I hope I am following the proper procedures for security patches, as I
am new to Ubuntu development and did my best to follow the packaging
guide. The following debdiff patch fixes this issue by disabling SSLv3
using the -S flag included with the TLSCipherSuite parameter. You can
verify the bug by running ./testssl.sh --starttls ftp localhost:21
(script from http://testssl.sh/testssl.sh) and checking that SSLv3 is
enabled in the output. To test, the patch below was applied and the
package rebuilt using pbuilder in a clean environment. The output deb
file was applied over the currently available trusty version on a
virtual machine without issue. The filezilla client was used to ensure
normal operation of the ftp server. Re-running ./testssl.sh --starttls
ftp localhost:21 then showed SSLv3 to be disabled. This issue was fixed
in Debian version 1.0.36-3 meaning no future versions of Ubuntu are
affected. I chose to use the -S flag rather than the Debian fix of
including !SSLv3 in TLSCipherSuite because that also disables TLSv1 and
TLSv1.1 (all 3 share the same cipher suites). I can also submit a
branch merge request if that method is preferred.
** Patch added: "pure-ftpd_1.0.36-1.1ubuntu0.1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/pure-ftpd/+bug/1381840/+attachment/4663553/+files/pure-ftpd_1.0.36-1.1ubuntu0.1.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1381840
Title:
Wrapper doesn't include TLSCipherSuite
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pure-ftpd/+bug/1381840/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
