Source: pure-ftpd
Version: 1.0.36-3.2
Severity: normal

Dear Maintainer,

I was performing verification of pure-ftpd cipher suites configuration
and discovered it was using DHE with with very low dhparam value of 1024.

It's security issue that needs to be addressed, but it seems that switching
to ECDHE (with secp521r1) or using DHE with dhparam 4096 is possible since
pure-ftpd 1.0.38, where options to configure forward secrecy cipher suites
were added (TLS_DEFAULT_ECDH_CURVE, TLS_DHPARAMS_FILE).

My proposal is to either update pure-ftpd to 1.0.38, or backport this
specific features to 1.0.36, so setting secure cipher suites would
be possible.

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to