Source: pure-ftpd Version: 1.0.36-3.2 Severity: normal Dear Maintainer,
I was performing verification of pure-ftpd cipher suites configuration and discovered it was using DHE with with very low dhparam value of 1024. It's security issue that needs to be addressed, but it seems that switching to ECDHE (with secp521r1) or using DHE with dhparam 4096 is possible since pure-ftpd 1.0.38, where options to configure forward secrecy cipher suites were added (TLS_DEFAULT_ECDH_CURVE, TLS_DHPARAMS_FILE). My proposal is to either update pure-ftpd to 1.0.38, or backport this specific features to 1.0.36, so setting secure cipher suites would be possible. -- System Information: Debian Release: 8.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

