Package: proftpd-basic
Version: 1.3.6-2+b1
The distribution of proftpd mod_sftp presently in Buster/Sid is critically
flawed. Clients that use DSA and ECDSA keys may have issues connecting.
This was caused by an OpenSSL API change (upstream states OpenSSL 1.1.x is
affected).
Specifically, the position of the signature struct pointer passed to
DSA_SIG_get0() and ECDSA_SIG_get0() had been altered in OpenSSL (moved from
position #2 to position #0), causing key exchanges and other signing-based
processes to break in mod_sftp.
The fix should be as straightforward as cherry-picking the upstream commit. I
will be testing this patch with the Debian source code shortly.