diff --git a/proftpd-AllowChrootSymlinks.patch b/proftpd-AllowChrootSymlinks.patch
new file mode 100644
index 0000000..de583a2
--- /dev/null
+++ b/proftpd-AllowChrootSymlinks.patch
@@ -0,0 +1,125 @@
+commit ecff21e0d0e84f35c299ef91d7fda088e516d4ed
+Author: TJ Saunders
+Date: Mon Mar 6 08:31:29 2017 -0800
+
+ Backporting recursive handling of DefaultRoot path, when AllowChrootSymlinks
+ is off, to 1.3.5 branch. (CVE-2017-7418)
+
+diff --git a/modules/mod_auth.c b/modules/mod_auth.c
+index 386576162..410215979 100644
+--- a/modules/mod_auth.c
++++ b/modules/mod_auth.c
+@@ -2,7 +2,7 @@
+ * ProFTPD - FTP server daemon
+ * Copyright (c) 1997, 1998 Public Flood Software
+ * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu
+- * Copyright (c) 2001-2016 The ProFTPD Project team
++ * Copyright (c) 2001-2017 The ProFTPD Project team
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p, xaset_t *conf) {
+ return dir;
+ }
+
+-/* Determine if the user (non-anon) needs a default root dir other than /.
+- */
++static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
++ int res, xerrno = 0;
++ struct stat st;
++ char *ptr;
++
++ if (pathlen == 0) {
++ return 0;
++ }
++
++ pr_fs_clear_cache();
++ res = pr_fsio_lstat(path, &st);
++ if (res < 0) {
++ xerrno = errno;
++
++ pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
++ strerror(xerrno));
++
++ errno = xerrno;
++ return -1;
++ }
+
++ if (S_ISLNK(st.st_mode)) {
++ errno = EPERM;
++ return -1;
++ }
++
++ /* To handle the case where a component further up the path might be a
++ * symlink (which lstat(2) will NOT handle), we walk the path backwards,
++ * calling ourselves recursively.
++ */
++
++ ptr = strrchr(path, '/');
++ if (ptr != NULL) {
++ char *new_path;
++ size_t new_pathlen;
++
++ pr_signals_handle();
++
++ new_pathlen = ptr - path;
++
++ /* Make sure our pointer actually changed position.
*/
++ if (new_pathlen == pathlen) {
++ return 0;
++ }
++
++ new_path = pstrndup(p, path, new_pathlen);
++
++ pr_log_debug(DEBUG10,
++ "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
++ new_path);
++ res = is_symlink_path(p, new_path, new_pathlen);
++ if (res < 0) {
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
++/* Determine if the user (non-anon) needs a default root dir other than /. */
+ static int get_default_root(pool *p, int allow_symlinks, char **root) {
+ config_rec *c = NULL;
+ char *dir = NULL;
+@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
+
+ if (allow_symlinks == FALSE) {
+ char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
+- struct stat st;
+ size_t pathlen;
+
+ /* First, deal with any possible interpolation. dir_realpath() will
+@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
+ path[pathlen-1] = '\0';
+ }
+
+- pr_fs_clear_cache();
+- res = pr_fsio_lstat(path, &st);
++ res = is_symlink_path(p, path, pathlen);
+ if (res < 0) {
+- xerrno = errno;
+-
+- pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+- strerror(xerrno));
+-
+- errno = xerrno;
+- return -1;
+- }
++ if (errno == EPERM) {
++ pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
++ "(denied by AllowChrootSymlinks config)", path);
++ }
+
+- if (S_ISLNK(st.st_mode)) {
+- pr_log_pri(PR_LOG_WARNING,
+- "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
+- "config)", path);
+ errno = EPERM;
+ return -1;
+ }
diff --git a/proftpd-tls.template b/proftpd-tls.template
index 6e2cff2..1b58afd 100644
--- a/proftpd-tls.template
+++ b/proftpd-tls.template
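Review bot: The walk in is_symlink_path() is a point-in-time check: each component is examined with its own pr_fsio_lstat() call, and the chroot itself happens outside this hunk, presumably later and from the same path string, so the result only holds if no ancestor directory of DefaultRoot is writable by the user logging in. The function has no header comment; I would add one stating the contract and that caveat, e.g. `/* Returns 0 if no component of path is a symlink, -1 with errno EPERM if one is, or -1 with the lstat errno. Point-in-time check only. */`. In the last inner hunk the caller still ends with `errno = EPERM;` on every failure, so an ENOENT or EACCES from the lstat is now reported as EPERM where the removed code restored xerrno; `xerrno = errno;` before the test and `errno = xerrno;` in place of the constant would keep the real cause, assuming xerrno is still declared in get_default_root(), whose body begins and ends outside the hunk. The warning also prints the full DefaultRoot path when the symlink was an ancestor component, and only the last DEBUG10 line hints at which component was rejected.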
@@ -10,8 +10,9 @@ TLSEngine on TLSLog /var/log/proftpd/tls.log - # Support both SSLv3 and TLSv1 - TLSProtocol TLSv1 TLSv1.1 TLSv1.2 + # Support both SSLv3 and TLSv1, but they should not be used + # (known to be weak) + TLSProtocol TLSv1.1 TLSv1.2 # Are clients required to use FTP over TLS when talking to this server? TLSRequired off @@ -20,8 +21,11 @@ TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem - # CA (or CA chain) the server trusts - TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem + # CA (or CA chain) to verify client certs + #TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem + + # CA (or CA chain) to verify certification path of server cert + TLSCertificateChainFile /etc/proftpd/ssl/proftpd.cacert.pem # Authenticate clients that want to use FTP over TLS? TLSVerifyClient off diff --git a/proftpd.changes b/proftpd.changes index a802346..1bc4ffb 100644 --- a/proftpd.changes +++ b/proftpd.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Fri Apr 7 20:49:37 UTC 2017 - chris@computersalat.de + +- fix for boo#1032443 (CVE-2017-7418) + * AllowChrootSymlinks not enforced by replacing a path component + with a symbolic link + * add upstream commit (ecff21e0d0e84f35c299ef91d7fda088e516d4ed) + as proftpd-AllowChrootSymlinks.patch +- fix proftpd-tls.template + * reduce TLS protocols to TLSv1.1 and TLSv1.2 + * disable TLSCACertificateFile + * add TLSCertificateChainFile + ------------------------------------------------------------------- Thu Mar 23 15:05:22 UTC 2017 - jengelh@inai.de diff --git a/proftpd.spec b/proftpd.spec index 9f4a8db..ef9b6c0 100644 --- a/proftpd.spec +++ b/proftpd.spec 
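Review bot: The new comment in the first proftpd-tls.template hunk still opens with "Support both SSLv3 and TLSv1" while the `TLSProtocol` line below it enables only TLSv1.1 and TLSv1.2, so the comment reads as the opposite of what the directive does. I would reword it to state the setting, e.g. `# Allow only TLSv1.1 and TLSv1.2; SSLv3 and TLSv1 are known to be weak`.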
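Review bot: With `TLSCACertificateFile` commented out in the second proftpd-tls.template hunk, the template leaves no CA configured for verifying client certificates, and nothing tells an administrator who later switches `TLSVerifyClient` (the context line below) to on that the two belong together. The comment could say so: `# CA (or CA chain) to verify client certs; uncomment when TLSVerifyClient is on`. Both directives also name the same proftpd.cacert.pem, although the client-verification CA and the server's own chain are not necessarily the same file, so a distinct placeholder file name for one of them would avoid mixing them up.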
@@ -18,10 +18,10 @@ Name: proftpd Summary: Highly configurable GPL-licensed FTP server software -# Please save your time and do not update to "rc" versions. -# We only accept updates for "STABLE" Versions License: GPL-2.0+ Group: Productivity/Networking/Ftp/Servers +# Please save your time and do not update to "rc" versions. +# We only accept updates for "STABLE" Versions Version: 1.3.5d Release: 0 Url: http://www.proftpd.org/ @@ -35,6 +35,10 @@ Source15: %{name}.keyring Source16: %{name}-tls.template Source17: %{name}-limit.template Source18: %{name}-ssl.README +#PATCH-FIX-UPSTREAM (CVE-2017-7418): +# AllowChrootSymlinks not enforced by replacing a path component with a symbolic link +### github commit: ecff21e0d0e84f35c299ef91d7fda088e516d4ed +Patch0: %{name}-AllowChrootSymlinks.patch #PATCH-FIX-openSUSE: pam, logrotate, xinet Patch100: %{name}-dist.patch #PATCH-FIX-openSUSE: provide a useful default config @@ -144,6 +148,8 @@ Here are Documentation for ProFTPD #gpg_verify %{S:1} %setup -q rm README.AIX +%patch0 -p1 +# %patch100 %patch101 %patch102