commit d1373698e23aee47f81ccc9aea7477879719d1a26704f256428a06ee3ff95d9b Author: Pavol Rusnak Date: Tue Apr 26 13:09:12 2011 +0000 Accepting request 66590 from openSUSE:Factory:Contrib OBS-URL: https://build.opensuse.org/request/show/66590 OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=1
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/proftpd-1.3.1-ftpasswd.patch b/proftpd-1.3.1-ftpasswd.patch
new file mode 100644
index 0000000..29c0225
--- /dev/null
+++ b/proftpd-1.3.1-ftpasswd.patch
@@ -0,0 +1,61 @@ +diff -ruN proftpd-1.3.1-orig/contrib/ftpasswd proftpd-1.3.1/contrib/ftpasswd +--- proftpd-1.3.1-orig/contrib/ftpasswd 2004-10-07 21:17:58.000000000 +0000 ++++ proftpd-1.3.1/contrib/ftpasswd 2008-11-03 14:11:33.159343152 +0000 +@@ -34,8 +34,8 @@ + $Getopt::Long::auto_abbrev = 0; + + my $program = basename($0); +-my $default_passwd_file = "./ftpd.passwd"; +-my $default_group_file = "./ftpd.group"; ++my $default_passwd_file = "/etc/proftpd/auth/passwd"; ++my $default_group_file = "/etc/proftpd/auth/group"; + my $shell_file = "/etc/shells"; + my $default_cracklib_dict = "/usr/lib/cracklib_dict"; + my $cracklib_dict; +@@ -882,6 +882,46 @@ + --version + Displays the version of $program. + ++Creating Files ++ ++The ftpasswd program can create and update files for both AuthUserFile and ++ AuthGroupFile. When it is used for the first time, the program will create ++ the necessary file. If that file already exists, ftpasswd will update it ++ with the new information. ++ ++ftpasswd must first know what type of file to create. Use either the ++ --passwd option (for handling AuthUserFiles), or the --group option ++ (for handling AuthGroupFiles); this is required. ++ ++When creating an AuthUserFile, the following options are also ++ required: --name, --uid, --home, and --shell. ++ This information is required by proftpd to authenticate a user. The optional ++ parameters for an AuthUserFile include --gid ++ (defaults to the given --uid argument when not provided) ++ and --gecos (not used by proftpd at all). For example: ++ ++ ftpasswd --passwd --name=bob --uid=1001 --home=/home/bob --shell=/bin/false ++ ++creates an account for user bob. ++ ++To create a file with a name or location other than the default ++ (which, for --passwd mode is /etc/proftpd/auth/passwd), use the --file option. 
++ ++For example, to create the alternate password file in /usr/local/etc/ftpd/passwd: ++ ++ ftpasswd --passwd --file=/usr/local/etc/ftpd/passwd --name=bob --uid=1001 \ ++ --home=/home/bob --shell=/bin/false ++ ++For AuthGroupFiles, use --group: ++ ++ ftpasswd --group --name=group-name --gid=group-id --member=user-member1 \ ++ --member=user-member2 ... --member=user-memberN ++ ++The most common change to these files is made to AuthUserFiles, to change ++ a user's password. The --change-password option was provided just for this scenario: ++ ++ ftpasswd --passwd --name=user --change-password ++ + END_OF_USAGE + + exit 0; diff --git a/proftpd-1.3.2a-basic.conf.patch b/proftpd-1.3.2a-basic.conf.patch new file mode 100644 index 0000000..2040530 --- /dev/null +++ b/proftpd-1.3.2a-basic.conf.patch 
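Review bot: The new `$default_group_file = "/etc/proftpd/auth/group"` does not match the group file the packaged configuration reads: the basic.conf patch in this same commit sets `AuthGroupFile /etc/group`, so groups created with `ftpasswd --group` and no `--file` would land in a file the server does not appear to consult. The added usage text also names the default only for `--passwd` mode. Either point `AuthGroupFile` at `/etc/proftpd/auth/group`, or document the group default next to the passwd one, e.g. `(which, for --group mode is /etc/proftpd/auth/group)`. The inner hunks are excerpts of ftpasswd, so how the script sets permissions on files it creates at the new default path is not visible here and is worth confirming, since that file holds password hashes.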
@@ -0,0 +1,257 @@ +diff -ruN proftpd-1.3.2a-orig/sample-configurations/basic.conf proftpd-1.3.2a/sample-configurations/basic.conf +--- proftpd-1.3.2a-orig/sample-configurations/basic.conf 2008-01-21 18:44:06.000000000 +0100 ++++ proftpd-1.3.2a/sample-configurations/basic.conf 2009-09-16 13:39:34.000000000 +0200 +@@ -3,19 +3,29 @@ + # and a single anonymous login. It assumes that you have a user/group + # "nobody" and "ftp" for normal operation and anon. + +-ServerName "ProFTPD Default Installation" +-ServerType standalone +-DefaultServer on ++ServerName "ProFTPD on @HOST@" ++ServerType standalone ++DefaultServer on + + # Port 21 is the standard FTP port. +-Port 21 ++Port 21 ++ ++# FireWall PortRange for PASV ++PassivePorts 40000 40999 ++ ++# Set DebugLevel to values between 0 and 9 ++# default is 0 ++DebugLevel 0 ++ ++# SystemLog -- Redirect syslogging to a file ++SystemLog /var/log/proftpd/proftpd.log + + # Don't use IPv6 support by default. +-UseIPv6 off ++UseIPv6 off + + # Umask 022 is a good standard umask to prevent new dirs and files + # from being group and world writable. +-Umask 022 ++Umask 022 + + # To prevent DoS attacks, set the maximum number of child processes + # to 30. If you need to allow more than 30 concurrent connections +@@ -23,43 +33,190 @@ + # in standalone mode, in inetd mode you should use an inetd server + # that allows you to limit maximum number of processes per service + # (such as xinetd). +-MaxInstances 30 ++MaxInstances 30 + + # Set the user and group under which the server will run. +-User nobody +-Group nogroup +- +-# To cause every FTP user to be "jailed" (chrooted) into their home +-# directory, uncomment this line. +-#DefaultRoot ~ ++User ftp ++Group ftp + +-# Normally, we want files to be overwriteable. 
+-AllowOverwrite on ++# Some logging formats ++LogFormat default "%h %l %u %t \"%r\" %s %b" ++LogFormat auth "%v [%P] %h %t \"%r\" %s" ++LogFormat write "%h %l %u %t \"%r\" %s %b" ++ ++# ------------------------------ ++# Global Settings ++# ------------------------------ ++ ++ ++ # ------------------------------ ++ # Login ++ # ------------------------------ ++ ++ ServerIdent on "FTP server ready" ++ DeferWelcome on ++ #DisplayConnect /etc/proftpd/msg ++ ++ IdentLookups off ++ UseFtpUsers off ++ RequireValidShell off ++ ++ TimeoutLogin 60 ++ MaxLoginAttempts 3 ++ #MaxClientsPerHost none ++ #MaxClientsPerUser 1 "Only one connection at a time." ++ ++ # ------------------------------ ++ # Authentication ++ # ------------------------------ ++ ++ ### PAM Authentication ++ # AuthPAM: default: on ++ AuthPAM off ++ ++ # changed AuthPAMConfig file ++ AuthPAMConfig proftpd ++ ### PAM Authentication ++ ++ AuthUserFile /etc/proftpd/auth/passwd ++ AuthGroupFile /etc/group ++ ++ ### order of auth modules ++ #AuthOrder mod_auth_unix.c mod_auth_file.c ++ AuthOrder mod_auth_file.c ++ ++ # ------------------------------ ++ # Post-Login ++ # ------------------------------ ++ ++ DisplayLogin welcome.msg ++ DisplayChdir .message ++ AllowOverride off ++ ++ TimeoutIdle 600 ++ TimeoutNoTransfer 900 ++ TimeoutStalled 300 ++ TimeoutSession 3600 ++ ++ # ------------------------------ ++ # Session ++ # ------------------------------ ++ ++ # To cause every FTP user to be "jailed" (chrooted) into their home ++ # directory, uncomment this line. 
++ DefaultRoot ~ web,!users ++ ++ DenyFilter \*.*/ ++ ListOptions "-A +R" strict ++ UseGlobbing off ++ ++ ShowSymlinks on ++ TimesGMT on ++ ++ # ------------------------------ ++ # Up- & Download ++ # ------------------------------ ++ ++ # having to delete before uploading is a pain ;) ++ AllowOverwrite on ++ AllowRetrieveRestart on ++ HiddenStores on ++ DeleteAbortedStores on ++ #AllowStoreRestart off # is contrary to "DeleteAbortedStores" ++ ++ # ------------------------------ ++ # Logging ++ # ------------------------------ ++ ++ WtmpLog off ++ TransferLog /var/log/proftpd/xferlog ++ ++ # Record all logins ++ ExtendedLog /var/log/proftpd/auth.log AUTH auth ++ ++ # Logging file/dir access ++ ExtendedLog /var/log/proftpd/access.log WRITE,READ write ++ ++ # Paranoia logging level.... ++ ExtendedLog /var/log/proftpd/paranoid.log ALL default ++ ++ # SQLLogFile ++ #SQLLogFile /var/log/proftpd/SQL.log ++ + + # Bar use of SITE CHMOD by default + + DenyAll + + ++##### ++# Include other confs ++#Include /etc/proftpd/conf.d/*.conf ++ ++##### ++ ++# ------------------------------ ++# Anonymous Settings ++# ------------------------------ + # A basic anonymous configuration, no upload directories. If you do not + # want anonymous users, simply delete this entire section. + +- User ftp +- Group ftp +- +- # We want clients to be able to login with "anonymous" as well as "ftp" +- UserAlias anonymous ftp +- +- # Limit the maximum number of anonymous logins +- MaxClients 10 +- +- # We want 'welcome.msg' displayed at login, and '.message' displayed +- # in each newly chdired directory. 
+- DisplayLogin welcome.msg +- DisplayChdir .message +- +- # Limit WRITE everywhere in the anonymous chroot +- +- DenyAll +- ++ # Limit LOGIN ++ # ++ # Order Allow,Deny ++ # Allow from .examples.net,113.141.114.1 ++ # Deny from All ++ # ++ ++ # Limit WRITE everywhere in the anonymous chroot ++ ++ DenyAll ++ ++ ++ # LoginPasswordPrompt -- Configure to display the passwort prompt or not ++ LoginPasswordPrompt off ++ ++ # DirFakeMode -- Hide real file/directory permissions ++ DirFakeMode 0640 ++ ++ # DirFakeUser -- Hide real file/directory owner ++ DirFakeUser On ++ ++ # DirFakeGroup -- Hide real file/directory group ++ DirFakeGroup On ++ ++ # We want clients to be able to login with "anonymous" as well as "ftp" ++ UserAlias anonymous ftp ++ ++ # Limit the maximum number of anonymous logins ++ MaxClients 10 ++ #MaxRetrieveFileSize 512 Mb ++ ++ # Limit Up/Downloads to 255 K/sec ++ #TransferRate APPE,RETR,STOR,STOU 255 ++ ++ # We want 'welcome.msg' displayed at login, and '.message' displayed ++ # in each newly chdired directory. ++ DisplayLogin welcome.msg ++ DisplayChdir .message ++ ++ # ++ # ++ # Order Allow,Deny ++ # Allow from .examples.net,113.141.114.1 ++ # Deny from All ++ # ++ # ++ ++ # An upload directory that allows storing files but not retrieving ++ # or creating directories. ++ # ++ # ++ DenyAll ++ # ++ # ++ AllowAll ++ # ++ # + ++ diff --git a/proftpd-1.3.3-dist.patch b/proftpd-1.3.3-dist.patch new file mode 100644 index 0000000..ebda64c --- /dev/null +++ b/proftpd-1.3.3-dist.patch 
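Review bot: The comment kept above `DefaultRoot ~ web,!users` still says the line jails every FTP user, but the directive as written chroots only members of group `web` who are not also in `users`; any other account authenticated through `AuthUserFile` is left unconfined. If a full jail is intended the line should be `DefaultRoot ~`. If the group restriction is deliberate, the comment should say so, for example `# Chroot members of group "web" (unless also in "users") into their home directory; all other users are NOT chrooted.` With `RequireValidShell off` and file-based accounts configured in the same block, an unjailed default is easy to miss when someone adopts this sample as-is.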
@@ -0,0 +1,88 @@ +diff -Nur proftpd-1.3.3rc3.orig/contrib/dist/rpm/ftp.pamd proftpd-1.3.3rc3/contrib/dist/rpm/ftp.pamd +--- proftpd-1.3.3rc3.orig/contrib/dist/rpm/ftp.pamd 2007-10-04 04:25:03.000000000 +0200 ++++ proftpd-1.3.3rc3/contrib/dist/rpm/ftp.pamd 2010-02-09 14:40:29.198747815 +0100 +@@ -1,6 +1,7 @@ + #%PAM-1.0 ++ + auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +-auth required pam_unix.so shadow nullok ++#auth required pam_unix.so shadow nullok + + # If this is enabled, anonymous logins will fail because the 'ftp' user does + # not have a "valid" shell, as listed in /etc/shells. +@@ -11,5 +12,8 @@ + # + #auth required pam_shells.so + +-account required pam_unix.so +-session required pam_unix.so ++auth required pam_unix2.so ++auth required pam_shells.so ++account required pam_unix2.so ++password required pam_unix2.so ++session required pam_unix2.so +diff -Nur proftpd-1.3.3rc3.orig/contrib/dist/rpm/proftpd.logrotate proftpd-1.3.3rc3/contrib/dist/rpm/proftpd.logrotate +--- proftpd-1.3.3rc3.orig/contrib/dist/rpm/proftpd.logrotate 2009-05-27 18:14:24.000000000 +0200 ++++ proftpd-1.3.3rc3/contrib/dist/rpm/proftpd.logrotate 2010-02-09 14:41:59.734217959 +0100 +@@ -1,7 +1,31 @@ +-/var/log/xferlog { +- missingok +- notifempty +- postrotate +- kill -HUP `cat /var/run/proftpd.pid 2>/dev/null` 2>/dev/null || true +- endscript +-} ++/var/log/proftpd/xferlog /var/log/proftpd/proftpd.log { ++ compress ++ dateext ++ maxage 365 ++ rotate 99 ++ size=+4096k ++ notifempty ++ missingok ++ create 640 root root ++ sharedscripts ++ postrotate ++ /etc/init.d/proftpd reload ++ #/etc/init.d/xinetd reload ++ endscript ++ } ++ ++#/var/log/proftpd/access.log /var/log/proftpd/auth.log /var/log/proftpd/paranoid.log { ++# compress ++# dateext ++# maxage 365 ++# rotate 99 ++# size=+4096k ++# notifempty ++# missingok ++# create 640 root root ++# sharedscripts ++# postrotate ++# /etc/init.d/proftpd reload ++# #/etc/init.d/xinetd reload ++# endscript ++#} 
+diff -Nur proftpd-1.3.3rc3.orig/contrib/dist/rpm/xinetd proftpd-1.3.3rc3/contrib/dist/rpm/xinetd +--- proftpd-1.3.3rc3.orig/contrib/dist/rpm/xinetd 2003-08-28 02:33:27.000000000 +0200 ++++ proftpd-1.3.3rc3/contrib/dist/rpm/xinetd 2010-02-09 14:40:29.198747815 +0100 +@@ -2,11 +2,15 @@ + # description: The ProFTPD FTP server + service ftp + { +- flags = REUSE + socket_type = stream ++ protocol = tcp + wait = no ++# bind = IP ++ instances = 30 + user = root + server = /usr/sbin/proftpd +- log_on_failure += USERID +- disable = no ++ log_on_success += PID HOST USERID EXIT DURATION ++ log_on_failure += HOST USERID ATTEMPT ++# nice = 10 ++ disable = yes + } +I file proftpd-1.3.3rc3.orig/.ltmain.sh.rej.swp e proftpd-1.3.3rc3/.ltmain.sh.rej.swp sono diversi diff --git a/proftpd-1.3.3-strip.patch b/proftpd-1.3.3-strip.patch new file mode 100644 index 0000000..6964812 --- /dev/null +++ b/proftpd-1.3.3-strip.patch @@ -0,0 +1,15 @@ +diff -Nur proftpd-1.3.3rc3.orig/ltmain.sh proftpd-1.3.3rc3/ltmain.sh +--- proftpd-1.3.3rc3.orig/ltmain.sh 2009-11-17 19:26:43.000000000 +0100 ++++ proftpd-1.3.3rc3/ltmain.sh 2010-02-11 13:37:15.000000000 +0100 +@@ -2056,7 +2056,10 @@ + ;; + esac + if test -n "$tstripme" && test -n "$striplib"; then +- func_show_eval "$striplib $destdir/$realname" 'exit $?' ++ #func_show_eval "$striplib $destdir/$realname" 'exit $?' ++ echo "strip patch" ++ func_quote_for_expand "$striplib $destdir/$realname" ++ func_echo $func_quote_for_expand_result + fi + + if test "$#" -gt 0; then diff --git a/proftpd-1.3.3e.tar.bz2 b/proftpd-1.3.3e.tar.bz2 new file mode 100644 index 0000000..b119ac2 --- /dev/null +++ b/proftpd-1.3.3e.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f6c65fe9fea6577ac309f4e9e36c80def271fa5c91c4053fb0758824506127b6 +size 4180369 diff --git a/proftpd.changes b/proftpd.changes new file mode 100644 index 0000000..15d4a2a --- /dev/null +++ b/proftpd.changes 
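Review bot: The new logrotate stanza covers only `/var/log/proftpd/xferlog` and `/var/log/proftpd/proftpd.log`, while the stanza for `access.log`, `auth.log` and `paranoid.log` is added commented out. The basic.conf patch in this same commit enables all three as `ExtendedLog` targets, including `paranoid.log ALL default`, so on a default install those files would grow with no rotation or `maxage`, presumably until the log partition fills and the login audit trail stops being written. Uncommenting the second stanza, or adding the three paths to the first, would close the gap. Separately, the line `I file proftpd-1.3.3rc3.orig/.ltmain.sh.rej.swp e proftpd-1.3.3rc3/.ltmain.sh.rej.swp sono diversi` at the end of the patch is localized `diff` output about an editor swap file, not patch content, and should be dropped.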
@@ -0,0 +1,237 @@ +------------------------------------------------------------------- +Fri Apr 8 22:08:55 UTC 2011 - chris@computersalat.de + +- update to 1.3.3e + + Display messages work properly again. + + Fixes plaintext command injection vulnerability in FTPS implementation + (i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for + details. + + Fixes CVE-2011-1137 (badly formed SSH messages cause DoS). See + http://bugs.proftpd.org/show_bug.cgi?id=3586 for details. + + Performance improvements, especially during server startup/restarts. + +------------------------------------------------------------------- +Sun Jan 30 20:40:10 UTC 2011 - chris@computersalat.de + +- update to 1.3.3d + + Fixed sql_prepare_where() buffer overflow (Bug#3536) + + Fixed CPU spike when handling .ftpaccess files. + + Fixed handling of SFTP uploads when compression is used. + +------------------------------------------------------------------- +Fri Oct 22 03:26:10 UTC 2010 - mseben@gmail.com + +- update to 1.3.3c + + Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925) + + Fixed directory traversal bug in mod_site_misc + + Fixed SQLite authentications using "SQLAuthType Backend" + +------------------------------------------------------------------- +Fri Oct 22 17:49:06 UTC 2010 - chris@computersalat.de + +- clenaup spec +- fix doc pkg + o should not provide pkgconfig + +------------------------------------------------------------------- +Fri Oct 15 14:13:43 UTC 2010 - chris@computersalat.de + +- update to 1.3.3b + + Fixed SFTP directory listing bug + + Avoid corrupting utmpx databases on FreeBSD + + Avoid null pointer dereferences during data transfers + + Fixed "AuthAliasOnly on" anonymous logins +- rpmlint: no-pkg-config-provides + o add BuildReq pkg-config +- removed changes from spec + +------------------------------------------------------------------- +Wed Jul 7 14:17:45 UTC 2010 - chris@computersalat.de + +- update to 1.3.3a + + Added Japanese translation + 
+ Many mod_sftp bugfixes + + Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later + + Fixed handling of utmp/utmpx format changes on FreeBSD +- rpmlint: self-obsoletion + +------------------------------------------------------------------- +Wed May 5 14:01:02 UTC 2010 - mseben@novell.com + +- fix build : dir-or-file-in-var-run badness : /var/run/proftpd dir + is marked as ghost and it is created in init script now + +------------------------------------------------------------------- +Fri Apr 9 15:44:32 UTC 2010 - mseben@novell.com + +- added ncurses-devel to buildrequires to fix ftptop message : "no + curses or ncurses library on this system" + +------------------------------------------------------------------- +Fri Feb 26 16:01:47 UTC 2010 - chris@computersalat.de + +- added info for "STABLE" versions only + +------------------------------------------------------------------- +Thu Feb 25 00:14:20 UTC 2010 - chris@computersalat.de + +- update to 1.3.3 + o Fixed mod_ban whitelisting using mod_ifsession. + o Fixed per-user/group/class "HideFiles none" configurations. + - 1.3.3rc4 + o Fixed mod_tls compilation using OpenSSL installations older + than 0.9.7. + o Fixed mod_sftp compilation on AIX. + o Fixed RADIUS authentication on 64-bit platforms + o Fixed memory leak in SCP downloads. + o New configuration directives + SQLPasswordUserSalt + The SQLPasswordUserSalt directive can be used to configure + per-user salt data to be added to the encrypted password + for a user. The salt can be the user name, or it can be + the result of a SQL query. More information can be found in + doc/contrib/mod_sql_passwd.html#SQLPasswordUserSalt. 
+ +------------------------------------------------------------------- +Wed Feb 10 16:10:32 CET 2010 - diego.ercolani@gmail.com + +- update to 1.3.3rc3 +- try to be compatible with osc :-) + +------------------------------------------------------------------- +Sun Dec 20 19:39:10 UTC 2009 - chris@computersalat.de + +- update to 1.3.2c + o Bug and regression fixes. +- removed obsolete CVE patch + +------------------------------------------------------------------- +Mon Oct 26 12:35:29 UTC 2009 - mseben@novell.com + +- fixed CVE-2009-3639 : mod_tls security issue (bnc#549740) + +------------------------------------------------------------------- +Wed Sep 16 18:17:04 UTC 2009 - alexandre@exatati.com.br + +- Update tarball to its upstream version without + bzipped patch; +- Removed blank spaces at enf of lines on spec file; +- Replaced tab characters on spec file. + +------------------------------------------------------------------- +Wed Sep 16 11:20:20 UTC 2009 - chris@computersalat.de + +- update to 1.3.2 (1.3.2a) + o many bugfixes, read ChangeLog or NEWS + o include 1.3.2a upstream patch + o removed old patches + * proftpd-1.3.1-umode_t.patch + * proftpd-1.3.1-O_CREAT.patch + * proftpd-1.3.1-libcap.patch + * proftpd-1.3.1-CVE-2009-0542.patch + * proftpd-1.3.1-CVE-2009-0543.patch + o reworked basic.conf.patch +- spec mods + o removed ^#----- + o removed {rel} + o clean + * rm -rf RPM_BUILD_ROOT + o added sub sqlite +- fixed deps + o BuildRequires: sqlite3-devel unixODBC-devel +- rpmlint + o description-shorter-than-summary + o source-or-patch-not-bzipped proftpd-1.3.2a.patch + +------------------------------------------------------------------- +Tue Jul 7 22:21:50 CEST 2009 - chris@computersalat.de + +- added proftpd.passwd + o it is an initial passwd for virtuser and + anonymous login works well with it :) + +------------------------------------------------------------------- +Mon Jul 6 22:16:46 CEST 2009 - chris@computersalat.de + +- added ftpasswd.patch +- rework 
of basic.conf patch +- removed README.AIX + +------------------------------------------------------------------- +Thu Apr 16 01:54:23 CEST 2009 - chris@computersalat.de + +- added basic.conf patch +- added dist.patch + o fix for xinetd, logrotate, pam +- some more subpackages + o ldap, mysql, pgsql, radius +- added ftpasswd for simple virtuser support +- added auth DIR /etc/proftpd/auth + o passwd for virtuser +- added conf.d DIR /etc/proftpd/conf.d + o configs for inclusion +- added log DIR /var/log/proftpd +- beautify init file +- beautify spec file + +------------------------------------------------------------------- +Wed Feb 18 10:40:55 CET 2009 - mseben@suse.cz + +- added proftpd.conf with uploads section + +------------------------------------------------------------------- +Fri Feb 13 16:55:01 CET 2009 - mseben@suse.cz + +- fixed sql injection vulnerability which allows remote attackers + to execute arbitrary SQL commands via a "%" character + CVE-2009-0542.patch (bnc#475316) +- fixed vulnerability which allows remote attackers to bypass SQL + injection protection mechanisms via invalid, encoded multibyte + characters CVE-2009-0543.patch (bnc#475316) + +------------------------------------------------------------------- +Mon Jan 26 14:19:45 CET 2009 - mseben@suse.cz + +- splitted HTML doc to proftpd-doc +- added %post and %postun macro to spec + +------------------------------------------------------------------- +Thu Jan 22 13:58:33 CET 2009 - mseben@suse.cz + +- fixed missing third argument in open function (*-O_CREAT.patch) +- disabled striping libraries (*-no_strip.patch) +- fixed configure script (*-umode_t.patch) +- added -DLDAP_DEPRECATED to CFLAGS because of deprecated ldap_init + function +- disabled contrib scripts for now +- fixed handling _LINUX_CAPABILITY_VERSION on newer linux kernel. 
+ (proftpd-*-libcap.patch) + +------------------------------------------------------------------- +Wed Aug 20 12:43:56 CEST 2008 - mrueckert@suse.de + +- disabled debugging stuff for now + +------------------------------------------------------------------- +Fri Oct 19 11:58:42 CEST 2007 - mrueckert@suse.de + +- enabled missing modules (mod_ban,mod_wrap2*,mod_quota_radius) + and replaced the hardcoded value for --with-shared with a + dynamically generated list + +------------------------------------------------------------------- +Sat Oct 6 03:42:39 CEST 2007 - mrueckert@suse.de + +- update to 1.3.1: + Many bugfixes and new features like dynamic blacklisting of + clients, improved SQL handling, and quotas. +- added --enable-devel=coredump,nodaemon,nofork +- added devel subpackage for the headers + +------------------------------------------------------------------- +Wed Nov 29 04:11:44 CET 2006 - mrueckert@suse.de + +- update to 1.3.0a: + fixes a remote code execution. CVE-2006-5815 + (http://bugs.proftpd.org/show_bug.cgi?id=2858) + diff --git a/proftpd.conf b/proftpd.conf new file mode 100644 index 0000000..0ae93d3 --- /dev/null +++ b/proftpd.conf 
@@ -0,0 +1,71 @@ +# This sample configuration file illustrates configuring two +# anonymous directories, and a guest (same thing as anonymous but +# requires a valid password to login) + +ServerName "ProFTPD Anonymous Server" +ServerType standalone +DefaultServer on + +# Port 21 is the standard FTP port. +Port 21 + +# If you don't want normal users logging in at all, uncomment this +# next section +# +# DenyAll +# + +# Set the user and group that the server normally runs at. +User nobody +Group nogroup + +# To prevent DoS attacks, set the maximum number of child processes +# to 30. If you need to allow more than 30 concurrent connections +# at once, simply increase this value. Note that this ONLY works +# in standalone mode, in inetd mode you should use an inetd server +# that allows you to limit maximum number of processes per service +# (such as xinetd) +MaxInstances 30 + +# Set the maximum number of seconds a data connection is allowed +# to "stall" before being aborted. +TimeoutStalled 300 + +# We want 'welcome.msg' displayed at login, and '.message' displayed +# in each newly chdired directory. +DisplayLogin welcome.msg +DisplayChdir .message + +# Our "basic" anonymous configuration + + + # Allow logins if they are disabled above. + + AllowAll + + + # Maximum clients with message + MaxClients 5 "Sorry, max %m users -- try again later" + + User ftp + Group ftp + # We want clients to be able to login with "anonymous" as well as "ftp" + UserAlias anonymous ftp + + # Limit WRITE everywhere in the anonymous chroot + + DenyAll + + + # An upload directory that allows storing files but not retrieving + # or creating directories. + # + # + # DenyAll + # + # + # + # AllowAll + # + # + diff --git a/proftpd.init b/proftpd.init new file mode 100644 index 0000000..70a1f79 --- /dev/null +++ b/proftpd.init 
@@ -0,0 +1,222 @@ +#! /bin/sh +# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany. +# All rights reserved. +# +# Author: Kurt Garloff +# Please send feedback to http://www.suse.de/feedback/ +# +# /etc/init.d/proftpd +# and its symbolic link +# /(usr/)sbin/rcproftpd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +### BEGIN INIT INFO +# Provides: proftpd +# Required-Start: $syslog $remote_fs +# Should-Start: $time ypbind sendmail +# Required-Stop: $syslog $remote_fs +# Should-Stop: $time ypbind sendmail +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: ProFTPD daemon +# Description: Start ProFTPD to allow XY and provide YZ +### END INIT INFO +# +# Note on runlevels: +# 0 - halt/poweroff 6 - reboot +# 1 - single user 2 - multiuser without network exported +# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) +# +# Note on script names: +# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html +# A registry has been set up to manage the init script namespace. +# http://www.lanana.org/ +# Please use the names already registered or register one or use a +# vendor prefix. 
+ + +# Check for missing binaries (stale symlinks should not happen) +# Note: Special treatment of stop for LSB conformance +PROFTPD_BIN=/usr/sbin/proftpd +test -x $PROFTPD_BIN || { echo "$PROFTPD_BIN not installed"; + if [ "$1" = "stop" ]; then exit 0; + else exit 5; fi; } + +PROFTPD_RUNDIR=/var/run/proftpd +# Check for existence of needed config file and read it +#PROFTPD_CONFIG=/etc/sysconfig/proftpd +#test -r $PROFTPD_CONFIG || { echo "$PROFTPD_CONFIG not existing"; +# if [ "$1" = "stop" ]; then exit 0; +# else exit 6; fi; } +# +# Read config +#. $PROFTPD_CONFIG + +# Source LSB init functions +# providing start_daemon, killproc, pidofproc, +# log_success_msg, log_failure_msg and log_warning_msg. +# This is currently not used by UnitedLinux based distributions and +# not needed for init scripts for UnitedLinux only. If it is used, +# the functions from rc.status should not be sourced or used. +#. /lib/lsb/init-functions + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v be verbose in local rc status and clear it afterwards +# rc_status -v -r ditto and clear both the local and overall rc status +# rc_status -s display "skipped" and exit with status 3 +# rc_status -u display "unused" and exit with status 3 +# rc_failed set local and overall rc status to failed +# rc_failed set local and overall rc status to +# rc_reset clear both the local and overall rc status +# rc_exit exit appropriate to overall rc status +# rc_active checks whether a service is activated by symlinks +. /etc/rc.status + +# Reset status of this service +rc_reset + +# Return values acc. to LSB for all commands but status: +# 0 - success +# 1 - generic or unspecified error +# 2 - invalid or excess argument(s) +# 3 - unimplemented feature (e.g. 
"reload") +# 4 - user had insufficient privileges +# 5 - program is not installed +# 6 - program is not configured +# 7 - program is not running +# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) +# +# Note that starting an already running service, stopping +# or restarting a not-running service as well as the restart +# with force-reload (in case signaling is not supported) are +# considered a success. + +case "$1" in + start) + if [ ! -d $PROFTPD_RUNDIR ]; then + mkdir -p $PROFTPD_RUNDIR + fi + echo -n "Starting proftpd " + ## Start daemon with startproc(8). If this fails + ## the return value is set appropriately by startproc. + /sbin/startproc $PROFTPD_BIN + + # Remember status and be verbose + rc_status -v + ;; + stop) + echo -n "Shutting down proftpd " + ## Stop daemon with killproc(8) and if this fails + ## killproc sets the return value according to LSB. + /sbin/killproc -TERM $PROFTPD_BIN + + # Remember status and be verbose + rc_status -v + ;; + try-restart|condrestart) + ## Do a restart only if the service was active before. + ## Note: try-restart is now part of LSB (as of 1.9). + ## RH has a similar command named condrestart. + if test "$1" = "condrestart"; then + echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" + fi + $0 status + if test $? = 0; then + $0 restart + else + rc_reset # Not running is not a failure. + fi + + # Remember status and be quiet + rc_status + ;; + restart) + ## Stop the service and regardless of whether it was + ## running or not, start it again. + $0 stop + $0 start + + # Remember status and be quiet + rc_status + ;; + force-reload) + echo -n "Reload service proftpd " + ## Signal the daemon to reload its config. Most daemons + ## do this on signal 1 (SIGHUP). + ## If it does not support it, restart the service if it + ## is running. 
+ # if it supports it: + /sbin/killproc -HUP $PROFTPD_BIN + #touch /var/run/proftpd.pid + + # Remember status and be verbose + rc_status -v + + ## Otherwise: + #$0 try-restart + #rc_status + ;; + reload) + echo -n "Reload service proftpd " + ## Like force-reload, but if daemon does not support + ## signaling, do nothing (!) + # If it supports signaling: + /sbin/killproc -HUP $PROFTPD_BIN + #touch /var/run/proftpd.pid + + # Remember status and be verbose + rc_status -v + + ## Otherwise if it does not support reload: + #rc_failed 3 + #rc_status -v + ;; + status) + echo -n "Checking for service proftpd " + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + # Return value is slightly different for the status command: + # 0 - service up and running + # 1 - service dead, but /var/run/ pid file exists + # 2 - service dead, but /var/lock/ lock file exists + # 3 - service not running (unused) + # 4 - service status unknown :-( + # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) + + # NOTE: checkproc returns LSB compliant status values. + /sbin/checkproc $PROFTPD_BIN + # NOTE: rc_status knows that we called this init script with + # "status" option and adapts its messages accordingly. + + # Remember status and be verbose + rc_status -v + ;; + probe) + ## Optional: Probe for the necessity of a reload, print out the + ## argument to this init script which is required for a reload. + ## Note: probe is not (yet) part of LSB (as of 1.9) + + test /etc/proftpd/proftpd.conf -nt $PROFTPD_RUNDIR/proftpd.pid && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" + exit 1 + ;; +esac +rc_exit diff --git a/proftpd.passwd b/proftpd.passwd new file mode 100644 index 0000000..62e7dd6 --- /dev/null +++ b/proftpd.passwd @@ -0,0 +1 @@ +ftp:$1$Qirpijna$Z9ocX/jIH/kpBppMFyI451:49:49::/srv/ftp:/bin/false 
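Review bot: The `### BEGIN INIT INFO` header of proftpd.init still carries skeleton placeholders, `# Description: Start ProFTPD to allow XY and provide YZ` and `# Should-Start: $time ypbind sendmail`, which end up in the installed service metadata. Suggested: `# Description: Start the ProFTPD FTP server`, with `Should-Start`/`Should-Stop` trimmed to services the daemon actually depends on. The `probe` branch compares the configuration against `$PROFTPD_RUNDIR/proftpd.pid`, while the commented `touch` lines refer to `/var/run/proftpd.pid`, and no PidFile setting is visible in the shipped configuration. Confirm which path the daemon writes, because a missing pid file would make `probe` give the same answer regardless of whether a reload is needed.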
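Review bot: `proftpd.passwd` ships a fixed `$1$` (MD5-crypt) password hash for the `ftp` account, so every installation would start with the same credential and the hash is public in the package source. The changelog describes the file as an initial passwd so that anonymous login works; if that is its only purpose, a locked password field should be enough, e.g. `ftp:*:49:49::/srv/ftp:/bin/false` (constructed example; verify that anonymous login still resolves the account). The spec's install section is outside this view, so confirm where the file lands. If it is installed as `/etc/proftpd/auth/passwd`, give it a restrictive mode, since basic.conf sets `AuthOrder mod_auth_file.c` and that file becomes the only authentication source.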
diff --git a/proftpd.spec b/proftpd.spec
new file mode 100644
index 0000000..9c34c73
--- /dev/null
+++ b/proftpd.spec
@@ -0,0 +1,267 @@
+#
+# spec file for package proftpd
+#
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+
+Name: proftpd
+Summary: Highly configurable GPL-licensed FTP server software
+# Please save your time and do not update to "rc" versions.
+# We only accept updates for "STABLE" Versions
+Version: 1.3.3e
+Release: 1
+License: GPL
+Group: Productivity/Networking/Ftp/Servers
+Autoreqprov: on
+Url: http://www.proftpd.org/
+Source: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.bz2
+Source1: %{name}.init
+Source2: %{name}.passwd
+#PATCH-FIX-UPSTREAM CVE-2009-3639 fix mod_tls security issue (bnc#549740)
+Patch100: %{name}-1.3.3-dist.patch
+Patch101: %{name}-1.3.2a-basic.conf.patch
+Patch102: %{name}-1.3.1-ftpasswd.patch
+Patch103: %{name}-1.3.3-strip.patch
+#
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: pkg-config
+BuildRequires: krb5-devel libacl-devel libattr-devel mysql-devel
+BuildRequires: openldap2-devel openssl-devel pam-devel postgresql-devel
+BuildRequires: sqlite3-devel unixODBC-devel
+BuildRequires: tcpd-devel ncurses-devel
+Requires: logrotate
+
+
+%description
+ProFTPD is a highly configurable FTP daemon for Unix and Unix-like
+operating systems. See the README.ports file for more details about
+the platforms on which ProFTPD in known or thought to build and run.
+
+ Authors:
+ Jesse Sipprell
+ Original proftpd author and former project co-maintainer
+ Habeeb J. Dihu
+ Original mod_pam author and former project co-maintainer
+ Mark Lowes
+ Head documentation hacker and webmaster
+ TJ Saunders
+ ProFTPD developer, current maintainer
+ John Morrissey
+ ProFTPD developer
+ Charles Seeger
+ ProFTPD developer
+ Daniel Roesen
+ RPM packaging maintainer
+ Andrew Houghton
+ SQL support maintainer
+
+%package ldap
+Summary: LDAP Module for ProFTPD
+Group: Productivity/Networking/Ftp/Servers
+Requires: %{name} = %{version}
+
+%description ldap
+This is the LDAP Module for ProFTPD
+
+
+%package mysql
+Summary: MySQL Module for ProFTPD
+Group: Productivity/Networking/Ftp/Servers
+Requires: %{name} = %{version}
+
+%description mysql
+This is the MySQL Module for ProFTPD
+
+
+%package pgsql
+Summary: PostgreSQL Module for ProFTPD
+Group: Productivity/Networking/Ftp/Servers
+Requires: %{name} = %{version}
+
+%description pgsql
+This is the PostgreSQL Module for ProFTPD
+
+
+%package radius
+Summary: Radius Module for ProFTPD
+Group: Productivity/Networking/Ftp/Servers
+Requires: %{name} = %{version}
+
+%description radius
+This is the Radius Module for ProFTPD
+
+
+%package sqlite
+Summary: SQLite Module for ProFTPD
+Group: Productivity/Networking/Ftp/Servers
+Requires: %{name} = %{version}
+
+%description sqlite
+This is the SQLite Module for ProFTPD
+
+
+%package devel
+Summary: Development files for ProFTPD
+Group: Development/Libraries/C and C++
+Requires: %{name} = %{version}
+
+%description devel
+This package contains Development files for ProFTPD
+
+
+%package doc
+Summary: Documentation for ProFTPD
+Group: Documentation/HTML
+Requires: %{name} = %{version}
+
+%description doc
+Here are Documentation for ProFTPD
+
+
+%prep
+%setup -q
+%{__rm} README.AIX
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
+%patch103 -p1
+
+%build
+PROFTPD_SHARED_MODS="$(for spec_mod in mod_load $(find contrib -name mod_\*.c); do echo "$(basename
${spec_mod%%.c})"; done | tr '\n' ':' | sed -e 's|:$||')"
+export CFLAGS="$RPM_OPT_FLAGS -DLDAP_DEPRECATED"
+export CXXFLAGS="$CFLAGS"
+%configure \
+ --bindir=%{_sbindir} \
+ --libexecdir=%{_libdir}/%{name} \
+ --sysconfdir=%{_sysconfdir}/%{name} \
+ --localstatedir=%{_localstatedir}/run/%{name} \
+ --enable-sendfile \
+ --enable-ipv6 \
+ --enable-ctrls \
+ --enable-facl \
+ --enable-dso \
+ --with-includes="%{_includedir}/mysql:%{_includedir}/pgsql" \
+ --with-shared="${PROFTPD_SHARED_MODS}"
+
+%{__make} %{?_smp_mflags}
+
+%install
+%makeinstall INSTALL_USER=`id -un` INSTALL_GROUP=`id -gn`
+%{__install} -D -m 0644 contrib/dist/rpm/ftp.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/%{name}
+%{__install} -D -m 0644 contrib/dist/rpm/xinetd $RPM_BUILD_ROOT%{_sysconfdir}/xinetd.d/%{name}
+%{__install} -D -m 0644 contrib/dist/rpm/%{name}.logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/%{name}
+%{__install} -D -m 0755 %{S:1} $RPM_BUILD_ROOT%{_sysconfdir}/init.d/%{name}
+%{__ln_s} -f %{_sysconfdir}/init.d/%{name} $RPM_BUILD_ROOT%{_sbindir}/rc%{name}
+#
+%{__rm} -fv $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la}
+
+# install ftpasswd
+%{__install} -D -m 0755 contrib/ftpasswd $RPM_BUILD_ROOT%{_sbindir}/
+
+# some needed dirs
+%{__install} -d $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/{conf.d,auth}
+%{__install} -m 0644 %{S:2} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd
+%{__install} -d -m 0750 $RPM_BUILD_ROOT/var/log/%{name}
+
+
+%pre
+# on `rpm -ivh` PARAM is 1
+# on `rpm -Uvh` PARAM is 2
+#if [ "$1" = "1" ]; then
+
+%preun
+# on `rpm -e` PARAM is 0
+%stop_on_removal proftpd
+
+%post
+# on `rpm -ivh` PARAM is 1
+# on `rpm -Uvh` PARAM is 2
+if [ "$1" = "1" ]; then
+ #%{__sed} -i "s,\(.*disable.*=\ \)no,\1yes," %{_sysconfdir}/xinetd.d/%{name}
+ %{__sed} -i -e "s/@HOST@/$(hostname -s)/" %{_sysconfdir}/%{name}/%{name}.conf
+fi
+%{fillup_and_insserv -f proftpd}
+
+%postun
+# on `rpm -e` PARAM is 0
+if [ "$1" = "0" ]; then
+ %{insserv_cleanup}
+fi
+%restart_on_update proftpd
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+%doc COPYING CREDITS ChangeLog INSTALL NEWS README* RELEASE_NOTES
+%doc contrib/README.*
+#%doc contrib/xferstats.holger-preiss*
+#%doc contrib/ftpasswd contrib/ftpquota
+%doc sample-configurations/*.conf
+%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/
+%dir %attr(0750,ftp,ftp) %{_sysconfdir}/%{name}/auth/
+%config(noreplace) %attr(0644,root,ftp) %{_sysconfdir}/%{name}/auth/passwd
+%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d
+%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%config(noreplace) %{_sysconfdir}/pam.d/%{name}
+%config(noreplace) %{_sysconfdir}/xinetd.d/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}/blacklist.dat
+%config(noreplace) %{_sysconfdir}/%{name}/dhparams.pem
+%{_sysconfdir}/init.d/%{name}
+%dir %attr(0750,ftp,ftp) %{_localstatedir}/log/%{name}
+%ghost %{_localstatedir}/run/%{name}
+%{_sbindir}/*
+%{_mandir}/man?/*
+%dir %attr(0755,root,root) %{_libdir}/%{name}/
+%{_libdir}/%{name}/*.so
+%exclude %{_libdir}/%{name}/mod_ldap.so
+%exclude %{_libdir}/%{name}/mod_sql_mysql.so
+%exclude %{_libdir}/%{name}/mod_sql_postgres.so
+%exclude %{_libdir}/%{name}/mod_radius.so
+%exclude %{_libdir}/%{name}/mod_sql_sqlite.so
+
+%files ldap
+%defattr(-,root,root,-)
+%{_libdir}/%{name}/mod_ldap.so
+
+%files mysql
+%defattr(-,root,root,-)
+%{_libdir}/%{name}/mod_sql_mysql.so
+
+%files pgsql
+%defattr(-,root,root,-)
+%{_libdir}/%{name}/mod_sql_postgres.so
+
+%files radius
+%defattr(-,root,root,-)
+%{_libdir}/%{name}/mod_radius.so
+
+%files sqlite
+%defattr(-,root,root,-)
+%{_libdir}/%{name}/mod_sql_sqlite.so
+
+%files devel
+%defattr(-,root,root,-)
+%{_includedir}/%{name}
+%{_libdir}/pkgconfig/%{name}.pc
+
+%files doc
+%defattr(-,root,root,-)
+%doc doc/*.html doc/contrib doc/howto doc/modules
+
+%changelog
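Review bot: The `%files` list makes the `auth/` directory owned by `ftp:ftp` and the password file mode 0644, so the unprivileged service account can write to the directory that holds the credential database. Anyone who can enter that directory can also read the hashes. A process running as `ftp` could rename or replace `passwd` there even though the file itself is root-owned. Unless the daemon has to write in that directory (not visible in this commit), I would use `%dir %attr(0750,root,ftp) %{_sysconfdir}/%{name}/auth/` and `%config(noreplace) %attr(0640,root,ftp) %{_sysconfdir}/%{name}/auth/passwd`, with the matching `%install` line changed to `-m 0640`. Separately, the `#PATCH-FIX-UPSTREAM CVE-2009-3639` comment sits directly above `Patch100: %{name}-1.3.3-dist.patch`, whose name does not suggest a mod_tls fix; if the CVE patch was dropped, the comment should go too so nobody reads the CVE as patched by this package.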