Your message dated Sun, 12 Jan 2020 15:17:36 +0000
with message-id <[email protected]>
and subject line Bug#946345: fixed in proftpd-dfsg 1.3.5b-4+deb9u3
has caused the Debian Bug report #946345,
regarding proftpd-dfsg: CVE-2019-19269
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
946345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946345
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: proftpd-dfsg
Version: 1.3.6b-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/proftpd/proftpd/issues/861
Control: found -1 1.3.6-4+deb10u2
Control: found -1 1.3.5b-4+deb9u2
Control: found -1 1.3.5b-4+deb9u1
Hi,

The following vulnerability was published for proftpd-dfsg.

CVE-2019-19269[0]:
| An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A
| dereference of a NULL pointer may occur. This pointer is returned by
| the OpenSSL sk_X509_REVOKED_value() function when encountering an
| empty CRL installed by a system administrator. The dereference occurs
| when validating the certificate of a client connecting to the server
| in a TLS client/server mutual-authentication setup.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19269
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19269
[1] https://github.com/proftpd/proftpd/issues/861

Regards,
Salvatore
--- End Message ---
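
Added example (not part of the bug report or of ProFTPD's code): the CVE text above names an empty CRL as the condition that triggers the NULL dereference, so this Python code counts the revokedCertificates entries in a DER-encoded CRL to let an administrator find empty CRLs on hosts that have not yet been updated. The function names and the sample CRL bytes are constructed for illustration; the field layout assumed is the RFC 5280 CertificateList.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in [start, end)."""
    while start < end:
        elem = read_tlv(buf, start)
        yield elem
        start = elem[2]

def revoked_count(der):
    """Entries in TBSCertList.revokedCertificates; 0 if absent or empty."""
    tag, vs, ve = read_tlv(der, 0)  # CertificateList ::= SEQUENCE
    fields = list(children(der, vs, ve))
    if tag != 0x30 or not fields or fields[0][0] != 0x30:
        raise ValueError("not a DER CertificateList")
    tbs = list(children(der, fields[0][1], fields[0][2]))
    i = (1 if tbs and tbs[0][0] == 0x02 else 0) + 2  # [version], signature, issuer
    while i < len(tbs) and tbs[i][0] in (0x17, 0x18):  # thisUpdate, nextUpdate
        i += 1
    if i < len(tbs) and tbs[i][0] == 0x30:  # revokedCertificates is present
        return sum(1 for _ in children(der, tbs[i][1], tbs[i][2]))
    return 0  # field absent; any [0] crlExtensions that follow are ignored

def tlv(tag, body=b""):  # DER encoder, used only to build the constructed samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_crl(serials):
    """Constructed CRL skeleton: placeholder issuer and signature, not verifiable."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
    when = tlv(0x17, b"200101000000Z")
    tbs = tlv(0x02, b"\x01") + alg + tlv(0x30) + when + when
    if serials:
        entries = b"".join(tlv(0x30, tlv(0x02, bytes([s])) + when) for s in serials)
        tbs += tlv(0x30, entries)
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00\x00"))
```

For a CRL stored as PEM, convert it first with `openssl crl -in FILE -outform DER -out FILE.der` and pass the file's bytes to `revoked_count`; a result of 0 marks a CRL with no revoked entries.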
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.5b-4+deb9u3
We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preusse <[email protected]> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 31 Dec 2019 11:06:16 +0100
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite proftpd-mod-geoip
Architecture: source
Version: 1.3.5b-4+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: ProFTPD Maintainance Team <[email protected]>
Changed-By: Hilmar Preusse <[email protected]>
Description:
proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
proftpd-mod-geoip - Versatile, virtual-hosting FTP daemon - GeoIP module
proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 946345
Changes:
 proftpd-dfsg (1.3.5b-4+deb9u3) stretch; urgency=medium
 .
   * Cherry pick patch from upstream:
     - for upstream bug #861 (CVE-2019-19269) (Closes: #946345)
       Patch named upstream_pull_861_CVE-2019-19269
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---