JbT8myTljeO4vz80nWldpUZfVtwkCRczjL7GYvwGbg1DZ45ND1pq9Kp5jqybevYw +d2a/7es+PgWQxy6qRFW3j95lm9Dd7ha29trziinxZ5GevUgyPIcs5SCQUG+cb5Yb +VUpLxGrHLKoW/mdBCYhOBBgRAgAGBQI83uD7ABIJELeOiT+lEZdqB2VHUEcAAQE1 +CwCdGzQx8HHoe2O+tc3ymntAdNl7kLYAoNN0gN75bS/ZWBrKrLR0ne6JAdkO +=X5Db +-----END PGP PUBLIC KEY BLOCK----- diff --git a/proftpd.passwd b/proftpd.passwd new file mode 100644 index 0000000..62e7dd6 --- /dev/null +++ b/proftpd.passwd @@ -0,0 +1 @@ +ftp:$1$Qirpijna$Z9ocX/jIH/kpBppMFyI451:49:49::/srv/ftp:/bin/false diff --git a/proftpd.service b/proftpd.service new file mode 100644 index 0000000..64bf1ac --- /dev/null +++ b/proftpd.service @@ -0,0 +1,22 @@ +[Unit] +Description=ProFTPd FTP server +After=systemd-user-sessions.service network.target nss-lookup.target local-fs.target remote-fs.target + +[Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions +ExecStart=/usr/sbin/proftpd --nodaemon +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/proftpd.spec b/proftpd.spec new file mode 100644 index 0000000..2bb6052 --- /dev/null +++ b/proftpd.spec @@ -0,0 +1,381 @@ +# +# spec file for package proftpd +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define with_redis 1 +%define with_sodium 1 + +%if 0%{?suse_version} == 1315 || 0%{?suse_version} == 1500 +%define with_redis 0 +%endif + +%if 0%{?suse_version} == 1315 +%define with_sodium 0 +%endif + +Name: proftpd +Summary: Configurable GPL-licensed FTP server software +# Please save your time and do not update to "rc" versions. +# We only accept updates for "STABLE" Versions +License: GPL-2.0-or-later +Group: Productivity/Networking/Ftp/Servers +Version: 1.3.8c +Release: 0 +URL: http://www.proftpd.org/ +Source0: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz +Source1: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz.asc +Source11: %{name}.init +Source12: %{name}.passwd +Source13: %{name}.service +Source14: %{name}.tmpfile +Source15: %{name}.keyring +Source16: %{name}-tls.template +Source17: %{name}-limit.template +Source18: %{name}-ssl.README +#PATCH-FIX-openSUSE: pam, logrotate, xinet +Patch100: %{name}-dist.patch +#PATCH-FIX-openSUSE: provide a useful default config +Patch101: %{name}-basic.conf.patch +#PATCH-FIX: provide more info on usage ;) +Patch102: %{name}-ftpasswd.patch +#PATCH-FIX: fix strip +Patch103: %{name}-strip.patch +#PATCH-FIX-openSUSE: file-contains-date-and-time +Patch104: %{name}-no_BuildDate.patch +#RPMLINT-FIX-openSUSE: env-script-interpreter +Patch105: %{name}_env-script-interpreter.patch +#openSUSE:Security_Features#Systemd_hardening_effort +Patch106: harden_proftpd.service.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-build +#BuildRequires: gpg-offline +BuildRequires: cyrus-sasl-devel +BuildRequires: fdupes +BuildRequires: gcc-c++ +%if 0%{?with_redis} +BuildRequires: hiredis-devel +%endif +BuildRequires: krb5-devel +BuildRequires: libacl-devel +BuildRequires: libattr-devel +BuildRequires: libmemcached-devel +#BuildRequires: libGeoIP-devel +BuildRequires: libmysqld-devel +%if 0%{?with_sodium} +BuildRequires: libsodium-devel +%endif +BuildRequires: ncurses-devel +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: pcre-devel +BuildRequires: pkg-config +BuildRequires: postgresql-devel +BuildRequires: sqlite3-devel +BuildRequires: unixODBC-devel +BuildRequires: pkgconfig(libssl) +Requires: logrotate +%if 0%{?lang_package:1} > 0 +Recommends: %{name}-lang +%endif + +%if 0%{?suse_version} >= 1210 +BuildRequires: systemd-rpm-macros +%{?systemd_ordering} +%define has_systemd 1 +%else +Requires(pre): %insserv_prereq +%endif +%if 0%{?suse_version} >= 1330 +Requires(pre): group(ftp) +Requires(pre): user(ftp) +%endif + +%description +ProFTPD is a configurable FTP daemon for Unix and Unix-like +operating systems. + +%{?lang_package} + +%package devel +Summary: Development files for ProFTPD +Group: Development/Libraries/C and C++ +Requires: %{name} = %{version} + +%description devel +This package contains Development files for ProFTPD + +%package ldap +Summary: LDAP Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description ldap +This is the LDAP Module for ProFTPD + +%package mysql +Summary: MySQL Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description mysql +This is the MySQL Module for ProFTPD + +%package pgsql +Summary: PostgreSQL Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description pgsql +This is the PostgreSQL Module for ProFTPD + +%package radius +Summary: Radius Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description radius +This is the Radius Module for ProFTPD + +%package sqlite +Summary: SQLite Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description sqlite +This is the SQLite Module for ProFTPD + +%package doc +Summary: Documentation for ProFTPD +Group: Documentation/HTML +Requires: %{name} = %{version} + +%description doc +Here are Documentation for ProFTPD + +%prep +%autosetup -p0 + +rm README.AIX README.cygwin README.FreeBSD README.Solaris2.5x README.Unixware + +%build +rm contrib/mod_wrap.c +rm contrib/mod_geoip.c +PROFTPD_SHARED_MODS="$(for spec_mod in $(find contrib -name mod_\*.c|sort); do echo "$(basename ${spec_mod%%.c})"; done | tr '\n' ':' | sed -e 's|:$||')" +export CFLAGS="%{optflags} -D_GNU_SOURCE -DLDAP_DEPRECATED" +export CXXFLAGS="$CFLAGS" +%configure \ + --bindir=%{_sbindir} \ + --libexecdir=%{_libdir}/%{name} \ + --sysconfdir=%{_sysconfdir}/%{name} \ +%if 0%{?has_systemd} + --localstatedir=/run/%{name} \ +%else + --localstatedir=%{_localstatedir}/run/%{name} \ +%endif + --enable-sendfile \ + --enable-ctrls \ + --enable-dso \ + --enable-facl \ + --enable-ipv6 \ + --enable-memcache \ + --enable-nls \ + --enable-openssl \ + --enable-pcre \ +%if 0%{?with_redis} + --enable-redis \ +%endif + --enable-shadow \ + --with-lastlog \ + --with-includes="%{_includedir}/mysql:%{_includedir}/pgsql" \ + --with-shared="${PROFTPD_SHARED_MODS}" \ + --disable-ident \ + --disable-strip + +# --enable-memcache \ +# --enable-pcre \ +# --enable-redis \ +# --enable-shadow \ +make %{?_smp_mflags} + +%install +%make_install INSTALL_USER=`id -un` INSTALL_GROUP=`id -gn` +%if 0%{?suse_version} > 1500 +mkdir -p %{buildroot}%{_pam_vendordir} +install -D -m 0644 contrib/dist/rpm/ftp.pamd %{buildroot}/%{_pam_vendordir}/%{name} +%else +install -D -m 0644 contrib/dist/rpm/ftp.pamd %{buildroot}/%{_sysconfdir}/pam.d/%{name} +%endif +install -D -m 0644 contrib/dist/rpm/%{name}.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} +# +rm -fv %{buildroot}/%{_libdir}/%{name}/*.{a,la} + +# install ftpasswd +install -D -m 0755 contrib/ftpasswd %{buildroot}/%{_sbindir}/ + +# some needed dirs +install -D -m 0440 %{S:12} %{buildroot}/%{_sysconfdir}/%{name}/auth/passwd +install -D -m 0644 %{S:16} %{buildroot}/%{_sysconfdir}/%{name}/conf.d/tls.template +install -D -m 0644 %{S:18} %{buildroot}/%{_sysconfdir}/%{name}/conf.d/README +install -D -m 0644 %{S:17} %{buildroot}/%{_sysconfdir}/%{name}/includes/limit.template +install -D -m 0644 %{S:18} %{buildroot}/%{_sysconfdir}/%{name}/ssl/README +install -d -m 0750 %{buildroot}/var/log/%{name} + +# systemd vs SysVinit +%if 0%{?has_systemd} +install -D -m 0644 %{S:13} %{buildroot}%{_unitdir}/%{name}.service +ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rc%{name} +# systemd need to create a tmp dir: /run/proftpd +install -D -m 0644 %{S:14} %{buildroot}%{_tmpfilesdir}/%{name}.conf +%else #SysVinit +install -D -m 0755 %{S:11} %{buildroot}/%{_sysconfdir}/init.d/%{name} +ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}/%{_sbindir}/rc%{name} +%endif + +%fdupes -s %{buildroot}%{_sysconfdir}/%{name} + +%find_lang %{name} + +%pre +%if 0%{?has_systemd} +%service_add_pre %{name}.service +%endif +%if 0%{?suse_version} > 1500 +# Prepare for migration to /usr/lib; save any old .rpmsave +for i in pam.d/proftpd ; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: +done + +%posttrans +# Migration to /usr/lib, restore just created .rpmsave +for i in pam.d/proftpd ; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: +done +%endif + +%preun +%if 0%{?has_systemd} +%service_del_preun %{name}.service +%else +%stop_on_removal %{name} +%endif + +%post +%if 0%{?has_systemd} +%service_add_post %{name}.service +%tmpfiles_create %{_tmpfilesdir}/%{name}.conf +%else +%{fillup_and_insserv -f proftpd} +install -d %{_localstatedir}/run/%{name} +%endif + +%postun +%if 0%{?has_systemd} +%service_del_postun %{name}.service +%else +%restart_on_update %{name} +%{insserv_cleanup} +%endif + +%if 0%{?lang_package:1} > 0 +%files lang -f %{name}.lang +%if 0%{?sles_version} == 11 +%defattr(-,root,root) +%dir %{_datadir}/locale/bg_BG +%dir %{_datadir}/locale/bg_BG/LC_MESSAGES +%dir %{_datadir}/locale/ja_JP +%dir %{_datadir}/locale/ja_JP/LC_MESSAGES +%dir %{_datadir}/locale/ko_KR +%dir %{_datadir}/locale/ko_KR/LC_MESSAGES +%endif + +%files +%else + +%files -f %{name}.lang +%endif +%defattr(-,root,root) +%license COPYING +%doc CREDITS NEWS README* RELEASE_NOTES +%doc contrib/README.* +%doc sample-configurations/*.conf +%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/ +%dir %attr(0750,ftp,ftp) %{_sysconfdir}/%{name}/auth/ +%config(noreplace) %attr(0440,root,ftp) %{_sysconfdir}/%{name}/auth/passwd +%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d/ +%config %{_sysconfdir}/%{name}/conf.d/tls.template +%config %{_sysconfdir}/%{name}/conf.d/README +%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/includes/ +%config %{_sysconfdir}/%{name}/includes/limit.template +%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.conf +%config %{_sysconfdir}/%{name}/PROFTPD-MIB.txt +%dir %attr(0700,ftp,ftp) %{_sysconfdir}/%{name}/ssl/ +%config %{_sysconfdir}/%{name}/ssl/README +%config(noreplace) %{_sysconfdir}/logrotate.d/%{name} +%if 0%{?suse_version} > 1500 +%{_pam_vendordir}/%{name} +%else +%config(noreplace) %{_sysconfdir}/pam.d/%{name} +%endif +%config(noreplace) %{_sysconfdir}/%{name}/blacklist.dat +%config(noreplace) %{_sysconfdir}/%{name}/dhparams.pem +%dir %attr(0750,root,root) %{_localstatedir}/log/%{name} +%{_sbindir}/* +%{_mandir}/man?/* +%dir %attr(0755,root,root) %{_libdir}/%{name}/ +%{_libdir}/%{name}/*.so +%exclude %{_libdir}/%{name}/mod_ldap.so +%exclude %{_libdir}/%{name}/mod_sql_mysql.so +%exclude %{_libdir}/%{name}/mod_sql_postgres.so +%exclude %{_libdir}/%{name}/mod_radius.so +%exclude %{_libdir}/%{name}/mod_sql_sqlite.so +%if 0%{?has_systemd} +%{_unitdir}/%{name}.service +%{_tmpfilesdir}/%{name}.conf +%ghost %dir /run/%{name} +%else +%{_sysconfdir}/init.d/%{name} +%endif + +%files devel +%defattr(-,root,root) +%{_includedir}/%{name} +%{_libdir}/pkgconfig/%{name}.pc + +%files ldap +%defattr(-,root,root) +%{_libdir}/%{name}/mod_ldap.so + +%files mysql +%defattr(-,root,root) +%{_libdir}/%{name}/mod_sql_mysql.so + +%files pgsql +%defattr(-,root,root) +%{_libdir}/%{name}/mod_sql_postgres.so + +%files radius +%defattr(-,root,root) +%{_libdir}/%{name}/mod_radius.so + +%files sqlite +%defattr(-,root,root) +%{_libdir}/%{name}/mod_sql_sqlite.so + +%files doc +%defattr(-,root,root) +%doc doc/*.html doc/contrib doc/howto doc/modules + +%changelog diff --git a/proftpd.tmpfile b/proftpd.tmpfile new file mode 100644 index 0000000..6d4dba0 --- /dev/null +++ b/proftpd.tmpfile @@ -0,0 +1,2 @@ +# proFTPD needs a DIR +d /run/proftpd 0755 root root - diff --git a/proftpd_env-script-interpreter.patch b/proftpd_env-script-interpreter.patch new file mode 100644 index 0000000..82d5112 --- /dev/null +++ b/proftpd_env-script-interpreter.patch @@ -0,0 +1,40 @@ +Index: contrib/ftpasswd +=================================================================== +--- contrib/ftpasswd.orig ++++ contrib/ftpasswd +@@ -1,4 +1,4 @@ +-#!/usr/bin/env perl ++#!/usr/bin/perl + # --------------------------------------------------------------------------- + # Copyright (C) 2000-2021 TJ Saunders + # +Index: contrib/ftpmail +=================================================================== +--- contrib/ftpmail.orig ++++ contrib/ftpmail +@@ -1,4 +1,4 @@ +-#!/usr/bin/env perl ++#!/usr/bin/perl + # --------------------------------------------------------------------------- + # Copyright (C) 2008-2017 TJ Saunders + # +Index: contrib/ftpquota +=================================================================== +--- contrib/ftpquota.orig ++++ contrib/ftpquota +@@ -1,4 +1,4 @@ +-#!/usr/bin/env perl ++#!/usr/bin/perl + # ------------------------------------------------------------------------- + # Copyright (C) 2000-2017 TJ Saunders + # +Index: src/prxs.in +=================================================================== +--- src/prxs.in.orig ++++ src/prxs.in +@@ -1,4 +1,4 @@ +-#!/usr/bin/env perl ++#!/usr/bin/perl + + # --------------------------------------------------------------------------- + # Copyright (C) 2008-2020 TJ Saunders