Hello community, here is the log from the commit of package pure-ftpd for openSUSE:Factory checked in at 2018-02-18 11:46:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pure-ftpd (Old) and /work/SRC/openSUSE:Factory/.pure-ftpd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pure-ftpd" Sun Feb 18 11:46:01 2018 rev:49 rq:577703 version:1.0.47 Changes: --------
--- /work/SRC/openSUSE:Factory/pure-ftpd/pure-ftpd.changes 2017-06-16 10:54:32.877487427 +0200
+++ /work/SRC/openSUSE:Factory/.pure-ftpd.new/pure-ftpd.changes 2018-02-18 11:46:03.213654540 +0100
@@ -1,0 +2,18 @@
+Sun Feb 18 05:45:16 UTC 2018 - [email protected]
+
+- Version update to 1.0.47:
+ * If TLS was only enabled on the control channel (-Y 1), the STAT
+ command would send its output as other directory listing
+ commands, breaking the TLS stream. This has been fixed.
+ * The system user “_ftp” can be used as an alternative to “ftp”
+ for anonymous sessions.
+ * Compatibility with libsodium > 1.0.12 was added (including
+ minimal mode).
+ * The prefix for Argon2-hashed passwords in LDAP has been changed
+ to “{argon2}” (from “{argon2i}”). Ditto for MySQL and
+ PostgreSQL: the authentication method is now called “argon2”
+ instead of “argon2i”, and includes both Argon2i and Argon2id.
+- use https for main site and source download
+- switch to bz2 tarball (smaller)
+
+-------------------------------------------------------------------
Old: ---- pure-ftpd-1.0.46.tar.gz pure-ftpd-1.0.46.tar.gz.sig New: ---- pure-ftpd-1.0.47.tar.bz2 pure-ftpd-1.0.47.tar.bz2.minisig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pure-ftpd.spec ++++++
--- /var/tmp/diff_new_pack.EU4d4W/_old 2018-02-18 11:46:04.641603278 +0100
+++ /var/tmp/diff_new_pack.EU4d4W/_new 2018-02-18 11:46:04.641603278 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package pure-ftpd
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,14 +17,14 @@
 Name: pure-ftpd
-Version: 1.0.46
+Version: 1.0.47
 Release: 0
 Summary: A Lightweight, Fast, and Secure FTP Server
 License: BSD-3-Clause
 Group: Productivity/Networking/Ftp/Servers
-Url: http://www.pureftpd.org
-Source0: ftp://ftp.pureftpd.org/pub/%{name}/releases/%{name}-%{version}.tar.gz
-Source1: ftp://ftp.pureftpd.org/pub/%{name}/releases/%{name}-%{version}.tar.gz.sig
+Url: https://www.pureftpd.org
+Source0: https://download.pureftpd.org/pub/%{name}/releases/%{name}-%{version}.tar.bz2
+Source1: https://download.pureftpd.org/pub/%{name}/releases/%{name}-%{version}.tar.bz2.minisig
 Source2: %{name}.keyring
 Source3: %{name}.init
 Source4: %{name}.pamd
@@ -52,7 +52,6 @@
 Requires(pre): coreutils
 Provides: ftp-server
 Provides: pureftpd = %{version}-%{release}
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version} > 1140
 BuildRequires: pkgconfig(systemd)
 %{?systemd_requires}
@@ -110,7 +109,7 @@
 make %{?_smp_mflags}
 %install
-make DESTDIR=%{buildroot} install %{?_smp_mflags}
+%make_install
 install -dD -m 0755 \
 %{buildroot}%{_sysconfdir}/{%{name},%{name}/vhosts,pam.d,openldap/schema}
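Review bot: The new `Source1` in the `@@ -17,14 +17,14 @@` hunk of pure-ftpd.spec is a minisign signature (`%{name}-%{version}.tar.bz2.minisig`), while `Source2: %{name}.keyring` is left unchanged; a keyring of that kind is normally used to check detached GPG signatures, so the downloaded tarball may no longer be verified against any upstream key at build time. The %prep section is outside the visible hunks, so this is inferred rather than confirmed. If no verification step exists, either ship the upstream minisign public key as an additional source and verify the tarball in %prep, or drop the keyring that no longer has a matching signature, and record the state in a comment such as `# Source1 is a minisign signature; it is not checked by the GPG keyring in Source2`.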
@@ -166,7 +165,6 @@
 %endif
 %files
-%defattr(-, root, root)
 %doc AUTHORS CONTACT COPYING NEWS THANKS README
 %doc README.Configuration-File HISTORY README.Virtual-Users README.AppArmor
 %doc README.LDAP pureftpd-ldap.conf README.MySQL README.PGSQL README.TLS
++++++ pure-ftpd-1.0.46.tar.gz -> pure-ftpd-1.0.47.tar.bz2 ++++++ ++++ 1757 lines of diff (skipped) ++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/ChangeLog new/pure-ftpd-1.0.47/ChangeLog
--- old/pure-ftpd-1.0.46/ChangeLog 2017-04-24 18:57:54.000000000 +0200
+++ new/pure-ftpd-1.0.47/ChangeLog 2017-10-27 10:27:19.000000000 +0200
@@ -1,4 +1,15 @@ +* Version 1.0.47: + - Unlike other directory listing commands, the STAT command should +use TLS on the control channel even if TLS has been disabled on the data +channel. It wasn't the case; this has been fixed. Thanks to Carlo +Cannas. + - Return a 451 error code instead of 226 on aborted uploads. + - The system user "_ftp" can be used as an alternative to "ftp" for +anonymous sessions. + - Compatibility with libsodium > 1.0.12 was added (including minimal +mode). + * Version 1.0.46: - The server can now be linked against OpenSSL 1.1.x with the strict API. - Unmaintained contributions have been removed. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/INSTALL new/pure-ftpd-1.0.47/INSTALL --- old/pure-ftpd-1.0.46/INSTALL 2017-04-04 01:17:00.000000000 +0200 +++ new/pure-ftpd-1.0.47/INSTALL 2017-07-14 14:09:58.000000000 +0200 @@ -1,8 +1,8 @@ Installation Instructions ************************* -Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, -Inc. + Copyright (C) 1994-1996, 1999-2002, 2004-2016 Free Software +Foundation, Inc. Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright 
@@ -12,97 +12,96 @@ Basic Installation ================== - Briefly, the shell command `./configure && make && make install' + Briefly, the shell command './configure && make && make install' should configure, build, and install this package. The following -more-detailed instructions are generic; see the `README' file for +more-detailed instructions are generic; see the 'README' file for instructions specific to this package. Some packages provide this -`INSTALL' file but do not implement all of the features documented +'INSTALL' file but do not implement all of the features documented below. The lack of an optional feature in a given package is not necessarily a bug. More recommendations for GNU packages can be found in *note Makefile Conventions: (standards)Makefile Conventions. - The `configure' shell script attempts to guess correct values for + The 'configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses -those values to create a `Makefile' in each directory of the package. -It may also create one or more `.h' files containing system-dependent -definitions. Finally, it creates a shell script `config.status' that +those values to create a 'Makefile' in each directory of the package. +It may also create one or more '.h' files containing system-dependent +definitions. Finally, it creates a shell script 'config.status' that you can run in the future to recreate the current configuration, and a -file `config.log' containing compiler output (useful mainly for -debugging `configure'). +file 'config.log' containing compiler output (useful mainly for +debugging 'configure'). - It can also use an optional file (typically called `config.cache' -and enabled with `--cache-file=config.cache' or simply `-C') that saves -the results of its tests to speed up reconfiguring. Caching is -disabled by default to prevent problems with accidental use of stale -cache files. 
+ It can also use an optional file (typically called 'config.cache' and +enabled with '--cache-file=config.cache' or simply '-C') that saves the +results of its tests to speed up reconfiguring. Caching is disabled by +default to prevent problems with accidental use of stale cache files. If you need to do unusual things to compile the package, please try -to figure out how `configure' could check whether to do them, and mail -diffs or instructions to the address given in the `README' so they can +to figure out how 'configure' could check whether to do them, and mail +diffs or instructions to the address given in the 'README' so they can be considered for the next release. If you are using the cache, and at -some point `config.cache' contains results you don't want to keep, you +some point 'config.cache' contains results you don't want to keep, you may remove or edit it. - The file `configure.ac' (or `configure.in') is used to create -`configure' by a program called `autoconf'. You need `configure.ac' if -you want to change it or regenerate `configure' using a newer version -of `autoconf'. + The file 'configure.ac' (or 'configure.in') is used to create +'configure' by a program called 'autoconf'. You need 'configure.ac' if +you want to change it or regenerate 'configure' using a newer version of +'autoconf'. The simplest way to compile this package is: - 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. + 1. 'cd' to the directory containing the package's source code and type + './configure' to configure the package for your system. - Running `configure' might take a while. While running, it prints + Running 'configure' might take a while. While running, it prints some messages telling which features it is checking for. - 2. Type `make' to compile the package. + 2. Type 'make' to compile the package. - 3. Optionally, type `make check' to run any self-tests that come with + 3. 
Optionally, type 'make check' to run any self-tests that come with the package, generally using the just-built uninstalled binaries. - 4. Type `make install' to install the programs and any data files and + 4. Type 'make install' to install the programs and any data files and documentation. When installing into a prefix owned by root, it is recommended that the package be configured and built as a regular - user, and only the `make install' phase executed with root + user, and only the 'make install' phase executed with root privileges. - 5. Optionally, type `make installcheck' to repeat any self-tests, but + 5. Optionally, type 'make installcheck' to repeat any self-tests, but this time using the binaries in their final installed location. This target does not install anything. Running this target as a - regular user, particularly if the prior `make install' required + regular user, particularly if the prior 'make install' required root privileges, verifies that the installation completed correctly. 6. You can remove the program binaries and object files from the - source code directory by typing `make clean'. To also remove the - files that `configure' created (so you can compile the package for - a different kind of computer), type `make distclean'. There is - also a `make maintainer-clean' target, but that is intended mainly + source code directory by typing 'make clean'. To also remove the + files that 'configure' created (so you can compile the package for + a different kind of computer), type 'make distclean'. There is + also a 'make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. - 7. Often, you can also type `make uninstall' to remove the installed + 7. Often, you can also type 'make uninstall' to remove the installed files again. 
In practice, not all packages have tested that uninstallation works correctly, even though it is required by the GNU Coding Standards. - 8. Some packages, particularly those that use Automake, provide `make + 8. Some packages, particularly those that use Automake, provide 'make distcheck', which can by used by developers to test that all other - targets like `make install' and `make uninstall' work correctly. + targets like 'make install' and 'make uninstall' work correctly. This target is generally not run by end users. Compilers and Options ===================== Some systems require unusual options for compilation or linking that -the `configure' script does not know about. Run `./configure --help' +the 'configure' script does not know about. Run './configure --help' for details on some of the pertinent environment variables. - You can give `configure' initial values for configuration parameters -by setting variables in the command line or in the environment. Here -is an example: + You can give 'configure' initial values for configuration parameters +by setting variables in the command line or in the environment. Here is +an example: ./configure CC=c99 CFLAGS=-g LIBS=-lposix 
@@ -113,21 +112,21 @@ You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their -own directory. To do this, you can use GNU `make'. `cd' to the +own directory. To do this, you can use GNU 'make'. 'cd' to the directory where you want the object files and executables to go and run -the `configure' script. `configure' automatically checks for the -source code in the directory that `configure' is in and in `..'. This -is known as a "VPATH" build. +the 'configure' script. 'configure' automatically checks for the source +code in the directory that 'configure' is in and in '..'. This is known +as a "VPATH" build. - With a non-GNU `make', it is safer to compile the package for one + With a non-GNU 'make', it is safer to compile the package for one architecture at a time in the source code directory. After you have -installed the package for one architecture, use `make distclean' before +installed the package for one architecture, use 'make distclean' before reconfiguring for another architecture. On MacOS X 10.5 and later systems, you can create libraries and executables that work on multiple system types--known as "fat" or -"universal" binaries--by specifying multiple `-arch' options to the -compiler but only a single `-arch' option to the preprocessor. Like +"universal" binaries--by specifying multiple '-arch' options to the +compiler but only a single '-arch' option to the preprocessor. Like this: ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ 
@@ -136,105 +135,104 @@ This is not guaranteed to produce working output in all cases, you may have to build one architecture at a time and combine the results -using the `lipo' tool if you have problems. +using the 'lipo' tool if you have problems. Installation Names ================== - By default, `make install' installs the package's commands under -`/usr/local/bin', include files under `/usr/local/include', etc. You -can specify an installation prefix other than `/usr/local' by giving -`configure' the option `--prefix=PREFIX', where PREFIX must be an + By default, 'make install' installs the package's commands under +'/usr/local/bin', include files under '/usr/local/include', etc. You +can specify an installation prefix other than '/usr/local' by giving +'configure' the option '--prefix=PREFIX', where PREFIX must be an absolute file name. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you -pass the option `--exec-prefix=PREFIX' to `configure', the package uses +pass the option '--exec-prefix=PREFIX' to 'configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give -options like `--bindir=DIR' to specify different values for particular -kinds of files. Run `configure --help' for a list of the directories -you can set and what kinds of files go in them. In general, the -default for these options is expressed in terms of `${prefix}', so that -specifying just `--prefix' will affect all of the other directory +options like '--bindir=DIR' to specify different values for particular +kinds of files. Run 'configure --help' for a list of the directories +you can set and what kinds of files go in them. 
In general, the default +for these options is expressed in terms of '${prefix}', so that +specifying just '--prefix' will affect all of the other directory specifications that were not explicitly provided. The most portable way to affect installation locations is to pass the -correct locations to `configure'; however, many packages provide one or +correct locations to 'configure'; however, many packages provide one or both of the following shortcuts of passing variable assignments to the -`make install' command line to change installation locations without +'make install' command line to change installation locations without having to reconfigure or recompile. The first method involves providing an override variable for each -affected directory. For example, `make install +affected directory. For example, 'make install prefix=/alternate/directory' will choose an alternate location for all directory configuration variables that were expressed in terms of -`${prefix}'. Any directories that were specified during `configure', -but not in terms of `${prefix}', must each be overridden at install -time for the entire installation to be relocated. The approach of -makefile variable overrides for each directory variable is required by -the GNU Coding Standards, and ideally causes no recompilation. -However, some platforms have known limitations with the semantics of -shared libraries that end up requiring recompilation when using this -method, particularly noticeable in packages that use GNU Libtool. - - The second method involves providing the `DESTDIR' variable. For -example, `make install DESTDIR=/alternate/directory' will prepend -`/alternate/directory' before all installation names. The approach of -`DESTDIR' overrides is not required by the GNU Coding Standards, and +'${prefix}'. Any directories that were specified during 'configure', +but not in terms of '${prefix}', must each be overridden at install time +for the entire installation to be relocated. 
The approach of makefile +variable overrides for each directory variable is required by the GNU +Coding Standards, and ideally causes no recompilation. However, some +platforms have known limitations with the semantics of shared libraries +that end up requiring recompilation when using this method, particularly +noticeable in packages that use GNU Libtool. + + The second method involves providing the 'DESTDIR' variable. For +example, 'make install DESTDIR=/alternate/directory' will prepend +'/alternate/directory' before all installation names. The approach of +'DESTDIR' overrides is not required by the GNU Coding Standards, and does not work on platforms that have drive letters. On the other hand, it does better at avoiding recompilation issues, and works well even -when some directory options were not specified in terms of `${prefix}' -at `configure' time. +when some directory options were not specified in terms of '${prefix}' +at 'configure' time. Optional Features ================= If the package supports it, you can cause programs to be installed -with an extra prefix or suffix on their names by giving `configure' the -option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. +with an extra prefix or suffix on their names by giving 'configure' the +option '--program-prefix=PREFIX' or '--program-suffix=SUFFIX'. - Some packages pay attention to `--enable-FEATURE' options to -`configure', where FEATURE indicates an optional part of the package. -They may also pay attention to `--with-PACKAGE' options, where PACKAGE -is something like `gnu-as' or `x' (for the X Window System). The -`README' should mention any `--enable-' and `--with-' options that the + Some packages pay attention to '--enable-FEATURE' options to +'configure', where FEATURE indicates an optional part of the package. +They may also pay attention to '--with-PACKAGE' options, where PACKAGE +is something like 'gnu-as' or 'x' (for the X Window System). 
The +'README' should mention any '--enable-' and '--with-' options that the package recognizes. - For packages that use the X Window System, `configure' can usually + For packages that use the X Window System, 'configure' can usually find the X include and library files automatically, but if it doesn't, -you can use the `configure' options `--x-includes=DIR' and -`--x-libraries=DIR' to specify their locations. +you can use the 'configure' options '--x-includes=DIR' and +'--x-libraries=DIR' to specify their locations. Some packages offer the ability to configure how verbose the -execution of `make' will be. For these packages, running `./configure +execution of 'make' will be. For these packages, running './configure --enable-silent-rules' sets the default to minimal output, which can be -overridden with `make V=1'; while running `./configure +overridden with 'make V=1'; while running './configure --disable-silent-rules' sets the default to verbose, which can be -overridden with `make V=0'. +overridden with 'make V=0'. Particular systems ================== - On HP-UX, the default C compiler is not ANSI C compatible. If GNU -CC is not installed, it is recommended to use the following options in + On HP-UX, the default C compiler is not ANSI C compatible. If GNU CC +is not installed, it is recommended to use the following options in order to use an ANSI C compiler: ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" and if that doesn't work, install pre-built binaries of GCC for HP-UX. - HP-UX `make' updates targets which have the same time stamps as -their prerequisites, which makes it generally unusable when shipped -generated files such as `configure' are involved. Use GNU `make' -instead. + HP-UX 'make' updates targets which have the same time stamps as their +prerequisites, which makes it generally unusable when shipped generated +files such as 'configure' are involved. Use GNU 'make' instead. On OSF/1 a.k.a. 
Tru64, some versions of the default C compiler cannot -parse its `<wchar.h>' header file. The option `-nodtk' can be used as -a workaround. If GNU CC is not installed, it is therefore recommended -to try +parse its '<wchar.h>' header file. The option '-nodtk' can be used as a +workaround. If GNU CC is not installed, it is therefore recommended to +try ./configure CC="cc" @@ -242,26 +240,26 @@ ./configure CC="cc -nodtk" - On Solaris, don't put `/usr/ucb' early in your `PATH'. This + On Solaris, don't put '/usr/ucb' early in your 'PATH'. This directory contains several dysfunctional programs; working variants of -these programs are available in `/usr/bin'. So, if you need `/usr/ucb' -in your `PATH', put it _after_ `/usr/bin'. +these programs are available in '/usr/bin'. So, if you need '/usr/ucb' +in your 'PATH', put it _after_ '/usr/bin'. - On Haiku, software installed for all users goes in `/boot/common', -not `/usr/local'. It is recommended to use the following options: + On Haiku, software installed for all users goes in '/boot/common', +not '/usr/local'. It is recommended to use the following options: ./configure --prefix=/boot/common Specifying the System Type ========================== - There may be some features `configure' cannot figure out + There may be some features 'configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the -_same_ architectures, `configure' can figure that out, but if it prints +_same_ architectures, 'configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the -`--build=TYPE' option. TYPE can either be a short name for the system -type, such as `sun4', or a canonical name which has the form: +'--build=TYPE' option. TYPE can either be a short name for the system +type, such as 'sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM 
@@ -270,101 +268,101 @@ OS KERNEL-OS - See the file `config.sub' for the possible values of each field. If -`config.sub' isn't included in this package, then this package doesn't + See the file 'config.sub' for the possible values of each field. If +'config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should -use the option `--target=TYPE' to select the type of system they will +use the option '--target=TYPE' to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will -eventually be run) with `--host=TYPE'. +eventually be run) with '--host=TYPE'. Sharing Defaults ================ - If you want to set default values for `configure' scripts to share, -you can create a site shell script called `config.site' that gives -default values for variables like `CC', `cache_file', and `prefix'. -`configure' looks for `PREFIX/share/config.site' if it exists, then -`PREFIX/etc/config.site' if it exists. Or, you can set the -`CONFIG_SITE' environment variable to the location of the site script. -A warning: not all `configure' scripts look for a site script. + If you want to set default values for 'configure' scripts to share, +you can create a site shell script called 'config.site' that gives +default values for variables like 'CC', 'cache_file', and 'prefix'. +'configure' looks for 'PREFIX/share/config.site' if it exists, then +'PREFIX/etc/config.site' if it exists. Or, you can set the +'CONFIG_SITE' environment variable to the location of the site script. +A warning: not all 'configure' scripts look for a site script. Defining Variables ================== Variables not defined in a site shell script can be set in the -environment passed to `configure'. 
However, some packages may run +environment passed to 'configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set -them in the `configure' command line, using `VAR=value'. For example: +them in the 'configure' command line, using 'VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc -causes the specified `gcc' to be used as the C compiler (unless it is +causes the specified 'gcc' to be used as the C compiler (unless it is overridden in the site shell script). -Unfortunately, this technique does not work for `CONFIG_SHELL' due to -an Autoconf limitation. Until the limitation is lifted, you can use -this workaround: +Unfortunately, this technique does not work for 'CONFIG_SHELL' due to an +Autoconf limitation. Until the limitation is lifted, you can use this +workaround: CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash -`configure' Invocation +'configure' Invocation ====================== - `configure' recognizes the following options to control how it + 'configure' recognizes the following options to control how it operates. -`--help' -`-h' - Print a summary of all of the options to `configure', and exit. +'--help' +'-h' + Print a summary of all of the options to 'configure', and exit. -`--help=short' -`--help=recursive' +'--help=short' +'--help=recursive' Print a summary of the options unique to this package's - `configure', and exit. The `short' variant lists options used - only in the top level, while the `recursive' variant lists options - also present in any nested packages. - -`--version' -`-V' - Print the version of Autoconf used to generate the `configure' + 'configure', and exit. The 'short' variant lists options used only + in the top level, while the 'recursive' variant lists options also + present in any nested packages. 
+ +'--version' +'-V' + Print the version of Autoconf used to generate the 'configure' script, and exit. -`--cache-file=FILE' +'--cache-file=FILE' Enable the cache: use and save the results of the tests in FILE, - traditionally `config.cache'. FILE defaults to `/dev/null' to + traditionally 'config.cache'. FILE defaults to '/dev/null' to disable caching. -`--config-cache' -`-C' - Alias for `--cache-file=config.cache'. - -`--quiet' -`--silent' -`-q' +'--config-cache' +'-C' + Alias for '--cache-file=config.cache'. + +'--quiet' +'--silent' +'-q' Do not print messages saying which checks are being made. To - suppress all normal output, redirect it to `/dev/null' (any error + suppress all normal output, redirect it to '/dev/null' (any error messages will still be shown). -`--srcdir=DIR' +'--srcdir=DIR' Look for the package's source code in directory DIR. Usually - `configure' can determine that directory automatically. + 'configure' can determine that directory automatically. -`--prefix=DIR' - Use DIR as the installation prefix. *note Installation Names:: - for more details, including other options available for fine-tuning - the installation locations. +'--prefix=DIR' + Use DIR as the installation prefix. *note Installation Names:: for + more details, including other options available for fine-tuning the + installation locations. -`--no-create' -`-n' +'--no-create' +'-n' Run the configure checks, but stop before creating any output files. -`configure' also accepts some other, not widely useful, options. Run -`configure --help' for more details. +'configure' also accepts some other, not widely useful, options. Run +'configure --help' for more details. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/NEWS new/pure-ftpd-1.0.47/NEWS --- old/pure-ftpd-1.0.46/NEWS 2017-04-24 16:45:33.000000000 +0200 +++ new/pure-ftpd-1.0.47/NEWS 2017-10-27 10:37:10.000000000 +0200 @@ -1,4 +1,17 @@ +* Version 1.0.47: + - If TLS was only enabled on the control channel (-Y 1), the STAT command +would send its output as other directory listing commands, breaking +the TLS stream. This has been fixed. Spotted by Carlo Cannas, thanks! + - The system user "_ftp" can be used as an alternative to "ftp" for +anonymous sessions. + - Compatibility with libsodium > 1.0.12 was added (including minimal +mode). + - The prefix for Argon2-hashed passwords in LDAP has been changed to +"{argon2}" (from "{argon2i}"). Ditto for MySQL and PostgreSQL: the +authentication method is now called "argon2" instead of "argon2i", and +includes both Argon2i and Argon2id. + * Version 1.0.46: - The server can now be linked against OpenSSL 1.1.x with the strict API. - Unmaintained contributions have been removed. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/README.LDAP new/pure-ftpd-1.0.47/README.LDAP --- old/pure-ftpd-1.0.46/README.LDAP 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/README.LDAP 2017-08-20 16:48:52.000000000 +0200 
@@ -168,11 +168,11 @@ 'userPassword' is the password hashed with the system 'crypt' function, -MD5, SHA, SMD5, SSHA, SCRYPT or ARGON2I. +MD5, SHA, SMD5, SSHA, SCRYPT or ARGON2. Do not use MD5, SHA, SMD5 or SSHA except if you really have to. Use {crypt} with the strongest algorithm supported by your implementation. Or better, -use {scrypt} or {argon2i}. +use {scrypt} or {argon2}. Please note that a login can only contains common characters: A...Z, a...z, 0...9, -, ., _, space, :, @ and ' . For paranoia purposes, other characters @@ -260,11 +260,11 @@ compromised, the attacker could also easily compromise the FTP server. - ------------------------ ARGON2I ------------------------ + ------------------------ ARGON2 ------------------------ -Password hashed with argon2i can be used, provided that pure-ftpd was linked to -libsodium. +Password hashed with argon2i and argon2id can be used, provided that pure-ftpd +was linked to libsodium. They are expected to be provided as a string, as returned by the crypto_pwhash_str() function or by its bindings. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/README.MySQL new/pure-ftpd-1.0.47/README.MySQL --- old/pure-ftpd-1.0.46/README.MySQL 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/README.MySQL 2017-08-20 16:53:10.000000000 +0200 
@@ -86,15 +86,15 @@ - The user's login. -- The user's password, hashed using argon2i, scrypt or crypt(3). SHA1, -MD5, and MySQL's password() format are supported for legacy reasons, -but shouldn't be used any more. Pure-FTPd also accepts the "any" value -for the MySQLCrypt field. With "any", all hash functions are +- The user's password, hashed using argon2 (argon2id or argon2i), scrypt or +crypt(3). SHA1, MD5, and MySQL's password() format are supported for legacy +reasons, but shouldn't be used any more. Pure-FTPd also accepts the "any" +value for the MySQLCrypt field. With "any", all hash functions are sequentially tried. * RECOMMENDATION: Do not use SHA1, MD5, or, obviously, plaintext. Unless your system provides a decent crypt() function, use a MySQL function to verify -the hashed password or use argon2i/scrypt. +the hashed password or use argon2/scrypt. - The system uid to map the user to. This can be a numeric id or a user name, looked up at run-time. 
@@ -158,11 +158,11 @@ Using these directives overrides MYSQLGetUID and MYSQLGetGID. - ------------------------ ARGON2I ------------------------ + ------------------------ ARGON2 ------------------------ -Password hashed with argon2i can be used, provided that pure-ftpd was linked to -libsodium. +Password hashed with argon2i and argon2id can be used, provided that pure-ftpd +was linked to libsodium. They are expected to be provided as a string, as returned by the crypto_pwhash_str() function or by its bindings. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/README.PGSQL new/pure-ftpd-1.0.47/README.PGSQL --- old/pure-ftpd-1.0.46/README.PGSQL 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/README.PGSQL 2017-08-20 16:52:22.000000000 +0200 @@ -82,14 +82,14 @@ - The user's login. -- The user's password, hashed using argon2i, scrypt or crypt(3). SHA1 and MD5 +- The user's password, hashed using argon2, scrypt or crypt(3). SHA1 and MD5 are also supported for legacy reasons, but shouldn't be used any more. Pure-FTPd also accepts the "any" value for the PGSQLCrypt field. With "any", all hash functions are sequentially tried. * RECOMMENDATION: Do not use SHA1, MD5, or, obviously, plaintext. Unless your system provides a decent crypt() function, use a PostgreSQL function to verify -the hashed password or use argon2i/scrypt. +the hashed password or use argon2/scrypt. - The system uid to map the user to. This can be a numeric id or a user name, looked up at run-time. 
@@ -151,11 +151,11 @@ Using these directives overrides PGSQLGetUID and PGSQLGetGID. - ------------------------ ARGON2I ------------------------ + ------------------------ ARGON2 ------------------------ -Password hashed with argon2i can be used, provided that pure-ftpd was linked to -libsodium. +Password hashed with argon2i and argon2id can be used, provided that pure-ftpd +was linked to libsodium. They are expected to be provided as a string, as returned by the crypto_pwhash_str() function or by its bindings. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/README.Virtual-Users new/pure-ftpd-1.0.47/README.Virtual-Users --- old/pure-ftpd-1.0.46/README.Virtual-Users 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/README.Virtual-Users 2017-08-20 16:51:56.000000000 +0200 
@@ -112,9 +112,13 @@ joe:$7$C6..../....swVShTUX9kLJepm0vvj7dUXPqtULzQ9G3GT/GAO3bd3$GMHJRyUdSRwNROunwtRbEDHlx5t3eNQew7bb1dz29K2:500:101::/home/ftpusers/joe/./::::::::::::: Passwords are hashed with the most secure hash function your system supports. -Hashes are tried in this order: argon2i, scrypt, bcrypt, SHA-512, MD5. +Hashes are tried in this order: argon2, scrypt, bcrypt, SHA-512, MD5. -Argon2i and scrypt are the recommended functions, and require pure-ftpd to be +SHA-512 and MD5 should not be used any more. bcrypt requires crypt(3) +from the C library to support it, which is commonly the case on BSD +systems, but is only present on some Linux distributions. + +Argon2 and scrypt are the recommended functions, and require pure-ftpd to be compiled in presence of libsodium. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/compile new/pure-ftpd-1.0.47/compile --- old/pure-ftpd-1.0.46/compile 2015-01-05 21:26:17.000000000 +0100 +++ new/pure-ftpd-1.0.47/compile 2017-07-14 14:09:58.000000000 +0200 @@ -1,9 +1,9 @@ #! /bin/sh # Wrapper for compilers which do not understand '-c -o'. -scriptversion=2012-10-14.11; # UTC +scriptversion=2016-01-11.22; # UTC -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2017 Free Software Foundation, Inc. # Written by Tom Tromey <[email protected]>. # # This program is free software; you can redistribute it and/or modify @@ -255,7 +255,8 @@ echo "compile $scriptversion" exit $? ;; - cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \ + icl | *[/\\]icl | icl.exe | *[/\\]icl.exe ) func_cl_wrapper "$@" # Doesn't return... ;; esac 
@@ -342,6 +343,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/config.h.in new/pure-ftpd-1.0.47/config.h.in --- old/pure-ftpd-1.0.46/config.h.in 2017-04-24 16:45:57.000000000 +0200 +++ new/pure-ftpd-1.0.47/config.h.in 2017-10-27 10:30:39.000000000 +0200 @@ -245,9 +245,6 @@ /* Define to 1 if you have the `madvise' function. */ #undef HAVE_MADVISE -/* Define to 1 if you have the `make_scrambled_password' function. */ -#undef HAVE_MAKE_SCRAMBLED_PASSWORD - /* Define to 1 if you have the `mapviewoffile' function. */ #undef HAVE_MAPVIEWOFFILE @@ -269,9 +266,6 @@ /* Define to 1 if you have the `munmap' function. */ #undef HAVE_MUNMAP -/* Define to 1 if you have the `my_make_scrambled_password' function. */ -#undef HAVE_MY_MAKE_SCRAMBLED_PASSWORD - /* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */ #undef HAVE_NDIR_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/configure.ac new/pure-ftpd-1.0.47/configure.ac --- old/pure-ftpd-1.0.46/configure.ac 2017-04-24 16:39:24.000000000 +0200 +++ new/pure-ftpd-1.0.47/configure.ac 2017-10-27 10:28:40.000000000 +0200 
@@ -1,7 +1,7 @@ dnl AM_ACLOCAL_INCLUDE(m4) AC_PREREQ(2.65) -AC_INIT([pure-ftpd],[1.0.46],[bugs at pureftpd dot org]) +AC_INIT([pure-ftpd],[1.0.47],[bugs at pureftpd dot org]) AC_CONFIG_SRCDIR(src/ftpd.c) AC_CONFIG_HEADERS([config.h]) AM_INIT_AUTOMAKE([1.9 dist-bzip2 tar-ustar]) @@ -40,7 +40,6 @@ AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing], [CFLAGS="$CFLAGS -fno-strict-aliasing"]) AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CFLAGS="$CFLAGS -fno-strict-overflow"]) AS_IF([echo `(uname -s) 2>/dev/null` | $GREP "CYGWIN" > /dev/null], [ - AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"]) AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"]) ], [ AS_IF([test `(uname -s) 2>/dev/null` = "DragonFly"], @@ -1309,7 +1308,6 @@ AC_MSG_ERROR(Your MySQL client libraries aren't properly installed) ],[]) AC_MSG_RESULT(yes) - AC_CHECK_FUNCS(my_make_scrambled_password make_scrambled_password) fi ]) AC_ARG_WITH(pgsql, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/missing new/pure-ftpd-1.0.47/missing --- old/pure-ftpd-1.0.46/missing 2015-01-05 21:26:17.000000000 +0100 +++ new/pure-ftpd-1.0.47/missing 2017-07-14 14:09:58.000000000 +0200 @@ -1,9 +1,9 @@ #! /bin/sh # Common wrapper for a few potentially missing GNU programs. -scriptversion=2013-10-28.13; # UTC +scriptversion=2016-01-11.22; # UTC -# Copyright (C) 1996-2014 Free Software Foundation, Inc. +# Copyright (C) 1996-2017 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <[email protected]>, 1996. # This program is free software; you can redistribute it and/or modify 
@@ -210,6 +210,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/pure-ftpd.conf.in new/pure-ftpd-1.0.47/pure-ftpd.conf.in --- old/pure-ftpd-1.0.46/pure-ftpd.conf.in 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/pure-ftpd.conf.in 2017-09-07 13:47:26.000000000 +0200 @@ -235,6 +235,8 @@ # Minimum UID for an authenticated user to log in. +# For example, a value of 100 prevents all users whose user id is below +# 100 from logging in. If you want "root" to be able to log in, use 0. MinUID 100 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/pureftpd-mysql.conf new/pure-ftpd-1.0.47/pureftpd-mysql.conf --- old/pure-ftpd-1.0.46/pureftpd-mysql.conf 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/pureftpd-mysql.conf 2017-08-20 16:54:19.000000000 +0200 
@@ -38,7 +38,7 @@ # Mandatory : how passwords are stored -# Valid values are : "cleartext", "scrypt", "crypt", "sha1", "md5", "password" and "any" +# Valid values are : "cleartext", "argon2", "scrypt", "crypt", "sha1", "md5", "password" and "any" # ("password" = MySQL password() function, which is sha1(sha1(password))) MYSQLCrypt scrypt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/pureftpd-pgsql.conf new/pure-ftpd-1.0.47/pureftpd-pgsql.conf --- old/pure-ftpd-1.0.46/pureftpd-pgsql.conf 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/pureftpd-pgsql.conf 2017-08-20 16:54:30.000000000 +0200 @@ -35,7 +35,7 @@ # Mandatory : how passwords are stored -# Valid values are : "cleartext", "scrypt", "crypt", "md5", "sha1" and "any" +# Valid values are : "cleartext", "argon2", "scrypt", "crypt", "md5", "sha1" and "any" PGSQLCrypt scrypt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/ftp_parser.c new/pure-ftpd-1.0.47/src/ftp_parser.c --- old/pure-ftpd-1.0.46/src/ftp_parser.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/ftp_parser.c 2017-10-27 10:15:21.000000000 +0200 
@@ -299,7 +299,7 @@ } #endif n = (size_t) 0U; - while ((isalpha((unsigned char) cmd[n]) || cmd[n] == '@') && + while ((isalnum((unsigned char) cmd[n]) || cmd[n] == '@') && n < cmdsize) { cmd[n] = (char) tolower((unsigned char) cmd[n]); n++; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/ftpd.c new/pure-ftpd-1.0.47/src/ftpd.c --- old/pure-ftpd-1.0.46/src/ftpd.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/ftpd.c 2017-10-27 10:15:21.000000000 +0200 @@ -1381,7 +1381,8 @@ pw = &pw_; } #else - if ((pw = getpwnam("ftp")) == NULL || + if (((pw = getpwnam("ftp")) == NULL && + (pw = getpwnam("_ftp")) == NULL) || pw->pw_uid == 0 || pw->pw_gid == 0 || doinitsupgroups("ftp", (uid_t) -1, pw->pw_gid) != 0 || setgid(pw->pw_gid) || setegid(pw->pw_gid)) { @@ -2847,7 +2848,9 @@ } resolved_path[sizeof_resolved_path - 1U] = 0; if (realpath(name, resolved_path) == NULL) { - (void) unlink(name); + if (up != 0) { + (void) unlink(name); + } free(resolved_path); logfile(LOG_ERR, "realpath() failure : [%s] => [%s]", name, strerror(errno)); @@ -4429,7 +4432,7 @@ if (ret == 0) { addreply_noformat(226, MSG_TRANSFER_SUCCESSFUL); } else { - addreply_noformat(226, MSG_ABORTED); + addreply_noformat(451, MSG_ABORTED); } displayrate(MSG_UPLOADED, ulhandler.total_uploaded, started, name2 ? name2 : name, 1); @@ -4921,22 +4924,6 @@ } } -#ifndef HAVE_RANDOM_DEV -static void seed_old_rng(void) -{ - struct timeval tv; - gettimeofday(&tv, NULL); - const unsigned int seed = (unsigned int) - (((long) getpid() * 131072L) ^ tv->tv_sec ^ (tv_usec * 4096L)); - -# if defined(HAVE_RANDOM) - srandom(seed); -# else - srand(seed); -# endif -} -#endif - static void doit(void) { socklen_t socksize; 
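Review bot: In the `while` condition of the src/ftp_parser.c hunk, `cmd[n]` is read by `isalnum()` and by the `'@'` comparison before `n < cmdsize` is tested, so the last evaluation can read the element at index `cmdsize`. Whether that byte is still inside the buffer depends on how `cmd` is sized and terminated, which is outside the hunk. Testing the bound first removes the question: `while (n < cmdsize && (isalnum((unsigned char) cmd[n]) || cmd[n] == '@')) {`. The enclosing function starts and ends outside the hunk.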
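Review bot: In the src/ftpd.c hunk at -1381, the lookup now falls back to `_ftp`, but the next condition still calls `doinitsupgroups("ftp", ...)` with the literal name. On a system that only has `_ftp`, the supplementary groups are then presumably set up for an account name that does not exist; what `doinitsupgroups` does with the name is not visible here, so this needs confirming. Passing the name that was actually found avoids the mismatch: `doinitsupgroups(pw->pw_name, (uid_t) -1, pw->pw_gid) != 0 ||`. The enclosing function continues outside the hunk.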
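Review bot: In the src/ftpd.c hunk at -2847, `strerror(errno)` in the `logfile()` call runs after `unlink(name)` and `free(resolved_path)`, either of which may overwrite `errno`, so the log line can report something other than the realpath() failure. Save the value right after the failed call, `const int saved_errno = errno;`, and log `strerror(saved_errno)` instead. The enclosing function starts and ends outside the hunk.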
@@ -4950,9 +4937,6 @@ fcntl(clientfd, F_SETOWN, getpid()); #endif set_signals_client(); -#ifndef HAVE_RANDOM_DEV - seed_old_rng(); -#endif alt_arc4random_stir(); (void) umask((mode_t) 0); socksize = (socklen_t) sizeof ctrlconn; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/log_ldap.c new/pure-ftpd-1.0.47/src/log_ldap.c --- old/pure-ftpd-1.0.46/src/log_ldap.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/log_ldap.c 2017-08-20 16:49:18.000000000 +0200 
@@ -561,17 +561,17 @@ free(result->backend_data); result->backend_data = NULL; spwd = pw->pw_passwd; -# ifdef HAVE_LIBSODIUM -# ifdef crypto_pwhash_STRPREFIX - if (strncasecmp(spwd, PASSWD_LDAP_ARGON2I_PREFIX, - sizeof PASSWD_LDAP_ARGON2I_PREFIX - 1U) == 0) { - spwd += (sizeof PASSWD_LDAP_ARGON2I_PREFIX - 1U); +# ifdef crypto_pwhash_STRPREFIX + if (strncasecmp(spwd, PASSWD_LDAP_ARGON2_PREFIX, + sizeof PASSWD_LDAP_ARGON2_PREFIX - 1U) == 0) { + spwd += (sizeof PASSWD_LDAP_ARGON2_PREFIX - 1U); if (crypto_pwhash_str_verify(spwd, password, strlen(password)) == 0) { goto pwd_ok; } return; } else -# endif +# endif +# ifdef crypto_pwhash_scryptsalsa208sha256_STRPREFIX if (strncasecmp(spwd, PASSWD_LDAP_SCRYPT_PREFIX, sizeof PASSWD_LDAP_SCRYPT_PREFIX - 1U) == 0) { spwd += (sizeof PASSWD_LDAP_SCRYPT_PREFIX - 1U); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/log_ldap.h new/pure-ftpd-1.0.47/src/log_ldap.h --- old/pure-ftpd-1.0.46/src/log_ldap.h 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/log_ldap.h 2017-08-20 16:48:02.000000000 +0200 
@@ -36,7 +36,7 @@ #define PASSWD_LDAP_SHA_PREFIX "{sha}" #define PASSWD_LDAP_SSHA_PREFIX "{ssha}" #define PASSWD_LDAP_SCRYPT_PREFIX "{scrypt}" -#define PASSWD_LDAP_ARGON2I_PREFIX "{argon2i}" +#define PASSWD_LDAP_ARGON2_PREFIX "{argon2}" #define LDAP_DEFAULT_SCHEME "ldap" #define LDAP_DEFAULT_SERVER "localhost" #define LDAP_DEFAULT_PORT 389 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/log_mysql.c new/pure-ftpd-1.0.47/src/log_mysql.c --- old/pure-ftpd-1.0.46/src/log_mysql.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/log_mysql.c 2017-08-20 16:51:05.000000000 +0200 @@ -331,7 +331,7 @@ char *escaped_peer_ip = NULL; char *escaped_decimal_ip = NULL; int committed = 1; - int crypto_argon2i = 0, crypto_scrypt = 0, crypto_crypt = 0, + int crypto_argon2 = 0, crypto_scrypt = 0, crypto_crypt = 0, crypto_mysql = 0, crypto_md5 = 0, crypto_sha1 = 0, crypto_plain = 0; unsigned long decimal_ip_num = 0UL; char decimal_ip[42]; @@ -423,14 +423,14 @@ } result->auth_ok--; /* -1 */ if (strcasecmp(crypto, PASSWD_SQL_ANY) == 0) { - crypto_argon2i++; + crypto_argon2++; crypto_scrypt++; crypto_crypt++; crypto_mysql++; crypto_md5++; crypto_sha1++; - } else if (strcasecmp(crypto, PASSWD_SQL_ARGON2I) == 0) { - crypto_argon2i++; + } else if (strcasecmp(crypto, PASSWD_SQL_ARGON2) == 0) { + crypto_argon2++; } else if (strcasecmp(crypto, PASSWD_SQL_SCRYPT) == 0) { crypto_scrypt++; } else if (strcasecmp(crypto, PASSWD_SQL_CRYPT) == 0) { 
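Review bot: In the src/log_mysql.c hunk at -423, a configuration that still says `argon2i` no longer matches any branch of the `strcasecmp` chain, and the final `else` shown in the following hunk (`/* default to plaintext */`) then sets `crypto_plain`. After an upgrade the stored Argon2 string would be handled as a cleartext password rather than the login being refused for an unknown method; how `crypto_plain` is used is outside these hunks, so please confirm. Either keep accepting the old name, e.g. `strcasecmp(crypto, "argon2i") == 0` next to the `PASSWD_SQL_ARGON2` test, or make an unrecognised value fail closed with a logged error. The same chain in src/log_pgsql.c is affected.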
@@ -444,14 +444,14 @@ } else { /* default to plaintext */ crypto_plain++; } -#ifdef HAVE_LIBSODIUM -# ifdef crypto_pwhash_STRPREFIX - if (crypto_argon2i != 0) { +#ifdef crypto_pwhash_STRPREFIX + if (crypto_argon2 != 0) { if (crypto_pwhash_str_verify(spwd, password, strlen(password)) == 0) { goto auth_ok; } } -# endif +#endif +#ifdef crypto_pwhash_scryptsalsa208sha256_STRPREFIX if (crypto_scrypt != 0) { if (crypto_pwhash_scryptsalsa208sha256_str_verify (spwd, password, strlen(password)) == 0) { 
@@ -469,34 +469,24 @@ } if (crypto_mysql != 0) { char scrambled_password[42]; /* 2 * 20 (sha1 hash size) + 2 */ + SHA1_CTX ctx; + unsigned char h0[20], h1[20]; + char *p; -# ifdef HAVE_MY_MAKE_SCRAMBLED_PASSWORD - my_make_scrambled_password(scrambled_password, password, - strlen(password)); -# elif defined(HAVE_MAKE_SCRAMBLED_PASSWORD) - make_scrambled_password(scrambled_password, password); -# else - { - SHA1_CTX ctx; - unsigned char h0[20], h1[20]; - char *p; - - SHA1Init(&ctx); - SHA1Update(&ctx, password, strlen(password)); - SHA1Final(h0, &ctx); - SHA1Init(&ctx); - SHA1Update(&ctx, h0, sizeof h0); - pure_memzero(h0, sizeof h0); - SHA1Final(h1, &ctx); + SHA1Init(&ctx); + SHA1Update(&ctx, password, strlen(password)); + SHA1Final(h0, &ctx); + SHA1Init(&ctx); + SHA1Update(&ctx, h0, sizeof h0); + pure_memzero(h0, sizeof h0); + SHA1Final(h1, &ctx); *scrambled_password = '*'; - hexify(scrambled_password + 1U, h1, - (sizeof scrambled_password) - 1U, sizeof h1); - *(p = scrambled_password) = '*'; - while (*p++ != 0) { - *p = (char) toupper((unsigned char) *p); - } + hexify(scrambled_password + 1U, h1, + (sizeof scrambled_password) - 1U, sizeof h1); + *(p = scrambled_password) = '*'; + while (*p++ != 0) { + *p = (char) toupper((unsigned char) *p); } -# endif if (pure_strcmp(scrambled_password, spwd) == 0) { goto auth_ok; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/log_mysql.h new/pure-ftpd-1.0.47/src/log_mysql.h --- old/pure-ftpd-1.0.46/src/log_mysql.h 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/log_mysql.h 2017-08-20 16:50:11.000000000 +0200 
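Review bot: In the `crypto_mysql` block of the src/log_mysql.c hunk at -469, `*scrambled_password = '*';` is followed a few lines later by `*(p = scrambled_password) = '*';`, so the first assignment is redundant now that the `#if` branches are gone. `h0` is wiped with `pure_memzero()` but `h1` and `ctx` are left on the stack; wiping them after `hexify()` would be consistent: `pure_memzero(h1, sizeof h1); pure_memzero(&ctx, sizeof ctx);`. A one-line comment stating that the block builds `'*'` followed by the upper-case hex of SHA1(SHA1(password)) would make the intent readable without the removed library calls.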
@@ -1,7 +1,7 @@ #ifndef __LOG_MYSQL_H__ #define __LOG_MYSQL_H__ 1 -#define PASSWD_SQL_ARGON2I "argon2i" +#define PASSWD_SQL_ARGON2 "argon2" #define PASSWD_SQL_SCRYPT "scrypt" #define PASSWD_SQL_CRYPT "crypt" #define PASSWD_SQL_CLEARTEXT "cleartext" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/log_pgsql.c new/pure-ftpd-1.0.47/src/log_pgsql.c --- old/pure-ftpd-1.0.46/src/log_pgsql.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/log_pgsql.c 2017-08-20 16:51:15.000000000 +0200 @@ -409,7 +409,7 @@ char *escaped_decimal_ip = NULL; char *scrambled_password = NULL; int committed = 1; - int crypto_argon2i = 0, crypto_scrypt = 0, crypto_crypt = 0, crypto_md5 = 0, + int crypto_argon2 = 0, crypto_scrypt = 0, crypto_crypt = 0, crypto_md5 = 0, crypto_sha1 = 0, crypto_plain = 0; unsigned long decimal_ip_num = 0UL; char decimal_ip[42]; @@ -499,13 +499,13 @@ } result->auth_ok--; /* -1 */ if (strcasecmp(crypto, PASSWD_SQL_ANY) == 0) { - crypto_argon2i++; + crypto_argon2++; crypto_scrypt++; crypto_crypt++; crypto_md5++; crypto_sha1++; - } else if (strcasecmp(crypto, PASSWD_SQL_ARGON2I) == 0) { - crypto_argon2i++; + } else if (strcasecmp(crypto, PASSWD_SQL_ARGON2)) { + crypto_argon2++; } else if (strcasecmp(crypto, PASSWD_SQL_SCRYPT) == 0) { crypto_scrypt++; } else if (strcasecmp(crypto, PASSWD_SQL_CRYPT) == 0) { 
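Review bot: The new `else if (strcasecmp(crypto, PASSWD_SQL_ARGON2))` in the src/log_pgsql.c hunk at -499 is missing `== 0`, so the test is inverted. Every configured value other than "any" and "argon2" (scrypt, crypt, md5, sha1, cleartext) now selects only `crypto_argon2`, and "argon2" itself falls through the rest of the chain to the `/* default to plaintext */` branch visible in the next hunk. The parallel change in src/log_mysql.c has the comparison. The line should read `} else if (strcasecmp(crypto, PASSWD_SQL_ARGON2) == 0) {`.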
@@ -517,14 +517,14 @@ } else { /* default to plaintext */ crypto_plain++; } -#ifdef HAVE_LIBSODIUM -# ifdef crypto_pwhash_STRPREFIX - if (crypto_argon2i != 0) { +#ifdef crypto_pwhash_STRPREFIX + if (crypto_argon2 != 0) { if (crypto_pwhash_str_verify(spwd, password, strlen(password)) == 0) { goto auth_ok; } } -# endif +#endif +#ifdef crypto_pwhash_scryptsalsa208sha256_STRPREFIX if (crypto_scrypt != 0) { if (crypto_pwhash_scryptsalsa208sha256_str_verify (spwd, password, strlen(password)) == 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/log_pgsql.h new/pure-ftpd-1.0.47/src/log_pgsql.h --- old/pure-ftpd-1.0.46/src/log_pgsql.h 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/log_pgsql.h 2017-08-20 16:50:23.000000000 +0200 @@ -1,7 +1,7 @@ #ifndef __LOG_PGSQL_H__ #define __LOG_PGSQL_H__ 1 -#define PASSWD_SQL_ARGON2I "argon2i" +#define PASSWD_SQL_ARGON2 "argon2" #define PASSWD_SQL_SCRYPT "scrypt" #define PASSWD_SQL_CRYPT "crypt" #define PASSWD_SQL_CLEARTEXT "cleartext" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/log_puredb.c new/pure-ftpd-1.0.47/src/log_puredb.c --- old/pure-ftpd-1.0.46/src/log_puredb.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/log_puredb.c 2017-08-20 13:49:59.000000000 +0200 
@@ -228,22 +228,15 @@ const char *crypted; int ret = -1; -#ifdef HAVE_LIBSODIUM -# ifdef crypto_pwhash_STRPREFIX - if (strncmp(crypto_pwhash_STRPREFIX, line, - (sizeof crypto_pwhash_STRPREFIX) - 1U) == 0) { - ret = crypto_pwhash_str_verify(line, pwd, strlen(pwd)); - if (ret != 0) { - return -1; - } +#ifdef crypto_pwhash_STRPREFIX + if (crypto_pwhash_str_verify(line, pwd, strlen(pwd)) == 0) { + /* pass */ } else -# endif - if (line[0] == '$' && line[1] == '7' && line[2] == '$') { - ret = crypto_pwhash_scryptsalsa208sha256_str_verify - (line, pwd, strlen(pwd)); - if (ret != 0) { - return -1; - } +#endif +#ifdef crypto_pwhash_scryptsalsa208sha256_STRPREFIX + if (crypto_pwhash_scryptsalsa208sha256_str_verify + (line, pwd, strlen(pwd)) == 0) { + /* pass */ } else #endif { @@ -321,7 +314,7 @@ } #ifdef PER_USER_LIMITS if (*line != 0) { - result->per_user_max = (unsigned int) strtoull(line, NULL, 10); + result->per_user_max = (unsigned int) strtoull(line, NULL, 10); } #endif if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) { /* files quota */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/ls.c new/pure-ftpd-1.0.47/src/ls.c --- old/pure-ftpd-1.0.46/src/ls.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/ls.c 2017-08-19 01:47:43.000000000 +0200 @@ -58,7 +58,7 @@ l -= rest; } #ifdef WITH_TLS - if (data_protection_level == CPL_PRIVATE) { + if (tls_fd != NULL) { if (secure_safe_write(tls_fd, outbuf, sizeof outbuf) != (ssize_t) sizeof outbuf) { return; @@ -72,7 +72,7 @@ } } #ifdef WITH_TLS - if (data_protection_level == CPL_PRIVATE) { + if (tls_fd != NULL) { while (l > sizeof outbuf) { if (secure_safe_write(tls_fd, s, sizeof outbuf) != (ssize_t) sizeof outbuf) { 
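Review bot: In the src/log_puredb.c hunk at -228, a failed `crypto_pwhash_str_verify()` or scrypt verify no longer returns -1 but falls through to the final block, which previously ran only for records without an Argon2 or `$7$` prefix. A wrong password for an Argon2 or scrypt record therefore now reaches whatever that block does with `line`; the block is outside the hunk and should be checked for strings it was not written for. `ret` is also no longer assigned in the two success branches and keeps its initial -1, so confirm the code after the hunk does not return it unchanged. If the fall-through is intended, say so in place of `/* pass */`, e.g. `/* verified; a mismatch falls through to the next scheme */`.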
@@ -889,7 +889,7 @@ } else { /* STAT command */ c = clientfd; #ifdef WITH_TLS - if (data_protection_level == CPL_PRIVATE) { + if (tls_cnx != NULL) { secure_safe_write(tls_cnx, "213-STAT" CRLF, sizeof "213-STAT" CRLF - 1U); tls_fd = tls_cnx; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/pure-uploadscript.c new/pure-ftpd-1.0.47/src/pure-uploadscript.c --- old/pure-ftpd-1.0.46/src/pure-uploadscript.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/pure-uploadscript.c 2017-08-19 01:47:43.000000000 +0200 @@ -436,7 +436,7 @@ } buf_len = strlen(buf); if (safe_write(fd, buf, buf_len, -1) != (ssize_t) buf_len) { - ftruncate(fd, (off_t) 0); + (void) ftruncate(fd, (off_t) 0); } close(fd); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pure-ftpd-1.0.46/src/simpleconf.c new/pure-ftpd-1.0.47/src/simpleconf.c --- old/pure-ftpd-1.0.46/src/simpleconf.c 2017-04-24 16:32:45.000000000 +0200 +++ new/pure-ftpd-1.0.47/src/simpleconf.c 2017-08-19 01:47:43.000000000 +0200 @@ -475,6 +475,7 @@ out_pnt++; state = STATE_TEMPLATE_RCHAR; } else { + free(arg); return ENTRYRESULT_INVALID_ENTRY; } continue; 
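Review bot: In the STAT branch of the src/ls.c hunk at -889, `tls_fd = tls_cnx` is now set whenever the control connection uses TLS, and the output routine in the earlier src/ls.c hunks chooses the TLS path on `tls_fd != NULL` alone. Where `tls_fd` is reset is outside the hunks; if it is not cleared once the STAT reply is finished, a later listing on a cleartext data connection would presumably still be written through `tls_fd`, so please confirm and state the invariant in a comment next to the assignment. The return value of `secure_safe_write(tls_cnx, "213-STAT" CRLF, ...)` is also ignored, unlike the calls in the output routine, which return on a short write.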
@@ -602,6 +603,7 @@ } if ((argv_tmp = realloc(*argv_p, (sizeof arg) * ((size_t) *argc_p + 1))) == NULL) { + free(arg); fclose(fp); return -1; } ++++++ pure-ftpd-1.0.47.tar.bz2.minisig ++++++ untrusted comment: signature from minisign secret key RWRvw8aArS/yEO+w/TYW7L9gIt6iADKe6u6uLeBokmIyJSE4ZC/eK4rH7CN0uDIXeo4xHJ7hS5bmPlzFVpLrbwA4WAHmWosNPAA= trusted comment: timestamp:1509094144 file:pure-ftpd-1.0.47.tar.bz2 Sfu2B3GodkbRfPwv0iQyzQaabMa2nXCj/TsvGvhns30Bds46rA/PAU2Mv0Rc2ThOdTMgvkgKLBBg7pyT0FZGAA==
