From 2b9228d5c4f2e17ec9fd3b40ddb64ca0d5a9ffe8030596cf46b6b40ba56d2566 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Fri, 10 Jan 2025 13:13:12 +0000 Subject: [PATCH] fix for boo#1233997 (CVE-2024-48651) OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=104 --- .gitattributes | 23 + .gitignore | 1 + harden_proftpd.service.patch | 23 + proftpd-1.3.8b.tar.gz | 3 + proftpd-1.3.8b.tar.gz.asc | 7 + proftpd-1.3.8c.tar.gz | 3 + proftpd-1.3.8c.tar.gz.asc | 6 + proftpd-basic.conf.patch | 275 +++++++++ proftpd-dist.patch | 77 +++ proftpd-ftpasswd.patch | 62 ++ proftpd-limit.template | 6 + proftpd-no_BuildDate.patch | 103 ++++ proftpd-ssl.README | 16 + proftpd-strip.patch | 16 + proftpd-tls.template | 42 ++ proftpd.changes | 839 +++++++++++++++++++++++++++ proftpd.init | 222 +++++++ proftpd.keyring | 33 ++ proftpd.passwd | 1 + proftpd.service | 22 + proftpd.spec | 381 ++++++++++++ proftpd.tmpfile | 2 + proftpd_env-script-interpreter.patch | 40 ++ 23 files changed, 2203 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 harden_proftpd.service.patch create mode 100644 proftpd-1.3.8b.tar.gz create mode 100644 proftpd-1.3.8b.tar.gz.asc create mode 100644 proftpd-1.3.8c.tar.gz create mode 100644 proftpd-1.3.8c.tar.gz.asc create mode 100644 proftpd-basic.conf.patch create mode 100644 proftpd-dist.patch create mode 100644 proftpd-ftpasswd.patch create mode 100644 proftpd-limit.template create mode 100644 proftpd-no_BuildDate.patch create mode 100644 proftpd-ssl.README create mode 100644 proftpd-strip.patch create mode 100644 proftpd-tls.template create mode 100644 proftpd.changes create mode 100644 proftpd.init create mode 100644 proftpd.keyring create mode 100644 proftpd.passwd create mode 100644 proftpd.service create mode 100644 proftpd.spec create mode 100644 proftpd.tmpfile create mode 100644 proftpd_env-script-interpreter.patch 
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/harden_proftpd.service.patch b/harden_proftpd.service.patch
new file mode 100644
index 0000000..b9f018a
--- /dev/null
+++ b/harden_proftpd.service.patch
@@ -0,0 +1,23 @@
+Index: contrib/dist/rpm/proftpd.service
+===================================================================
+--- contrib/dist/rpm/proftpd.service.orig
++++ contrib/dist/rpm/proftpd.service
+@@ -4,6 +4,18 @@ Wants=network-online.target
+ After=network-online.target nss-lookup.target local-fs.target remote-fs.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type = simple
+ Environment = PROFTPD_OPTIONS=
+ EnvironmentFile = -/etc/sysconfig/proftpd
diff --git a/proftpd-1.3.8b.tar.gz b/proftpd-1.3.8b.tar.gz
new file mode 100644
index 0000000..01afd3f
--- /dev/null
+++ b/proftpd-1.3.8b.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:183ab7c6107de271a2959ff268f55c9b6c76b2cf0029e6584fccc019686601e0
+size 19752808
diff --git a/proftpd-1.3.8b.tar.gz.asc b/proftpd-1.3.8b.tar.gz.asc
new file mode 100644
index 0000000..baa3083
--- /dev/null
+++ b/proftpd-1.3.8b.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iEYEABECAAYFAmWCcGMACgkQt46JP6URl2rOOACgqd6poiniUeOej3gVoE4ZHA1Z
+PKgAoKgsyi9zqoilnOtZJKfzWw4BJ546
+=GIJC
+-----END PGP SIGNATURE-----
diff --git a/proftpd-1.3.8c.tar.gz b/proftpd-1.3.8c.tar.gz
new file mode 100644
index 0000000..147e125
--- /dev/null
+++ b/proftpd-1.3.8c.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a48f2ca338456e750d2373bf671025ed799e04e0baa16c7bb8dbfd67d8734d2
+size 19751847
diff --git a/proftpd-1.3.8c.tar.gz.asc b/proftpd-1.3.8c.tar.gz.asc
new file mode 100644
index 0000000..eb81939
--- /dev/null
+++ b/proftpd-1.3.8c.tar.gz.asc
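Review bot: The block added under `[Service]` is marked "added automatically", and nothing in it records which sandboxing options were left out on purpose for an FTP daemon. A comment after `# end of automatic additions`, for example `# ProtectHome= and PrivateTmp= are not set here; confirm against FTP home-directory access before enabling`, would stop a later hardening pass from switching on an option that breaks logins, if that is indeed why they are absent. `ProtectSystem=full` makes /etc read-only for the service while /var stays writable, which the log paths under /var/log/proftpd in the packaged basic.conf depend on. The unit file continues outside this hunk.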
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRpfmhNFmjWloQoQFy3jok/pRGXagUCZ1nafgAKCRC3jok/pRGX
+arsZAKDP6Vk4oWO9BB0TbMnNNe1TRZwjOwCdH+pBD7f0WDsf6cO4D9oF6iqNgvY=
+=YGOJ
+-----END PGP SIGNATURE-----
diff --git a/proftpd-basic.conf.patch b/proftpd-basic.conf.patch
new file mode 100644
index 0000000..78280d5
--- /dev/null
+++ b/proftpd-basic.conf.patch
@@ -0,0 +1,275 @@ +Index: sample-configurations/basic.conf +=================================================================== +--- sample-configurations/basic.conf.orig ++++ sample-configurations/basic.conf +@@ -3,19 +3,29 @@ + # and a single anonymous login. It assumes that you have a user/group + # "nobody" and "ftp" for normal operation and anon. + +-ServerName "ProFTPD Default Installation" +-ServerType standalone +-DefaultServer on ++ServerName "ProFTPD" ++ServerType standalone ++DefaultServer on + + # Port 21 is the standard FTP port. +-Port 21 ++Port 21 ++ ++# FireWall PortRange for PASV ++PassivePorts 40000 40999 ++ ++# Set DebugLevel to values between 0 and 9 ++# default is 0 ++DebugLevel 0 ++ ++# SystemLog -- Redirect syslogging to a file ++SystemLog /var/log/proftpd/proftpd.log + + # Don't use IPv6 support by default. +-UseIPv6 off ++UseIPv6 off + + # Umask 022 is a good standard umask to prevent new dirs and files + # from being group and world writable. +-Umask 022 ++Umask 022 + + # To prevent DoS attacks, set the maximum number of child processes + # to 30. If you need to allow more than 30 concurrent connections +@@ -23,43 +33,207 @@ Umask 022 + # in standalone mode, in inetd mode you should use an inetd server + # that allows you to limit maximum number of processes per service + # (such as xinetd). +-MaxInstances 30 ++MaxInstances 30 + + # Set the user and group under which the server will run. +-User nobody +-Group nogroup +- +-# To cause every FTP user to be "jailed" (chrooted) into their home +-# directory, uncomment this line. +-#DefaultRoot ~ ++User ftp ++Group ftp + +-# Normally, we want files to be overwriteable. 
+-AllowOverwrite on ++# Some logging formats ++LogFormat default "%h %l %u %t \"%r\" %s %b" ++LogFormat auth "%v [%P] %h %t \"%r\" %s" ++LogFormat write "%h %l %u %t \"%r\" %s %b" ++ ++# ------------------------------ ++# Global Settings ++# ------------------------------ ++ ++ ++ # ------------------------------ ++ # Login ++ # ------------------------------ ++ ++ ServerIdent on "FTP server ready" ++ DeferWelcome on ++ #DisplayConnect /etc/proftpd/msg ++ ++ ++ IdentLookups off ++ ++ UseFtpUsers off ++ RequireValidShell off ++ ++ TimeoutLogin 60 ++ MaxLoginAttempts 3 ++ #MaxClientsPerHost none ++ #MaxClientsPerUser 1 "Only one connection at a time." ++ ++ # ------------------------------ ++ # Authentication ++ # ------------------------------ ++ ++ ### PAM Authentication ++ # AuthPAM: default: on ++ AuthPAM off ++ ++ # changed AuthPAMConfig file ++ AuthPAMConfig proftpd ++ ### PAM Authentication ++ ++ AuthUserFile /etc/proftpd/auth/passwd ++ AuthGroupFile /etc/group ++ ++ ### order of auth modules ++ #AuthOrder mod_auth_unix.c mod_auth_file.c ++ AuthOrder mod_auth_file.c ++ ++ # ------------------------------ ++ # Post-Login ++ # ------------------------------ ++ ++ DisplayLogin welcome.msg ++ DisplayChdir .message ++ AllowOverride off ++ ++ TimeoutIdle 600 ++ TimeoutNoTransfer 900 ++ TimeoutStalled 300 ++ TimeoutSession 3600 ++ ++ # ------------------------------ ++ # Session ++ # ------------------------------ ++ ++ # To cause every FTP user to be "jailed" (chrooted) into their home ++ # directory, uncomment this line. 
++ DefaultRoot ~ web,!users ++ ++ DenyFilter \*.*/ ++ ListOptions "-A +R" strict ++ UseGlobbing off ++ ++ ShowSymlinks on ++ TimesGMT on ++ ++ # ------------------------------ ++ # Up- & Download ++ # ------------------------------ ++ ++ # having to delete before uploading is a pain ;) ++ AllowOverwrite on ++ AllowRetrieveRestart on ++ HiddenStores on ++ DeleteAbortedStores on ++ #AllowStoreRestart off # is contrary to "DeleteAbortedStores" ++ ++ # ------------------------------ ++ # Logging ++ # ------------------------------ ++ ++ WtmpLog off ++ TransferLog /var/log/proftpd/xferlog ++ ++ # Record all logins ++ ExtendedLog /var/log/proftpd/auth.log AUTH auth ++ ++ # Logging file/dir access ++ ExtendedLog /var/log/proftpd/access.log WRITE,READ write ++ ++ # Paranoia logging level.... ++ ExtendedLog /var/log/proftpd/paranoid.log ALL default ++ ++ # SQLLogFile ++ #SQLLogFile /var/log/proftpd/SQL.log ++ + + # Bar use of SITE CHMOD by default + + DenyAll + + ++##### ++# Include other confs, e.g. tls.conf ++#Include /etc/proftpd/conf.d/*.conf ++ ++##### ++ ++# ------------------------------ ++# Anonymous Settings ++# ------------------------------ + # A basic anonymous configuration, no upload directories. If you do not + # want anonymous users, simply delete this entire section. + +- User ftp +- Group ftp +- +- # We want clients to be able to login with "anonymous" as well as "ftp" +- UserAlias anonymous ftp +- +- # Limit the maximum number of anonymous logins +- MaxClients 10 +- +- # We want 'welcome.msg' displayed at login, and '.message' displayed +- # in each newly chdired directory. 
+- DisplayLogin welcome.msg +- DisplayChdir .message +- +- # Limit WRITE everywhere in the anonymous chroot +- +- DenyAll +- ++ # Limit LOGIN ++ # ++ # Order Allow,Deny ++ # Allow from .examples.net,113.141.114.1 ++ # Deny from All ++ # ++ ++ ## or 'Include' a limit file with rules ++ ## include one file and use more than once ;) ++ # ++ # Order Allow,Deny ++ # Include /etc/proftpd/includes/limit.conf ++ # Deny from All ++ # ++ ++ # Limit WRITE everywhere in the anonymous chroot ++ ++ DenyAll ++ ++ ++ # DirFakeMode -- Hide real file/directory permissions ++ DirFakeMode 0640 ++ ++ # DirFakeUser -- Hide real file/directory owner ++ DirFakeUser On ++ ++ # DirFakeGroup -- Hide real file/directory group ++ DirFakeGroup On ++ ++ # We want clients to be able to login with "anonymous" as well as "ftp" ++ UserAlias anonymous ftp ++ ++ # Limit the maximum number of anonymous logins ++ MaxClients 10 ++ #MaxRetrieveFileSize 512 Mb ++ ++ # Limit Up/Downloads to 255 K/sec ++ #TransferRate APPE,RETR,STOR,STOU 255 ++ ++ # We want 'welcome.msg' displayed at login, and '.message' displayed ++ # in each newly chdired directory. ++ DisplayLogin welcome.msg ++ DisplayChdir .message ++ ++ # ++ # ++ # Order Allow,Deny ++ # Allow from .examples.net,113.141.114.1 ++ # Deny from All ++ # ++ # ++ ++ ## or 'Include' a limit file with rules ++ ## include one file and use more than once ;) ++ # ++ # ++ # Order Allow,Deny ++ # Include /etc/proftpd/includes/limit.conf ++ # Deny from All ++ # ++ # ++ ++ # An upload directory that allows storing files but not retrieving ++ # or creating directories. ++ # ++ # ++ # DenyAll ++ # ++ # ++ # AllowAll ++ # ++ # + ++ diff --git a/proftpd-dist.patch b/proftpd-dist.patch new file mode 100644 index 0000000..46122f3 --- /dev/null +++ b/proftpd-dist.patch 
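Review bot: The comment above `DefaultRoot ~ web,!users` still says it jails every FTP user, but the group expression restricts the chroot to members of `web` who are not in `users`, so every other account is left un-chrooted and is confined only by filesystem permissions. Either use `DefaultRoot ~` or reword the comment to `# Jail (chroot) members of group "web" that are not in group "users"; all other users are NOT chrooted.` The same section sets `RequireValidShell off` and `AuthPAM off` with `AuthOrder mod_auth_file.c`, so login control rests on the AuthUserFile alone, which deserves a one-line comment next to `AuthUserFile`. The container tag lines of this sample config are not visible on this page, so the scope of these directives is inferred from the section comments.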
@@ -0,0 +1,77 @@ +Index: contrib/dist/rpm/ftp.pamd +=================================================================== +--- contrib/dist/rpm/ftp.pamd.orig ++++ contrib/dist/rpm/ftp.pamd +@@ -1,6 +1,7 @@ + #%PAM-1.0 ++ + auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +-auth required pam_unix.so shadow nullok ++#auth required pam_unix.so shadow nullok + + # If this is enabled, anonymous logins will fail because the 'ftp' user does + # not have a "valid" shell, as listed in /etc/shells. +@@ -11,5 +12,9 @@ auth required pam_unix.so shadow n + # + #auth required pam_shells.so + +-account required pam_unix.so +-session required pam_unix.so ++auth required pam_unix2.so ++auth required pam_shells.so ++account required pam_unix2.so ++password required pam_unix2.so ++session required pam_unix2.so ++session optional pam_keyinit.so revoke +Index: contrib/dist/rpm/proftpd.logrotate +=================================================================== +--- contrib/dist/rpm/proftpd.logrotate.orig ++++ contrib/dist/rpm/proftpd.logrotate +@@ -1,10 +1,15 @@ +-/var/log/proftpd/*.log /var/log/xferlog { ++/var/log/proftpd/xferlog /var/log/proftpd/*.log { + compress +- missingok ++ dateext ++ maxage 365 ++ rotate 99 ++ size=+4096k + notifempty ++ missingok ++ create 640 root root + sharedscripts + postrotate +- test -f /var/lock/subsys/proftpd && /usr/bin/killall -HUP proftpd || : ++ /usr/sbin/rcproftpd reload + endscript + } + +Index: contrib/dist/rpm/xinetd +=================================================================== +--- contrib/dist/rpm/xinetd.orig ++++ contrib/dist/rpm/xinetd +@@ -2,13 +2,15 @@ + # description: The ProFTPD FTP server + service ftp + { +- flags = REUSE +- socket_type = stream +- wait = no +- user = root +- server = /usr/sbin/in.proftpd +- log_on_success += DURATION +- log_on_failure += USERID +- nice = 10 +- disable = yes ++ socket_type = stream ++ protocol = tcp ++ wait = no ++# bind = IP ++ instances = 30 ++ user = root 
++ server = /usr/sbin/in.proftpd ++ log_on_success += PID HOST USERID EXIT DURATION ++ log_on_failure += HOST USERID ATTEMPT ++# nice = 10 ++ disable = yes + } diff --git a/proftpd-ftpasswd.patch b/proftpd-ftpasswd.patch new file mode 100644 index 0000000..9303550 --- /dev/null +++ b/proftpd-ftpasswd.patch 
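Review bot: In the ftp.pamd part of this patch the new stack adds `auth required pam_shells.so` directly below the retained comment saying that enabling it makes anonymous logins fail because the `ftp` user has no shell listed in /etc/shells. If the new behaviour is intended, the stale comment and the commented-out `#auth required pam_shells.so` line should be removed or reworded; if anonymous access through PAM must keep working, the new line should not be `required`. The effect only appears once PAM is enabled, since the packaged basic.conf sets `AuthPAM off`. The unchanged `pam_listfile.so ... onerr=succeed` line also means a missing or unreadable /etc/ftpusers passes silently, which is worth a comment in the file.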
@@ -0,0 +1,62 @@
+Index: contrib/ftpasswd
+===================================================================
+--- contrib/ftpasswd.orig
++++ contrib/ftpasswd
+@@ -32,8 +32,8 @@ use Getopt::Long;
+ $Getopt::Long::auto_abbrev = 0;
+ 
+ my $program = basename($0);
+-my $default_passwd_file = "./ftpd.passwd";
+-my $default_group_file = "./ftpd.group";
++my $default_passwd_file = "/etc/proftpd/auth/passwd";
++my $default_group_file = "/etc/proftpd/auth/group";
+ my $shell_file = "/etc/shells";
+ my $default_cracklib_dict = "/usr/lib/cracklib_dict";
+ my $cracklib_dict;
+@@ -1218,6 +1218,46 @@ usage: $program [--help] [--hash|--group
+ --version
+ Displays the version of $program.
+ 
++Creating Files
++
++The ftpasswd program can create and update files for both AuthUserFile and
++ AuthGroupFile. When it is used for the first time, the program will create
++ the necessary file. If that file already exists, ftpasswd will update it
++ with the new information.
++
++ftpasswd must first know what type of file to create. Use either the
++ --passwd option (for handling AuthUserFiles), or the --group option
++ (for handling AuthGroupFiles); this is required.
++
++When creating an AuthUserFile, the following options are also
++ required: --name, --uid, --home, and --shell.
++ This information is required by proftpd to authenticate a user. The optional
++ parameters for an AuthUserFile include --gid
++ (defaults to the given --uid argument when not provided)
++ and --gecos (not used by proftpd at all). For example:
++
++ ftpasswd --passwd --name=bob --uid=1001 --home=/home/bob --shell=/bin/false
++
++creates an account for user bob.
++
++To create a file with a name or location other than the default
++ (which, for --passwd mode is /etc/proftpd/auth/passwd), use the --file option.
++
++For example, to create the alternate password file in /usr/local/etc/ftpd/passwd:
++
++ ftpasswd --passwd --file=/usr/local/etc/ftpd/passwd --name=bob --uid=1001 \
++ --home=/home/bob --shell=/bin/false
++
++For AuthGroupFiles, use --group:
++
++ ftpasswd --group --name=group-name --gid=group-id --member=user-member1 \
++ --member=user-member2 ... --member=user-memberN
++
++The most common change to these files is made to AuthUserFiles, to change
++ a user's password. The --change-password option was provided just for this scenario:
++
++ ftpasswd --passwd --name=user --change-password
++
+ END_OF_USAGE
+ 
+ exit 0;
diff --git a/proftpd-limit.template b/proftpd-limit.template
new file mode 100644
index 0000000..a9c283c
--- /dev/null
+++ b/proftpd-limit.template
@@ -0,0 +1,6 @@
+### when you use spaces as separator then you can use it also with apache ;)
+### just some examples
+ Allow from localhost 127.0.0.1 ::1
+ Allow from 1.2.3.4 5.6.7.8
+ Allow from .example.com .test.org
+ Allow from 2.3.4.5 11:22:33:44::/64
diff --git a/proftpd-no_BuildDate.patch b/proftpd-no_BuildDate.patch
new file mode 100644
index 0000000..1633bd9
--- /dev/null
+++ b/proftpd-no_BuildDate.patch
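Review bot: The new default `my $default_group_file = "/etc/proftpd/auth/group";` does not match the basic.conf packaged in this same commit, which sets `AuthGroupFile /etc/group`, so `ftpasswd --group` without `--file` writes a file the server never reads. The added usage text names only the `--passwd` default; extend it to `(which, for --passwd mode is /etc/proftpd/auth/passwd and for --group mode is /etc/proftpd/auth/group)` or align the configuration. Because the password file now sits at a fixed system path and holds password hashes, the usage text should also state the expected owner and that the file must not be world-readable. The script's own file-mode handling lies outside these hunks, so whether it already enforces that cannot be seen here.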
@@ -0,0 +1,103 @@ +--- + Makefile.in | 14 ++++++-------- + contrib/mod_snmp/db.c | 2 +- + include/version.h | 2 -- + src/main.c | 6 ++---- + 4 files changed, 9 insertions(+), 15 deletions(-) + +Index: contrib/mod_snmp/db.c +=================================================================== +--- contrib/mod_snmp/db.c.orig ++++ contrib/mod_snmp/db.c +@@ -1122,7 +1122,7 @@ int snmp_db_get_value(pool *p, unsigned + return 0; + + case SNMP_DB_DAEMON_F_VERSION: +- *str_value = "ProFTPD Version " PROFTPD_VERSION_TEXT " (built at " BUILD_STAMP ")"; ++ *str_value = "ProFTPD Version " PROFTPD_VERSION_TEXT; + *str_valuelen = strlen(*str_value); + + pr_trace_msg(trace_channel, 19, +Index: src/main.c +=================================================================== +--- src/main.c.orig ++++ src/main.c +@@ -1989,8 +1989,8 @@ static void standalone_main(void) { + exit(1); + } + +- pr_log_pri(PR_LOG_NOTICE, "ProFTPD %s (built %s) standalone mode STARTUP", +- PROFTPD_VERSION_TEXT " " PR_STATUS, BUILD_STAMP); ++ pr_log_pri(PR_LOG_NOTICE, "ProFTPD %s standalone mode STARTUP", ++ PROFTPD_VERSION_TEXT " " PR_STATUS); + + daemon_loop(); + } +@@ -2145,7 +2145,6 @@ static void show_settings(void) { + + show_os_release(); + +- printf("%s", " Built: " BUILD_STAMP "\n"); + printf("%s", " Built With:\n configure " PR_BUILD_OPTS "\n\n"); + + printf("%s", " CFLAGS: " PR_BUILD_CFLAGS "\n"); +@@ -2742,7 +2741,6 @@ int main(int argc, char *argv[], char ** + if (show_version >= 2) { + printf("ProFTPD Version: %s", PROFTPD_VERSION_TEXT " " PR_STATUS "\n"); + printf(" Scoreboard Version: %08x\n", PR_SCOREBOARD_VERSION); +- printf(" Built: %s\n\n", BUILD_STAMP); + + modules_list2(NULL, PR_MODULES_LIST_FL_SHOW_VERSION); + +Index: Makefile.in +=================================================================== +--- Makefile.in.orig ++++ Makefile.in +@@ -47,17 +47,17 @@ include/buildstamp.h: + + dummy: + +-lib: include/buildstamp.h dummy ++lib: dummy + cd lib/ && $(MAKE) lib + +-src: 
include/buildstamp.h dummy ++src: dummy + cd src/ && $(MAKE) src + +-modules: include/buildstamp.h dummy ++modules: dummy + cd modules/ && $(MAKE) static + test -z "$(SHARED_MODULE_OBJS)" -a -z "$(SHARED_MODULE_DIRS)" || (cd modules/ && $(MAKE) shared) + +-utils: include/buildstamp.h dummy ++utils: dummy + cd utils/ && $(MAKE) utils + + clang-tidy: +@@ -66,10 +66,10 @@ clang-tidy: + -cd modules/ && $(MAKE) clang-tidy + # cd utils/ && $(MAKE) clang-tidy + +-locale: include/buildstamp.h dummy ++locale: dummy + test -z "$(ENABLE_NLS)" || (cd locale/ && $(MAKE) locale) + +-dirs: include/buildstamp.h dummy ++dirs: dummy + @dirs="$(DIRS)"; \ + for dir in $$dirs; do \ + if [ -d "$$dir" ]; then cd $$dir/ && $(MAKE); fi; \ +Index: include/version.h +=================================================================== +--- include/version.h.orig ++++ include/version.h +@@ -25,8 +25,6 @@ + #ifndef PR_VERSION_H + #define PR_VERSION_H + +-#include "buildstamp.h" +- + /* Application version (in various forms) */ + #define PROFTPD_VERSION_NUMBER 0x0001030808 + #define PROFTPD_VERSION_TEXT "1.3.8c" diff --git a/proftpd-ssl.README b/proftpd-ssl.README new file mode 100644 index 0000000..b83c7a8 --- /dev/null +++ b/proftpd-ssl.README @@ -0,0 +1,16 @@ +Place your CA.crt, crt and key file here and create sysmlinks like following ... + +ssl +├── proftpd.cacert.pem -> CA.crt +├── proftpd.cert.pem -> wildcard.example.com.crt +├── proftpd.key.pem -> wildcard.example.com.pem +├── CA.crt +├── wildcard.example.com.crt +└── wildcard.example.com.pem + +then: +copy conf.d/tls.template to conf.d/tls.conf + +finally: +uncomment '#Include /etc/proftpd/conf.d/*.conf' in proftp.conf + diff --git a/proftpd-strip.patch b/proftpd-strip.patch new file mode 100644 index 0000000..fecda7e --- /dev/null +++ b/proftpd-strip.patch 
@@ -0,0 +1,16 @@
+Index: ltmain.sh
+===================================================================
+--- ltmain.sh.orig
++++ ltmain.sh
+@@ -2056,7 +2056,10 @@ func_mode_install ()
+ ;;
+ esac
+ if test -n "$tstripme" && test -n "$striplib"; then
+- func_show_eval "$striplib $destdir/$realname" 'exit $?'
++ #func_show_eval "$striplib $destdir/$realname" 'exit $?'
++ echo "strip patch"
++ func_quote_for_expand "$striplib $destdir/$realname"
++ func_echo $func_quote_for_expand_result
+ fi
+ 
+ if test "$#" -gt 0; then
diff --git a/proftpd-tls.template b/proftpd-tls.template
new file mode 100644
index 0000000..3127027
--- /dev/null
+++ b/proftpd-tls.template
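Review bot: The replacement for the `func_show_eval` call leaves a debugging line, `echo "strip patch"`, that prints on every library install, and keeps the old call as commented-out code with no explanation of why stripping is skipped. Replace both with one comment stating the reason (presumably so the build system can extract debuginfo from unstripped libraries, to be confirmed by the packager). `func_echo $func_quote_for_expand_result` expands unquoted, so a path containing whitespace or glob characters is split before it is logged; `func_echo "$func_quote_for_expand_result"` avoids that. `func_mode_install` continues outside this hunk.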
@@ -0,0 +1,42 @@
+###############################################################################
+# http://www.proftpd.org/docs/contrib/mod_tls.html
+###############################################################################
+
+ # If mod_tls was built as a shared/DSO module, load it
+ LoadModule mod_tls.c
+
+
+
+ TLSEngine on
+ TLSLog /var/log/proftpd/tls.log
+
+ # Support both SSLv3 and TLSv1, but they should not be used
+ # (known to be weak)
+ TLSProtocol TLSv1.1 TLSv1.2
+
+ # Are clients required to use FTP over TLS when talking to this server?
+ TLSRequired off
+
+ # Server's RSA certificate
+ TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
+ TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
+
+ # CA (or CA chain) to verify client certs
+ #TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem
+
+ # CA (or CA chain) to verify certification path of server cert
+ TLSCertificateChainFile /etc/proftpd/ssl/proftpd.cacert.pem
+
+ # Authenticate clients that want to use FTP over TLS?
+ TLSVerifyClient off
+
+ # Allow SSL/TLS renegotiations when the client requests them, but
+ # do not force the renegotations. Some clients do not support
+ # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+ # clients will close the data connection, or there will be a timeout
+ # on an idle data connection.
+ TLSRenegotiate none
+
+ # Should Server request a Clients Certificate and send valid CA list ?
+ TLSOptions NoSessionReuseRequired
+
diff --git a/proftpd.changes b/proftpd.changes
new file mode 100644
index 0000000..c8c0cc1
--- /dev/null
+++ b/proftpd.changes
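Review bot: `TLSProtocol TLSv1.1 TLSv1.2` still enables TLS 1.1, which RFC 8996 deprecates, and the comment above it ("Support both SSLv3 and TLSv1, but they should not be used") does not describe the line. `TLSProtocol TLSv1.2 TLSv1.3` with the comment `# Allow only TLSv1.2 and TLSv1.3; older protocol versions are known to be weak` would match the stated intent. `TLSRequired off` lets a client send USER/PASS in cleartext even after TLS is configured, so the template should set `TLSRequired on` or say in its comment why cleartext logins remain allowed. `TLSOptions NoSessionReuseRequired` disables the check that a data connection reuses the control connection's TLS session, yet its comment talks about client certificates. That comment should state the real trade-off: compatibility with clients that cannot reuse sessions, against protection from data-connection hijacking.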
@@ -0,0 +1,839 @@ +------------------------------------------------------------------- +Thu Jan 9 17:25:19 UTC 2025 - chris@computersalat.de + +- 1.3.8c - Released 11-Dec-2024 + fix for boo#1233997 (CVE-2024-48651) + * http://proftpd.org/docs/NEWS-1.3.8c + gh#1830 - Supplemental group inheritance grants unintended access to GID 0 + due to lack of supplemental groups from mod_sql + https://github.com/proftpd/proftpd/issues/1830 +- rebase patch + * proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Thu Feb 29 14:45:47 UTC 2024 - Dominique Leuenberger + +- Use %autosetup macro. Allows to eliminate the usage of deprecated + %patchN. + +------------------------------------------------------------------- +Wed Jan 3 14:44:02 UTC 2024 - chris@computersalat.de + +- Update changes file + * add missing boo#1218144 (CVE-2023-48795) info + * add missing CVE-2023-51713 info + +------------------------------------------------------------------- +Wed Dec 27 21:52:11 UTC 2023 - chris@computersalat.de + +- 1.3.8b - Released 19-Dec-2023 + fix for boo#1218144 (CVE-2023-48795) + * http://proftpd.org/docs/NEWS-1.3.8b + * Implemented mitigations for "Terrapin" SSH attack (CVE-2023-48795). +- rebase patch + * proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Thu Nov 2 16:24:34 UTC 2023 - chris@computersalat.de + +- 1.3.8a - Released 08-Oct-2023 + fix for boo#1218344 (CVE-2023-51713): + gh#1683 - Out-of-bounds buffer read when handling FTP commands. + https://github.com/proftpd/proftpd/issues/1683 + * http://proftpd.org/docs/NEWS-1.3.8a + * Fixed builds when using OpenSSL 3.x + +------------------------------------------------------------------- +Wed Jan 25 21:05:11 UTC 2023 - chris@computersalat.de + +- 1.3.7f - Released 04-Dec-2022 + * Issue 1533 - mod_tls module unexpectedly allows TLS handshake after + authentication in some configurations. 
+ * Bug 4491 - unable to verify signed data: signature type 'rsa-sha2-512' does + not match publickey algorithm 'ssh-rsa'. + +------------------------------------------------------------------- +Mon Jan 16 10:43:46 UTC 2023 - Stefan Schubert + +- Migration of PAM settings to /usr/lib/pam.d. + +------------------------------------------------------------------- +Thu Sep 1 19:28:50 UTC 2022 - chris@computersalat.de + +- Update proftpd-basic.conf.patch + * remove obsolete config option, LoginPasswordPrompt +- rework proftpd-dist.patch + +------------------------------------------------------------------- +Tue Aug 9 16:37:52 UTC 2022 - chris@computersalat.de + +- 1.3.7e - Released 23-Jul-2022 + * Issue 1448 - Ensure that mod_sftp algorithms work properly with OpenSSL 3.x. +- 1.3.7d - Released 23-Apr-2022 + * Issue 1321 - Crash with long lines in AuthGroupFile due to large realloc(3). + * Issue 1325 - NLST does not behave consistently for relative paths. + * Issue 1346 - Implement AllowForeignAddress class matching for passive data + transfers. + * Bug 4467 - DeleteAbortedStores removes successfully transferred files + unexpectedly. + * Issue 1401 - Keepalive socket options should be set using IPPROTO_TCP, not + SOL_SOCKET. + * Issue 1402 - TCP keepalive SocketOptions should apply to control as well as + data connection. + * Issue 1396 - ProFTPD always uses the same PassivePorts port for first + transfer. + * Issue 1369 - Name-based virtual hosts not working as expected after upgrade + from 1.3.7a to 1.3.7b. 
+- rebase proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Sun Mar 27 13:17:21 UTC 2022 - chris@computersalat.de + +- fix deps for SLES + +------------------------------------------------------------------- +Sat Mar 26 16:41:02 UTC 2022 - chris@computersalat.de + +- remove configure --disable-static + +------------------------------------------------------------------- +Tue Mar 1 18:37:02 UTC 2022 - chris@computersalat.de + +- Update to version 1.3.7c: + * http://proftpd.org/docs/NEWS-1.3.7c + * http://proftpd.org/docs/RELEASE_NOTES-1.3.7c +- Update patches + * harden_proftpd.service.patch + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch + * proftpd.spec + * proftpd_env-script-interpreter.patch + +------------------------------------------------------------------- +Wed Oct 20 13:16:36 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_proftpd.service.patch + Modified: + * proftpd.service + +------------------------------------------------------------------- +Thu Nov 19 14:16:47 UTC 2020 - Dominique Leuenberger + +- Update to version 1.3.6e: + + Invalid SCP command leads to null pointer dereference. +- Do not limit to openSSL < 1.1: proftpd has had support for + openSSL 1.1 sice version 1.3.6a. +- Rebase proftpd-no_BuildDate.patch. + +------------------------------------------------------------------- +Fri Jun 5 11:02:29 UTC 2020 - chris@computersalat.de + +- update to 1.3.6d + * Issue 857 - Fixed regression in the handling of `%{env:...}` configuration + variables when the environment variable is not present. + * Issue 940 - Second LIST of the same symlink shows different results. + * Issue 959 - FTPS uploads using TLSv1.3 are likely to fail unexpectedly. + * Issue 980 - mod_sftp sends broken response when CREATETIME attribute is + requested. + * Bug 4398 - Handle zero-length SFTP WRITE requests without error. 
+ * Issue 1018 - PidFile should not be world-writable. + * Issue 1014 - TLSv1.3 handshake fails due to missing session ticket key on + some systems. + * Issue 1023 - Lowercased FTP commands not properly identified. +- rebase proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Mon Feb 24 17:06:07 UTC 2020 - chris@computersalat.de + +- fix for boo#1164572 (CVE-2020-9272, gh#902) +- fix for boo#1164574 (CVE-2020-9273, gh#903) +- update to 1.3.6c + * Fixed regression in directory listing latency (Issue #863). + * Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for + converting them to supported format. + * Fixed use-after-free vulnerability during data transfers (Issue #903). + * Fixed out-of-bounds read in mod_cap by updating the bundled libcap + (Issue #902). +- remove obsolete proftpd-tls-crls-issue859.patch +- rebase patches + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch + * proftpd_env-script-interpreter.patch + +------------------------------------------------------------------- +Sat Feb 1 17:25:05 UTC 2020 - chris@computersalat.de + +- cleanup tls.template + * remove deprecated NoCertRequest from TLSOptions + +------------------------------------------------------------------- +Sat Dec 28 20:45:30 UTC 2019 - chris@computersalat.de + +- fix changes file + * add missing info about boo#1155834 + * add missing info about boo#1154600 +- fix for boo#1156210 + * GeoIP has been discontinued by Maxmind + * remove module build for geoip + see https://support.maxmind.com/geolite-legacy-discontinuation-notice/ +- fix for boo#1157803 (CVE-2019-19269), boo#1157798 (CVE-2019-19270) + * add upstream patch proftpd-tls-crls-issue859.patch + +------------------------------------------------------------------- +Sun Nov 3 22:25:28 UTC 2019 - chris@computersalat.de + +- fix for boo#1154600 (CVE-2019-18217, gh#846) +- update to 1.3.6b + * Fixed pre-authentication remote denial-of-service issue (Issue #846). 
+ * Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824). +- update to 1.3.6a + * Fixed symlink navigation (Bug#4332). + * Fixed building of mod_sftp using OpenSSL 1.1.x releases (Issue#674). + * Fixed SITE COPY honoring of restrictions (Bug#4372). + * Fixed segfault on login when using mod_sftp + mod_sftp_pam (Issue#656). + * Fixed restarts when using mod_facl as a static module +- remove obsolete proftpd-CVE-2019-12815.patch + * included in 1.3.6a (Bug#4372) +- add proftpd_env-script-interpreter.patch + * RPMLINT fix for env-script-interpreter (Badness: 9) + +------------------------------------------------------------------- +Sat Nov 2 18:12:51 UTC 2019 - Martin Hauke + +- fix for boo#1155834 + * Add missing Requires(pre): group(ftp) for Leap 15 and Tumbleweed + * Add missing Requires(pre): user(ftp) for Leap 15 and Tumbleweed + +------------------------------------------------------------------- +Wed Oct 2 15:01:11 UTC 2019 - Bernhard Wiedemann + +- Update proftpd-dist.patch to use pam_keyinit.so (boo#1144056) + +------------------------------------------------------------------- +Fri Aug 2 14:52:48 UTC 2019 - chris@computersalat.de + +- fix for boo#1142281 (CVE-2019-12815, bpo#4372) + arbitrary file copy in mod_copy allows for remote code execution + and information disclosure without authentication +- add patch + * proftpd-CVE-2019-12815.patch + taken from: + - http://bugs.proftpd.org/show_bug.cgi?id=4372 + - https://github.com/proftpd/proftpd/commit/a73dbfe3b61459e7c2806d5162b12f0957990cb3 + +------------------------------------------------------------------- +Mon Jul 1 13:50:01 UTC 2019 - chris@computersalat.de + +- update changes file + * add missing info about bugzilla 1113041 + +------------------------------------------------------------------- +Tue Mar 26 11:35:53 UTC 2019 - Jan Engelhardt + +- Fix the Factory build: select the appropriate OpenSSL version + to build with. 
(fix for boo#1113041) + +------------------------------------------------------------------- +Wed Mar 20 18:46:47 UTC 2019 - Jan Engelhardt + +- Reduce hard dependency on systemd to only that which is + necessary for building and installation. +- Modernize RPM macro use (%make_install, %tmpfiles_create). +- Strip emphasis from description and trim other platform mentions. + +------------------------------------------------------------------- +Wed Jul 11 08:05:29 UTC 2018 - chris@computersalat.de + +- update to 1.3.6 + * Support for using Redis for caching, logging; see the doc/howto/Redis.html + documentation. + * Fixed mod_sql_postgres SSL support (Issue #415). + * Support building against LibreSSL instead of OpenSSL (Issue #361). + * Better support on AIX for login restraictions (Bug #4285). + * TimeoutLogin (and other timeouts) were not working properly for SFTP + connections (Bug#4299). + * Handling of the SIGILL and SIGINT signals, by the daemon process, now causes + the child processes to be terminated as well (Issue #461). + * RPM .spec file naming changed to conform to Fedora guidelines. + * Fix for "AllowChrootSymlinks off" checking each component for symlinks + (CVE-2017-7418). + -New Modules: + * mod_redis, mod_tls_redis, mod_wrap2_redis + With Redis now supported as a caching mechanism, similar to Memcache, + there are now Redis-using modules: mod_redis (for configuring the Redis + connection information), mod_tls_redis (for caching SSL sessions and + OCSP information using Redis), and mod_wrap2_redis (for using ACLs stored + in Redis). + -Changed Modules: + * mod_ban + The mod_ban module's BanCache directive can now use Redis-based caching; + see doc/contrib/mod_ban.html#BanCache. 
+ -New Configuration Directives + * SQLPasswordArgon2, SQLPasswordScrypt + The key lengths for Argon2 and Scrypt-based passwords are now configurable + via these new directives; previously, the key length had been hardcoded + to be 32 bytes, which is not interoperable with all other implementations + (Issue #454). + -Changed Configuration Directives + * AllowChrootSymlinks + When "AllowChrootSymlinks off" was used, only the last portion of the + DefaultRoot path would be checked to see if it was a symlink. Now, + each component of the DefaultRoot path will be checked to see if it is + a symlink when "AllowChrootSymlinks off" is used. + * Include + The Include directive can now be used within a section, e.g.: + + Include /path/to/allowed.txt + DenyAll + + -API Changes + * A new JSON API has been added, for use by third-party modules. +- remove obsolete proftpd_include-in-limit-section.patch +- rebase patches + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Tue Jul 10 11:57:58 UTC 2018 - chris@computersalat.de + +- update to 1.3.5e + * Fixed SFTP issue with umac-64@openssh.com digest/MAC. + * Fixed regression with mod_sftp rekeying. + * Backported fix for "AllowChrootSymlinks off" checking each component + for symlinks (CVE-2017-7418). 
+- remove obsolete patch + * proftpd-AllowChrootSymlinks.patch (now included) +- rebase patches + * proftpd-dist.patch + * proftpd-no_BuildDate.patch + * proftpd_include-in-limit-section.patch + +------------------------------------------------------------------- +Fri Jul 21 04:43:44 UTC 2017 - bwiedemann@suse.com + +- Sort SHARED_MODS list to fix build compare (boo#1041090) + +------------------------------------------------------------------- +Fri Jun 16 08:28:42 UTC 2017 - nmoudra@suse.com + +- Removed xinetd service + +------------------------------------------------------------------- +Fri Apr 7 20:49:37 UTC 2017 - chris@computersalat.de + +- fix for boo#1032443 (CVE-2017-7418) + * AllowChrootSymlinks not enforced by replacing a path component + with a symbolic link + * add upstream commit (ecff21e0d0e84f35c299ef91d7fda088e516d4ed) + as proftpd-AllowChrootSymlinks.patch +- fix proftpd-tls.template + * reduce TLS protocols to TLSv1.1 and TLSv1.2 + * disable TLSCACertificateFile + * add TLSCertificateChainFile + +------------------------------------------------------------------- +Thu Mar 23 15:05:22 UTC 2017 - jengelh@inai.de + +- Remove --with-pic, there are no static libs. +- Replace %__-type macro indirections. +- Replace old $RPM shell vars by macros. 
+ +------------------------------------------------------------------- +Mon Mar 6 22:32:07 UTC 2017 - chris@computersalat.de + +- fix and update proftpd-basic.conf.patch +- add some sample config and templates for tls + * proftpd-tls.template + * proftpd-limit.conf + * proftpd-ssl.README + +------------------------------------------------------------------- +Sun Feb 5 20:03:18 UTC 2017 - chris@computersalat.de + +- backport upstream feature + * include-in-limit-section (gh#410) + * add proftpd_include-in-limit-section.patch + +------------------------------------------------------------------- +Tue Jan 17 19:53:55 UTC 2017 - chris@computersalat.de + +- update to 1.3.5d + * gh#4283 - All FTP logins treated as anonymous logins again. This is a + regression of gh#3307. + +------------------------------------------------------------------- +Sun Jan 15 21:01:43 UTC 2017 - chris@computersalat.de + +- update to 1.3.5c + * SSH rekey during authentication can cause issues with clients. + * Recursive SCP uploads of multiple directories not handled properly. + * LIST returns different results for file, depending on path syntax. + * "AuthAliasOnly on" in server config breaks anonymous logins. + * CapabilitiesEngine directive not honored for / + sections. + * Support OpenSSL 1.1.x API. + * Memory leak when mod_facl is used. 
+-rebase proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Sat Aug 27 22:42:48 UTC 2016 - chris@computersalat.de + +- fix systemd vs SysVinit + +------------------------------------------------------------------- +Sun May 8 22:05:07 UTC 2016 - jengelh@inai.de + +- Remove redundant spec sections +- Ensure systemd-tmpfiles is called for the provied config file + +------------------------------------------------------------------- +Sun May 8 19:25:45 UTC 2016 - chris@computersalat.de + +- fix for boo#970890 (CVE-2016-3125) +- update to 1.3.5b: + http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b + * SSH RSA hostkeys smaller than 2048 bits now work properly. + * MLSD response lines are now properly CRLF terminated. + * Fixed selection of DH groups from TLSDHParamFile. +- rebase proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Sun May 31 18:54:45 UTC 2015 - chris@computersalat.de + +- fix for boo#927290 (CVE-2015-3306) +- update to 1.3.5a: + See http://www.proftpd.org/docs/NEWS-1.3.5a +- rebase patches + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch +- remove gpg-offline dependency +- fix permissions on passwd file + * unable to use world-readable AuthUserFile '.../passwd' (perms 0644): + * 0644 -> 0440 + +------------------------------------------------------------------- +Mon Sep 1 22:04:02 UTC 2014 - andreas.stieger@gmx.de + +- ProFTPD 1.3.5 + * Added support for SHA-256, SHA-512 password hashes to the ftpasswd tool + * New Modules + mod_geoip, mod_log_forensic, mod_rlimit, mod_snmp, mod_dnsbl + * mod_sftp now supports ECC, ECDSA, ECDH + * Improved FIPS support in mod_sftp. + * mod_sftp module now honors the MaxStoreFileSize directive. 
+ * Many new and changed configuration directives +- update proftpd-no_BuildDate.patch + +------------------------------------------------------------------- +Mon Sep 1 19:00:57 UTC 2014 - andreas.stieger@gmx.de + +- proftpd 1.3.4e: + Multiple other backported fix from the 1.3.5 branch. + See http://www.proftpd.org/docs/NEWS-1.3.4e +- The fix for the mod_sftp/mod_sftp_pam memory allocation + (CVE-2013-4359) contained in this release was previously patched + into the package. +- adjust proftpd-no_BuildDate.patch for context changes +- remove proftpd-sftp-kbdint-max-responses-bug3973.patch, upstream + +------------------------------------------------------------------- +Tue Mar 25 19:56:04 UTC 2014 - crrodriguez@opensuse.org + +- Remove tcpd-devel from buildRequires and mod_wrap. + support for tcp_wrappers style /etc/hosts.* is provided + by mod_wrap2_file instead, the latter does not require tcpd. + +------------------------------------------------------------------- +Mon Mar 17 18:38:53 UTC 2014 - chris@computersalat.de + +- fix for bnc#844183 + * proftpd fails to start due to missing /run/proftpd +- add own tmpfiles.d file + * proftpd.tmpfile + +------------------------------------------------------------------- +Thu Oct 3 20:48:44 UTC 2013 - chris@computersalat.de + +- update to 1.3.4d + * Fixed broken build when using --disable-ipv6 configure option + * Fixed mod_sql "SQLAuthType Backend" MySQL issues +- fix for bnc#843444 (CVE-2013-4359) + * http://bugs.proftpd.org/show_bug.cgi?id=3973 + * add proftpd-sftp-kbdint-max-responses-bug3973.patch + +------------------------------------------------------------------- +Mon Jul 29 01:12:53 UTC 2013 - crrodriguez@opensuse.org + +- Improve systemd service file +- use upstream tmpfiles.d file. related to [bnc#811793] +- Use /run instead of /var/run + +------------------------------------------------------------------- +Wed May 1 20:35:19 UTC 2013 - chris@computersalat.de + +- update to 1.3.4c + * Added Spanish translation. 
+ * Fixed several mod_sftp issues, including SFTPPassPhraseProvider, + handling of symlinks for REALPATH requests, and response code logging. + * Fixed symlink race for creating directories when UserOwner is in effect. + * Increased performance of FTP directory listings. +- rebase and rename patches (remove version string) + * proftpd-1.3.4a-dist.patch -> proftpd-dist.patch + * proftpd-1.3.4a-ftpasswd.patch -> proftpd-ftpasswd.patch + * proftpd-1.3.4a-strip.patch -> proftpd-strip.patch + +------------------------------------------------------------------- +Fri Feb 8 00:19:19 UTC 2013 - chris@computersalat.de + +- fix proftpd.conf (rebase basic.conf patch) + * IdentLookups is now a seperate module + IdentLookups on/off + is needed and module is not built cause crrodriguez disabled it. + +------------------------------------------------------------------- +Thu Nov 29 19:03:00 CET 2012 - sbrabec@suse.cz + +- Verify GPG signature. + +------------------------------------------------------------------- +Fri Nov 2 15:15:25 UTC 2012 - chris@computersalat.de + +- fix for bnc#787884 + (https://bugzilla.novell.com/show_bug.cgi?id=787884) + * added extra Source proftpd.conf.tmpfile + +------------------------------------------------------------------- +Thu Aug 30 17:33:30 UTC 2012 - crrodriguez@opensuse.org + +- Disable ident lookups, this protocol is totally obsolete + and dangerous. (add --disable-ident) +- Fix debug info generation ( add --disable-strip) + +------------------------------------------------------------------- +Wed Aug 29 21:51:49 UTC 2012 - crrodriguez@opensuse.org + +- Add systemd unit + +------------------------------------------------------------------- +Tue Aug 14 11:11:28 UTC 2012 - chris@computersalat.de + +- update to 1.3.4b + + Fixed mod_ldap segfault on login when LDAPUsers with no filters used. + + Fixed sporadic SFTP upload issues for large files. + + Fixed SSH2 handling for some clients (e.g. OpenVMS). 
+ + New FactsOptions directive; see doc/modules/mod_facts.html#FactsOptions + + Fixed build errors on Tru64, AIX, Cygwin. +- add Source Signatuire (.asc) file +- add noBuildDate patch +- add lang pkg + * --enable-nls +- add configure option + * --enable-openssl, --with-lastlog + +------------------------------------------------------------------- +Mon Dec 12 15:00:18 UTC 2011 - chris@computersalat.de + +- update to 1.3.4a + + Fixed mod_load/mod_wrap2 build issues. +- 1.3.4 + + New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation + for details. + + Improved configure script for cross-compiling. + + Reworked the proftpd.spec RPM file + + Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD. + + New "IgnoreSFTPSetTimes" SFTPOption added; see the SFTPOptions + documentation for details. + + Fixed response pool use-after-free issue. +- for more info please see the RELEASE_NOTES file +- reworked patches + * now p0 patches + +------------------------------------------------------------------- +Fri Nov 18 14:56:41 UTC 2011 - chris@computersalat.de + +- fix for bnc#731347 + * no (hostname -s) in post section + * reworked basic conf patch + +------------------------------------------------------------------- +Fri Nov 11 13:13:57 UTC 2011 - chris@computersalat.de + +- fix changelog + * RELEASE_NOTES-1.3.3g is lacking of important info +- fix for CVE-2011-4130 (bnc#729830) + * https://bugzilla.novell.com/show_bug.cgi?id=729830 + (upstream) http://bugs.proftpd.org/show_bug.cgi?id=3711 + => fixed with version 1.3.3g + +------------------------------------------------------------------- +Thu Nov 10 09:39:36 UTC 2011 - chris@computersalat.de + +- update to 1.3.3g + (http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3g) + + New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation + for details. + + Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD. 
+ (http://www.proftpd.org/docs/NEWS-1.3.3g) + - Bug 3702 - ProFTPD with mod_sql_mysql dies of "Alarm clock" on FreeBSD. + - Bug 3704 - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks. + To disable this countermeasure, which may cause interoperability issues + with some clients, use the NoEmptyFragments TLSOption. + - Bug 3711 - Response pool use-after-free memory corruption error. + +------------------------------------------------------------------- +Tue Oct 4 22:03:10 UTC 2011 - chris@computersalat.de + +- update to 1.3.3f + + Fixes segfault if mod_sql_mysql and "SQLAuthenticate groupsetfast" + configuration used. + + Fixes mod_wrap syslog level (regression from Bug#3317). + + Fixes mod_ifsession segfault if regular expression patterns used in + a section. + +------------------------------------------------------------------- +Fri Apr 29 11:18:55 UTC 2011 - chris@computersalat.de + +- push to Factory + o fix changelog (not in sequence) + o fix license (GPL -> GPLv2+) + o remove Author from description + o remove obsolete extra source proftpd.conf + +------------------------------------------------------------------- +Fri Apr 8 22:08:55 UTC 2011 - chris@computersalat.de + +- update to 1.3.3e + + Display messages work properly again. + + Fixes plaintext command injection vulnerability in FTPS implementation + (i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for + details. + + Fixes CVE-2011-1137 (badly formed SSH messages cause DoS). See + http://bugs.proftpd.org/show_bug.cgi?id=3586 for details. + + Performance improvements, especially during server startup/restarts. + +------------------------------------------------------------------- +Sun Jan 30 20:40:10 UTC 2011 - chris@computersalat.de + +- update to 1.3.3d + + Fixed sql_prepare_where() buffer overflow (Bug#3536) + + Fixed CPU spike when handling .ftpaccess files. + + Fixed handling of SFTP uploads when compression is used. 
+ +------------------------------------------------------------------- +Fri Oct 22 23:26:10 UTC 2010 - mseben@gmail.com + +- update to 1.3.3c + + Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925) + + Fixed directory traversal bug in mod_site_misc + + Fixed SQLite authentications using "SQLAuthType Backend" + +------------------------------------------------------------------- +Fri Oct 22 17:49:06 UTC 2010 - chris@computersalat.de + +- clenaup spec +- fix doc pkg + o should not provide pkgconfig + +------------------------------------------------------------------- +Fri Oct 15 14:13:43 UTC 2010 - chris@computersalat.de + +- update to 1.3.3b + + Fixed SFTP directory listing bug + + Avoid corrupting utmpx databases on FreeBSD + + Avoid null pointer dereferences during data transfers + + Fixed "AuthAliasOnly on" anonymous logins +- rpmlint: no-pkg-config-provides + o add BuildReq pkg-config +- removed changes from spec + +------------------------------------------------------------------- +Wed Jul 7 14:17:45 UTC 2010 - chris@computersalat.de + +- update to 1.3.3a + + Added Japanese translation + + Many mod_sftp bugfixes + + Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later + + Fixed handling of utmp/utmpx format changes on FreeBSD +- rpmlint: self-obsoletion + +------------------------------------------------------------------- +Wed May 5 14:01:02 UTC 2010 - mseben@novell.com + +- fix build : dir-or-file-in-var-run badness : /var/run/proftpd dir + is marked as ghost and it is created in init script now + +------------------------------------------------------------------- +Fri Apr 9 15:44:32 UTC 2010 - mseben@novell.com + +- added ncurses-devel to buildrequires to fix ftptop message : "no + curses or ncurses library on this system" + +------------------------------------------------------------------- +Fri Feb 26 16:01:47 UTC 2010 - chris@computersalat.de + +- added info for "STABLE" versions only + 
+------------------------------------------------------------------- +Thu Feb 25 00:14:20 UTC 2010 - chris@computersalat.de + +- update to 1.3.3 + o Fixed mod_ban whitelisting using mod_ifsession. + o Fixed per-user/group/class "HideFiles none" configurations. + - 1.3.3rc4 + o Fixed mod_tls compilation using OpenSSL installations older + than 0.9.7. + o Fixed mod_sftp compilation on AIX. + o Fixed RADIUS authentication on 64-bit platforms + o Fixed memory leak in SCP downloads. + o New configuration directives + SQLPasswordUserSalt + The SQLPasswordUserSalt directive can be used to configure + per-user salt data to be added to the encrypted password + for a user. The salt can be the user name, or it can be + the result of a SQL query. More information can be found in + doc/contrib/mod_sql_passwd.html#SQLPasswordUserSalt. + +------------------------------------------------------------------- +Wed Feb 10 16:10:32 CET 2010 - diego.ercolani@gmail.com + +- update to 1.3.3rc3 +- try to be compatible with osc :-) + +------------------------------------------------------------------- +Sun Dec 20 19:39:10 UTC 2009 - chris@computersalat.de + +- update to 1.3.2c + o Bug and regression fixes. +- removed obsolete CVE patch + +------------------------------------------------------------------- +Mon Oct 26 12:35:29 UTC 2009 - mseben@novell.com + +- fixed CVE-2009-3639 : mod_tls security issue (bnc#549740) + +------------------------------------------------------------------- +Wed Sep 16 18:17:04 UTC 2009 - alexandre@exatati.com.br + +- Update tarball to its upstream version without + bzipped patch; +- Removed blank spaces at enf of lines on spec file; +- Replaced tab characters on spec file. 
+ +------------------------------------------------------------------- +Wed Sep 16 11:20:20 UTC 2009 - chris@computersalat.de + +- update to 1.3.2 (1.3.2a) + o many bugfixes, read ChangeLog or NEWS + o include 1.3.2a upstream patch + o removed old patches + * proftpd-1.3.1-umode_t.patch + * proftpd-1.3.1-O_CREAT.patch + * proftpd-1.3.1-libcap.patch + * proftpd-1.3.1-CVE-2009-0542.patch + * proftpd-1.3.1-CVE-2009-0543.patch + o reworked basic.conf.patch +- spec mods + o removed ^#----- + o removed {rel} + o clean + * rm -rf RPM_BUILD_ROOT + o added sub sqlite +- fixed deps + o BuildRequires: sqlite3-devel unixODBC-devel +- rpmlint + o description-shorter-than-summary + o source-or-patch-not-bzipped proftpd-1.3.2a.patch + +------------------------------------------------------------------- +Tue Jul 7 22:21:50 CEST 2009 - chris@computersalat.de + +- added proftpd.passwd + o it is an initial passwd for virtuser and + anonymous login works well with it :) + +------------------------------------------------------------------- +Mon Jul 6 22:16:46 CEST 2009 - chris@computersalat.de + +- added ftpasswd.patch +- rework of basic.conf patch +- removed README.AIX + +------------------------------------------------------------------- +Thu Apr 16 01:54:23 CEST 2009 - chris@computersalat.de + +- added basic.conf patch +- added dist.patch + o fix for xinetd, logrotate, pam +- some more subpackages + o ldap, mysql, pgsql, radius +- added ftpasswd for simple virtuser support +- added auth DIR /etc/proftpd/auth + o passwd for virtuser +- added conf.d DIR /etc/proftpd/conf.d + o configs for inclusion +- added log DIR /var/log/proftpd +- beautify init file +- beautify spec file + +------------------------------------------------------------------- +Wed Feb 18 10:40:55 CET 2009 - mseben@suse.cz + +- added proftpd.conf with uploads section + +------------------------------------------------------------------- +Fri Feb 13 16:55:01 CET 2009 - mseben@suse.cz + +- fixed sql injection 
vulnerability which allows remote attackers + to execute arbitrary SQL commands via a "%" character + CVE-2009-0542.patch (bnc#475316) +- fixed vulnerability which allows remote attackers to bypass SQL + injection protection mechanisms via invalid, encoded multibyte + characters CVE-2009-0543.patch (bnc#475316) + +------------------------------------------------------------------- +Mon Jan 26 14:19:45 CET 2009 - mseben@suse.cz + +- splitted HTML doc to proftpd-doc +- added %post and %postun macro to spec + +------------------------------------------------------------------- +Thu Jan 22 13:58:33 CET 2009 - mseben@suse.cz + +- fixed missing third argument in open function (*-O_CREAT.patch) +- disabled striping libraries (*-no_strip.patch) +- fixed configure script (*-umode_t.patch) +- added -DLDAP_DEPRECATED to CFLAGS because of deprecated ldap_init + function +- disabled contrib scripts for now +- fixed handling _LINUX_CAPABILITY_VERSION on newer linux kernel. + (proftpd-*-libcap.patch) + +------------------------------------------------------------------- +Wed Aug 20 12:43:56 CEST 2008 - mrueckert@suse.de + +- disabled debugging stuff for now + +------------------------------------------------------------------- +Fri Oct 19 11:58:42 CEST 2007 - mrueckert@suse.de + +- enabled missing modules (mod_ban,mod_wrap2*,mod_quota_radius) + and replaced the hardcoded value for --with-shared with a + dynamically generated list + +------------------------------------------------------------------- +Sat Oct 6 03:42:39 CEST 2007 - mrueckert@suse.de + +- update to 1.3.1: + Many bugfixes and new features like dynamic blacklisting of + clients, improved SQL handling, and quotas. +- added --enable-devel=coredump,nodaemon,nofork +- added devel subpackage for the headers + +------------------------------------------------------------------- +Wed Nov 29 04:11:44 CET 2006 - mrueckert@suse.de + +- update to 1.3.0a: + fixes a remote code execution. 
CVE-2006-5815
+ (http://bugs.proftpd.org/show_bug.cgi?id=2858)
+
diff --git a/proftpd.init b/proftpd.init
new file mode 100644
index 0000000..70a1f79
--- /dev/null
+++ b/proftpd.init
@@ -0,0 +1,222 @@
+#! /bin/sh
+# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
+# All rights reserved.
+#
+# Author: Kurt Garloff
+# Please send feedback to http://www.suse.de/feedback/
+#
+# /etc/init.d/proftpd
+# and its symbolic link
+# /(usr/)sbin/rcproftpd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+### BEGIN INIT INFO
+# Provides: proftpd
+# Required-Start: $syslog $remote_fs
+# Should-Start: $time ypbind sendmail
+# Required-Stop: $syslog $remote_fs
+# Should-Stop: $time ypbind sendmail
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: ProFTPD daemon
+# Description: Start ProFTPD to allow XY and provide YZ
+### END INIT INFO
+#
+# Note on runlevels:
+# 0 - halt/poweroff 6 - reboot
+# 1 - single user 2 - multiuser without network exported
+# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
+#
+# Note on script names:
+# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
+# A registry has been set up to manage the init script namespace.
+# http://www.lanana.org/
+# Please use the names already registered or register one or use a
+# vendor prefix.
+
+
+# Check for missing binaries (stale symlinks should not happen)
+# Note: Special treatment of stop for LSB conformance
+PROFTPD_BIN=/usr/sbin/proftpd
+test -x $PROFTPD_BIN || { echo "$PROFTPD_BIN not installed";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 5; fi; }
+
+PROFTPD_RUNDIR=/var/run/proftpd
+# Check for existence of needed config file and read it
+#PROFTPD_CONFIG=/etc/sysconfig/proftpd
+#test -r $PROFTPD_CONFIG || { echo "$PROFTPD_CONFIG not existing";
+# if [ "$1" = "stop" ]; then exit 0;
+# else exit 6; fi; }
+#
+# Read config
+#. $PROFTPD_CONFIG
+
+# Source LSB init functions
+# providing start_daemon, killproc, pidofproc,
+# log_success_msg, log_failure_msg and log_warning_msg.
+# This is currently not used by UnitedLinux based distributions and
+# not needed for init scripts for UnitedLinux only. If it is used,
+# the functions from rc.status should not be sourced or used.
+#. /lib/lsb/init-functions
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v be verbose in local rc status and clear it afterwards
+# rc_status -v -r ditto and clear both the local and overall rc status
+# rc_status -s display "skipped" and exit with status 3
+# rc_status -u display "unused" and exit with status 3
+# rc_failed set local and overall rc status to failed
+# rc_failed set local and overall rc status to
+# rc_reset clear both the local and overall rc status
+# rc_exit exit appropriate to overall rc status
+# rc_active checks whether a service is activated by symlinks
+. /etc/rc.status
+
+# Reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - user had insufficient privileges
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
+#
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signaling is not supported) are
+# considered a success.
+
+case "$1" in
+ start)
+ if [ ! -d $PROFTPD_RUNDIR ]; then
+ mkdir -p $PROFTPD_RUNDIR
+ fi
+ echo -n "Starting proftpd "
+ ## Start daemon with startproc(8). If this fails
+ ## the return value is set appropriately by startproc.
+ /sbin/startproc $PROFTPD_BIN
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down proftpd "
+ ## Stop daemon with killproc(8) and if this fails
+ ## killproc sets the return value according to LSB.
+ /sbin/killproc -TERM $PROFTPD_BIN
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ try-restart|condrestart)
+ ## Do a restart only if the service was active before.
+ ## Note: try-restart is now part of LSB (as of 1.9).
+ ## RH has a similar command named condrestart.
+ if test "$1" = "condrestart"; then
+ echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
+ fi
+ $0 status
+ if test $? = 0; then
+ $0 restart
+ else
+ rc_reset # Not running is not a failure.
+ fi
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ restart)
+ ## Stop the service and regardless of whether it was
+ ## running or not, start it again.
+ $0 stop
+ $0 start
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ force-reload)
+ echo -n "Reload service proftpd "
+ ## Signal the daemon to reload its config. Most daemons
+ ## do this on signal 1 (SIGHUP).
+ ## If it does not support it, restart the service if it
+ ## is running.
+ # if it supports it:
+ /sbin/killproc -HUP $PROFTPD_BIN
+ #touch /var/run/proftpd.pid
+
+ # Remember status and be verbose
+ rc_status -v
+
+ ## Otherwise:
+ #$0 try-restart
+ #rc_status
+ ;;
+ reload)
+ echo -n "Reload service proftpd "
+ ## Like force-reload, but if daemon does not support
+ ## signaling, do nothing (!)
+ # If it supports signaling:
+ /sbin/killproc -HUP $PROFTPD_BIN
+ #touch /var/run/proftpd.pid
+
+ # Remember status and be verbose
+ rc_status -v
+
+ ## Otherwise if it does not support reload:
+ #rc_failed 3
+ #rc_status -v
+ ;;
+ status)
+ echo -n "Checking for service proftpd "
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ # Return value is slightly different for the status command:
+ # 0 - service up and running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running (unused)
+ # 4 - service status unknown :-(
+ # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
+
+ # NOTE: checkproc returns LSB compliant status values.
+ /sbin/checkproc $PROFTPD_BIN
+ # NOTE: rc_status knows that we called this init script with
+ # "status" option and adapts its messages accordingly.
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ probe)
+ ## Optional: Probe for the necessity of a reload, print out the
+ ## argument to this init script which is required for a reload.
+ ## Note: probe is not (yet) part of LSB (as of 1.9)
+
+ test /etc/proftpd/proftpd.conf -nt $PROFTPD_RUNDIR/proftpd.pid && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+ exit 1
+ ;;
+esac
+rc_exit
diff --git a/proftpd.keyring b/proftpd.keyring
new file mode 100644
index 0000000..265962c
--- /dev/null
+++ b/proftpd.keyring
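Review bot: In proftpd.init the `start)` branch creates `$PROFTPD_RUNDIR` with a bare `mkdir -p`, so the directory's mode depends on the umask of whatever invoked the script, and a failed mkdir still falls through to `startproc`. The `probe)` branch reads `$PROFTPD_RUNDIR/proftpd.pid`, so this directory holds the PID file and its permissions matter. Set the mode explicitly and stop on failure: `mkdir -p -m 0755 "$PROFTPD_RUNDIR" || { rc_failed 1; rc_status -v; rc_exit; }`. The unquoted `$PROFTPD_BIN` and `$PROFTPD_RUNDIR` expansions are harmless with the current constants but would be safer quoted.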
@@ -0,0 +1,33 @@
+pub 1024D/A511976A 2002-05-12
+uid TJ Saunders
+sub 2048g/8C26F9DE 2002-05-12
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQGiBDze4PkRBADtl8nbLuIgZkIdl6fUj9/LOBXGrtP5B8cTgDjBlURronHtLzkQ
+oHqNS8zmh5gmg8F6EMnCy6tqTGlQ3OylhY2u8fBUFJZk0RpaGYka0SI+hkNn/Hmu
+GLXs4+5RKIuL1lp1DFv2L2S+Qp3xFs0vYJsrdi7nRhM1/LqN9S0pr2/i9QCg/5bD
+AMS9qiVZvd7E0464cWWUXDsD/2z7fwPUFD23bHGSpifSl8jOqUuOWf5lhJqXLpHZ
+TnSsO+rOi5dXdB1fPwgvwFnv7akFStTpXaRq1XdB33/QTwWNO3DBXKe8VkBivXTY
+nWHLiktQwoY06Ws6r2cYxfgRhoHBSQFR/e1OhURaV8d0nSZsISrUyOREAYFUZT0L
+s0jHBADcNSLHoehRf69mBEh3SMk+hiNse8r0VTcE6aJ5AISE6famDQw9cQh8gdmf
+R5LrN/QbF4qQ2jWrfzhkVB6oslyghk3KCncFMnmT/4QpPVfSeTon3yM0Sz9Gtr2Q
+YRp6Qhy7RgnoJ35bMaleww18WKOJtS840PRikboy5XFXt14gvbQeVEogU2F1bmRl
+cnMgPHRqQGNhc3RhZ2xpYS5vcmc+iFYEEBECAA4FAjze4PkECwMBAgIZAQASCRC3
+jok/pRGXagdlR1BHAAEB4EMAoL0MfmR26WnBxfQAUFD1bMnSO95EAKC1jnqqe9Xq
+TPTsGWOZwNGc13nTmLkCDQQ83uD7EAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bx
+brlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJP
+PT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrU
+GvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVb
+GI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcp
+esqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAgf+ORAr
+y8LE18PVKiJk9/bpZ+LzSQ/kgNKDjqRsqT8HOFjToIpbbY1lOBErEr7OedJGK3ra
+g1q8vD+kNK4MZdNcEeIcaMG7TnArOJ4zNZzKBQQzZp8hdv8heirfhJtb5MdFO2MI
+N2+I9OoeUXNX1GVxYQJkuHpvsbqbZ6P2bRYwPUmnSAy6y2yy3ZmTZDD6ItaUaTIA
+JbT8myTljeO4vz80nWldpUZfVtwkCRczjL7GYvwGbg1DZ45ND1pq9Kp5jqybevYw
+d2a/7es+PgWQxy6qRFW3j95lm9Dd7ha29trziinxZ5GevUgyPIcs5SCQUG+cb5Yb
+VUpLxGrHLKoW/mdBCYhOBBgRAgAGBQI83uD7ABIJELeOiT+lEZdqB2VHUEcAAQE1
+CwCdGzQx8HHoe2O+tc3ymntAdNl7kLYAoNN0gN75bS/ZWBrKrLR0ne6JAdkO
+=X5Db
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/proftpd.passwd b/proftpd.passwd
new file mode 100644
index 0000000..62e7dd6
--- /dev/null
+++ b/proftpd.passwd
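Review bot: The only key in proftpd.keyring is a 1024-bit DSA key from 2002 (`pub 1024D/A511976A`), and the header names it only by its 8-hex short ID. A 1024-bit DSA key is below the strength current guidance asks of signing keys, and short IDs can be made to collide, so neither the key nor its label gives much assurance about who signed the source tarball. Record the full fingerprint in the header text, verified out of band, e.g. `fpr <FULL-40-HEX-FINGERPRINT-PLACEHOLDER>`, and move to a stronger upstream key if the project publishes one. Whether the 1.3.8c signature is made with this key cannot be seen from this hunk.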
@@ -0,0 +1 @@
+ftp:$1$Qirpijna$Z9ocX/jIH/kpBppMFyI451:49:49::/srv/ftp:/bin/false
diff --git a/proftpd.service b/proftpd.service
new file mode 100644
index 0000000..64bf1ac
--- /dev/null
+++ b/proftpd.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=ProFTPd FTP server
+After=systemd-user-sessions.service network.target nss-lookup.target local-fs.target remote-fs.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+ExecStart=/usr/sbin/proftpd --nodaemon
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/proftpd.spec b/proftpd.spec
new file mode 100644
index 0000000..2bb6052
--- /dev/null
+++ b/proftpd.spec
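Review bot: proftpd.passwd ships a fixed MD5-crypt (`$1$`) password hash for the `ftp` account, and proftpd.spec installs it as `%{_sysconfdir}/%{name}/auth/passwd`, so every installation starts with the same credential for that entry. MD5-crypt is a weak password hash by current standards, and this hash is public in the package sources. If the entry exists only to provide the uid/gid 49 mapping, a locked password field would be safer, e.g. `ftp:*:49:49::/srv/ftp:/bin/false`. Whether the default configuration actually consults this file for logins is not visible in this hunk and should be checked before changing it.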
@@ -0,0 +1,381 @@ +# +# spec file for package proftpd +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define with_redis 1 +%define with_sodium 1 + +%if 0%{?suse_version} == 1315 || 0%{?suse_version} == 1500 +%define with_redis 0 +%endif + +%if 0%{?suse_version} == 1315 +%define with_sodium 0 +%endif + +Name: proftpd +Summary: Configurable GPL-licensed FTP server software +# Please save your time and do not update to "rc" versions. 
+# We only accept updates for "STABLE" Versions +License: GPL-2.0-or-later +Group: Productivity/Networking/Ftp/Servers +Version: 1.3.8c +Release: 0 +URL: http://www.proftpd.org/ +Source0: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz +Source1: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz.asc +Source11: %{name}.init +Source12: %{name}.passwd +Source13: %{name}.service +Source14: %{name}.tmpfile +Source15: %{name}.keyring +Source16: %{name}-tls.template +Source17: %{name}-limit.template +Source18: %{name}-ssl.README +#PATCH-FIX-openSUSE: pam, logrotate, xinet +Patch100: %{name}-dist.patch +#PATCH-FIX-openSUSE: provide a useful default config +Patch101: %{name}-basic.conf.patch +#PATCH-FIX: provide more info on usage ;) +Patch102: %{name}-ftpasswd.patch +#PATCH-FIX: fix strip +Patch103: %{name}-strip.patch +#PATCH-FIX-openSUSE: file-contains-date-and-time +Patch104: %{name}-no_BuildDate.patch +#RPMLINT-FIX-openSUSE: env-script-interpreter +Patch105: %{name}_env-script-interpreter.patch +#openSUSE:Security_Features#Systemd_hardening_effort +Patch106: harden_proftpd.service.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-build +#BuildRequires: gpg-offline +BuildRequires: cyrus-sasl-devel +BuildRequires: fdupes +BuildRequires: gcc-c++ +%if 0%{?with_redis} +BuildRequires: hiredis-devel +%endif +BuildRequires: krb5-devel +BuildRequires: libacl-devel +BuildRequires: libattr-devel +BuildRequires: libmemcached-devel +#BuildRequires: libGeoIP-devel +BuildRequires: libmysqld-devel +%if 0%{?with_sodium} +BuildRequires: libsodium-devel +%endif +BuildRequires: ncurses-devel +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: pcre-devel +BuildRequires: pkg-config +BuildRequires: postgresql-devel +BuildRequires: sqlite3-devel +BuildRequires: unixODBC-devel +BuildRequires: pkgconfig(libssl) +Requires: logrotate +%if 0%{?lang_package:1} > 0 +Recommends: %{name}-lang +%endif + +%if 0%{?suse_version} >= 1210 +BuildRequires: 
systemd-rpm-macros +%{?systemd_ordering} +%define has_systemd 1 +%else +Requires(pre): %insserv_prereq +%endif +%if 0%{?suse_version} >= 1330 +Requires(pre): group(ftp) +Requires(pre): user(ftp) +%endif + +%description +ProFTPD is a configurable FTP daemon for Unix and Unix-like +operating systems. + +%{?lang_package} + +%package devel +Summary: Development files for ProFTPD +Group: Development/Libraries/C and C++ +Requires: %{name} = %{version} + +%description devel +This package contains Development files for ProFTPD + +%package ldap +Summary: LDAP Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description ldap +This is the LDAP Module for ProFTPD + +%package mysql +Summary: MySQL Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description mysql +This is the MySQL Module for ProFTPD + +%package pgsql +Summary: PostgreSQL Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description pgsql +This is the PostgreSQL Module for ProFTPD + +%package radius +Summary: Radius Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description radius +This is the Radius Module for ProFTPD + +%package sqlite +Summary: SQLite Module for ProFTPD +Group: Productivity/Networking/Ftp/Servers +Requires: %{name} = %{version} + +%description sqlite +This is the SQLite Module for ProFTPD + +%package doc +Summary: Documentation for ProFTPD +Group: Documentation/HTML +Requires: %{name} = %{version} + +%description doc +Here are Documentation for ProFTPD + +%prep +%autosetup -p0 + +rm README.AIX README.cygwin README.FreeBSD README.Solaris2.5x README.Unixware + +%build +rm contrib/mod_wrap.c +rm contrib/mod_geoip.c +PROFTPD_SHARED_MODS="$(for spec_mod in $(find contrib -name mod_\*.c|sort); do echo "$(basename ${spec_mod%%.c})"; done | tr '\n' ':' | sed -e 's|:$||')" +export CFLAGS="%{optflags} 
-D_GNU_SOURCE -DLDAP_DEPRECATED" +export CXXFLAGS="$CFLAGS" +%configure \ + --bindir=%{_sbindir} \ + --libexecdir=%{_libdir}/%{name} \ + --sysconfdir=%{_sysconfdir}/%{name} \ +%if 0%{?has_systemd} + --localstatedir=/run/%{name} \ +%else + --localstatedir=%{_localstatedir}/run/%{name} \ +%endif + --enable-sendfile \ + --enable-ctrls \ + --enable-dso \ + --enable-facl \ + --enable-ipv6 \ + --enable-memcache \ + --enable-nls \ + --enable-openssl \ + --enable-pcre \ +%if 0%{?with_redis} + --enable-redis \ +%endif + --enable-shadow \ + --with-lastlog \ + --with-includes="%{_includedir}/mysql:%{_includedir}/pgsql" \ + --with-shared="${PROFTPD_SHARED_MODS}" \ + --disable-ident \ + --disable-strip + +# --enable-memcache \ +# --enable-pcre \ +# --enable-redis \ +# --enable-shadow \ +make %{?_smp_mflags} + +%install +%make_install INSTALL_USER=`id -un` INSTALL_GROUP=`id -gn` +%if 0%{?suse_version} > 1500 +mkdir -p %{buildroot}%{_pam_vendordir} +install -D -m 0644 contrib/dist/rpm/ftp.pamd %{buildroot}/%{_pam_vendordir}/%{name} +%else +install -D -m 0644 contrib/dist/rpm/ftp.pamd %{buildroot}/%{_sysconfdir}/pam.d/%{name} +%endif +install -D -m 0644 contrib/dist/rpm/%{name}.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} +# +rm -fv %{buildroot}/%{_libdir}/%{name}/*.{a,la} + +# install ftpasswd +install -D -m 0755 contrib/ftpasswd %{buildroot}/%{_sbindir}/ + +# some needed dirs +install -D -m 0440 %{S:12} %{buildroot}/%{_sysconfdir}/%{name}/auth/passwd +install -D -m 0644 %{S:16} %{buildroot}/%{_sysconfdir}/%{name}/conf.d/tls.template +install -D -m 0644 %{S:18} %{buildroot}/%{_sysconfdir}/%{name}/conf.d/README +install -D -m 0644 %{S:17} %{buildroot}/%{_sysconfdir}/%{name}/includes/limit.template +install -D -m 0644 %{S:18} %{buildroot}/%{_sysconfdir}/%{name}/ssl/README +install -d -m 0750 %{buildroot}/var/log/%{name} + +# systemd vs SysVinit +%if 0%{?has_systemd} +install -D -m 0644 %{S:13} %{buildroot}%{_unitdir}/%{name}.service +ln -sf %{_sbindir}/service 
%{buildroot}/%{_sbindir}/rc%{name} +# systemd need to create a tmp dir: /run/proftpd +install -D -m 0644 %{S:14} %{buildroot}%{_tmpfilesdir}/%{name}.conf +%else #SysVinit +install -D -m 0755 %{S:11} %{buildroot}/%{_sysconfdir}/init.d/%{name} +ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}/%{_sbindir}/rc%{name} +%endif + +%fdupes -s %{buildroot}%{_sysconfdir}/%{name} + +%find_lang %{name} + +%pre +%if 0%{?has_systemd} +%service_add_pre %{name}.service +%endif +%if 0%{?suse_version} > 1500 +# Prepare for migration to /usr/lib; save any old .rpmsave +for i in pam.d/proftpd ; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: +done + +%posttrans +# Migration to /usr/lib, restore just created .rpmsave +for i in pam.d/proftpd ; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: +done +%endif + +%preun +%if 0%{?has_systemd} +%service_del_preun %{name}.service +%else +%stop_on_removal %{name} +%endif + +%post +%if 0%{?has_systemd} +%service_add_post %{name}.service +%tmpfiles_create %{_tmpfilesdir}/%{name}.conf +%else +%{fillup_and_insserv -f proftpd} +install -d %{_localstatedir}/run/%{name} +%endif + +%postun +%if 0%{?has_systemd} +%service_del_postun %{name}.service +%else +%restart_on_update %{name} +%{insserv_cleanup} +%endif + +%if 0%{?lang_package:1} > 0 +%files lang -f %{name}.lang +%if 0%{?sles_version} == 11 +%defattr(-,root,root) +%dir %{_datadir}/locale/bg_BG +%dir %{_datadir}/locale/bg_BG/LC_MESSAGES +%dir %{_datadir}/locale/ja_JP +%dir %{_datadir}/locale/ja_JP/LC_MESSAGES +%dir %{_datadir}/locale/ko_KR +%dir %{_datadir}/locale/ko_KR/LC_MESSAGES +%endif + +%files +%else + +%files -f %{name}.lang +%endif +%defattr(-,root,root) +%license COPYING +%doc CREDITS NEWS README* RELEASE_NOTES +%doc contrib/README.* +%doc sample-configurations/*.conf +%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/ +%dir %attr(0750,ftp,ftp) %{_sysconfdir}/%{name}/auth/ 
+%config(noreplace) %attr(0440,root,ftp) %{_sysconfdir}/%{name}/auth/passwd +%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d/ +%config %{_sysconfdir}/%{name}/conf.d/tls.template +%config %{_sysconfdir}/%{name}/conf.d/README +%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/includes/ +%config %{_sysconfdir}/%{name}/includes/limit.template +%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.conf +%config %{_sysconfdir}/%{name}/PROFTPD-MIB.txt +%dir %attr(0700,ftp,ftp) %{_sysconfdir}/%{name}/ssl/ +%config %{_sysconfdir}/%{name}/ssl/README +%config(noreplace) %{_sysconfdir}/logrotate.d/%{name} +%if 0%{?suse_version} > 1500 +%{_pam_vendordir}/%{name} +%else +%config(noreplace) %{_sysconfdir}/pam.d/%{name} +%endif +%config(noreplace) %{_sysconfdir}/%{name}/blacklist.dat +%config(noreplace) %{_sysconfdir}/%{name}/dhparams.pem +%dir %attr(0750,root,root) %{_localstatedir}/log/%{name} +%{_sbindir}/* +%{_mandir}/man?/* +%dir %attr(0755,root,root) %{_libdir}/%{name}/ +%{_libdir}/%{name}/*.so +%exclude %{_libdir}/%{name}/mod_ldap.so +%exclude %{_libdir}/%{name}/mod_sql_mysql.so +%exclude %{_libdir}/%{name}/mod_sql_postgres.so +%exclude %{_libdir}/%{name}/mod_radius.so +%exclude %{_libdir}/%{name}/mod_sql_sqlite.so +%if 0%{?has_systemd} +%{_unitdir}/%{name}.service +%{_tmpfilesdir}/%{name}.conf +%ghost %dir /run/%{name} +%else +%{_sysconfdir}/init.d/%{name} +%endif + +%files devel +%defattr(-,root,root) +%{_includedir}/%{name} +%{_libdir}/pkgconfig/%{name}.pc + +%files ldap +%defattr(-,root,root) +%{_libdir}/%{name}/mod_ldap.so + +%files mysql +%defattr(-,root,root) +%{_libdir}/%{name}/mod_sql_mysql.so + +%files pgsql +%defattr(-,root,root) +%{_libdir}/%{name}/mod_sql_postgres.so + +%files radius +%defattr(-,root,root) +%{_libdir}/%{name}/mod_radius.so + +%files sqlite +%defattr(-,root,root) +%{_libdir}/%{name}/mod_sql_sqlite.so + +%files doc +%defattr(-,root,root) +%doc doc/*.html doc/contrib doc/howto doc/modules + +%changelog 
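Review bot: In `%files`, the directory `%{_sysconfdir}/%{name}/auth/` is owned by `ftp:ftp` with mode 0750 while the credential file inside it is `root:ftp` 0440, so the read-only file mode does not protect it: the directory owner can unlink or rename `passwd` and create a replacement. The same pattern applies to `ssl/` (0700, `ftp:ftp`), which presumably holds TLS key material. Unless the daemon has to create files there at runtime, a root-owned directory would be tighter, e.g. `%dir %attr(0750,root,ftp) %{_sysconfdir}/%{name}/auth/`, with the equivalent change for `ssl/`. Separately, `%prep` has no visible step that checks `Source1` against `Source15` (`#BuildRequires: gpg-offline` is commented out), so the tarball signature check depends on tooling outside this spec.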
diff --git a/proftpd.tmpfile b/proftpd.tmpfile
new file mode 100644
index 0000000..6d4dba0
--- /dev/null
+++ b/proftpd.tmpfile
@@ -0,0 +1,2 @@
+# proFTPD needs a DIR
+d /run/proftpd 0755 root root -
diff --git a/proftpd_env-script-interpreter.patch b/proftpd_env-script-interpreter.patch
new file mode 100644
index 0000000..82d5112
--- /dev/null
+++ b/proftpd_env-script-interpreter.patch
@@ -0,0 +1,40 @@
+Index: contrib/ftpasswd
+===================================================================
+--- contrib/ftpasswd.orig
++++ contrib/ftpasswd
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2000-2021 TJ Saunders
+ #
+Index: contrib/ftpmail
+===================================================================
+--- contrib/ftpmail.orig
++++ contrib/ftpmail
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2008-2017 TJ Saunders
+ #
+Index: contrib/ftpquota
+===================================================================
+--- contrib/ftpquota.orig
++++ contrib/ftpquota
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # -------------------------------------------------------------------------
+ # Copyright (C) 2000-2017 TJ Saunders
+ #
+Index: src/prxs.in
+===================================================================
+--- src/prxs.in.orig
++++ src/prxs.in
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ 
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2008-2020 TJ Saunders