From 0672bc5cc438bf96ed6983e8cf69363046990216 Mon Sep 17 00:00:00 2001 From: webbuilder_pel7ppc64bebuilder0 Date: Mon, 9 Apr 2018 10:48:22 +0200 Subject: [PATCH] added proftpd package 
Signed-off-by: webbuilder_pel7ppc64bebuilder0 --- SOURCES/08ba2f63.patch | 78 + SOURCES/1825a2b8.patch | 23 + SOURCES/389cc579.patch | 206 +++ SOURCES/41ecb7dc.patch | 326 ++++ SOURCES/459693c7.patch | 31 + SOURCES/6cc96b5f.patch | 37 + SOURCES/73887e02.patch | 66 + SOURCES/757b9633.patch | 119 ++ SOURCES/7907aa65.patch | 47 + SOURCES/8a186e2d.patch | 147 ++ SOURCES/aa85f127.patch | 159 ++ SOURCES/ad786eaa.patch | 23 + SOURCES/adfdc01d.patch | 25 + SOURCES/c3e5d75f.patch | 97 + SOURCES/proftpd-1.3.4rc1-mod_vroot-test.patch | 14 + ....6-add-enable-tests-nonetwork-option.patch | 186 ++ SOURCES/proftpd-1.3.6-no-mod-wrap.patch | 14 + SOURCES/proftpd-1.3.6-shellbang.patch | 40 + SOURCES/proftpd-welcome.msg | 6 + SOURCES/proftpd.conf | 430 +++++ SOURCES/proftpd.conf-no-memcached.patch | 13 + SOURCES/proftpd.sysconfig | 12 + SPECS/proftpd.spec | 1602 +++++++++++++++++ 23 files changed, 3701 insertions(+) create mode 100644 SOURCES/08ba2f63.patch create mode 100644 SOURCES/1825a2b8.patch create mode 100644 SOURCES/389cc579.patch create mode 100644 SOURCES/41ecb7dc.patch create mode 100644 SOURCES/459693c7.patch create mode 100644 SOURCES/6cc96b5f.patch create mode 100644 SOURCES/73887e02.patch create mode 100644 SOURCES/757b9633.patch create mode 100644 SOURCES/7907aa65.patch create mode 100644 SOURCES/8a186e2d.patch create mode 100644 SOURCES/aa85f127.patch create mode 100644 SOURCES/ad786eaa.patch create mode 100644 SOURCES/adfdc01d.patch create mode 100644 SOURCES/c3e5d75f.patch create mode 100644 SOURCES/proftpd-1.3.4rc1-mod_vroot-test.patch create mode 100644 SOURCES/proftpd-1.3.6-add-enable-tests-nonetwork-option.patch create mode 100644 SOURCES/proftpd-1.3.6-no-mod-wrap.patch create mode 100644 SOURCES/proftpd-1.3.6-shellbang.patch create mode 100644 SOURCES/proftpd-welcome.msg create mode 100644 SOURCES/proftpd.conf create mode 100644 SOURCES/proftpd.conf-no-memcached.patch create mode 100644 SOURCES/proftpd.sysconfig create mode 100644 SPECS/proftpd.spec 
diff --git a/SOURCES/08ba2f63.patch b/SOURCES/08ba2f63.patch new file mode 100644 index 0000000..c89e57d --- /dev/null +++ b/SOURCES/08ba2f63.patch 
@@ -0,0 +1,78 @@ +From 08ba2f630c8eebd023ae68d8e2abd1e7170468af Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Sun, 14 May 2017 14:09:23 -0700 +Subject: [PATCH] Issue #501: Avoid a spurious "Address already in use" error + on startup because we are listening on a local socket twice. + +--- + modules/mod_ctrls.c | 22 +++++++--------------- + 1 file changed, 7 insertions(+), 15 deletions(-) + +diff --git a/modules/mod_ctrls.c b/modules/mod_ctrls.c +index 25ea723..8efd8b4 100644 +--- a/modules/mod_ctrls.c ++++ b/modules/mod_ctrls.c +@@ -2,8 +2,7 @@ + * ProFTPD: mod_ctrls -- a module implementing the ftpdctl local socket + * server, as well as several utility functions for other Controls + * modules +- * +- * Copyright (c) 2000-2016 TJ Saunders ++ * Copyright (c) 2000-2017 TJ Saunders + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -81,8 +80,6 @@ static ctrls_acl_t ctrls_sock_acl; + + static unsigned char ctrls_engine = TRUE; + +-#define CTRLS_LISTEN_FL_REMOVE_SOCKET 0x0001 +- + /* Necessary prototypes */ + static int ctrls_setblock(int sockfd); + static int ctrls_setnonblock(int sockfd); +@@ -437,7 +434,7 @@ static int ctrls_cls_write(void) { + } + + /* Create a listening local socket */ +-static int ctrls_listen(const char *sock_file, int flags) { ++static int ctrls_listen(const char *sock_file) { + int sockfd = -1, len = 0; + struct sockaddr_un sock; + #if !defined(SO_PEERCRED) && !defined(HAVE_GETPEEREID) && \ +@@ -497,12 +494,10 @@ static int ctrls_listen(const char *sock_file, int flags) { + return -1; + } + +- if (flags & CTRLS_LISTEN_FL_REMOVE_SOCKET) { +- /* Make sure the path to which we want to bind this socket doesn't already +- * exist. +- */ +- (void) unlink(sock_file); +- } ++ /* Make sure the path to which we want to bind this socket doesn't already ++ * exist. 
++ */ ++ (void) unlink(sock_file); + + /* Fill in the socket structure fields */ + memset(&sock, 0, sizeof(sock)); +@@ -1206,7 +1201,7 @@ static void ctrls_postparse_ev(const void *event_data, void *user_data) { + + /* Start listening on the ctrl socket */ + PRIVS_ROOT +- ctrls_sockfd = ctrls_listen(ctrls_sock_file, CTRLS_LISTEN_FL_REMOVE_SOCKET); ++ ctrls_sockfd = ctrls_listen(ctrls_sock_file); + PRIVS_RELINQUISH + + /* Start a timer for the checking/processing of the ctrl socket. */ +@@ -1298,9 +1293,6 @@ static int ctrls_init(void) { + memset(&ctrls_sock_acl, '\0', sizeof(ctrls_acl_t)); + ctrls_sock_acl.acl_usrs.allow = ctrls_sock_acl.acl_grps.allow = FALSE; + +- /* Start listening on the ctrl socket */ +- ctrls_sockfd = ctrls_listen(ctrls_sock_file, 0); +- + pr_event_register(&ctrls_module, "core.restart", ctrls_restart_ev, NULL); + pr_event_register(&ctrls_module, "core.shutdown", ctrls_shutdown_ev, NULL); + pr_event_register(&ctrls_module, "core.postparse", ctrls_postparse_ev, NULL); diff --git a/SOURCES/1825a2b8.patch b/SOURCES/1825a2b8.patch new file mode 100644 index 0000000..a5b541b --- /dev/null +++ b/SOURCES/1825a2b8.patch @@ -0,0 +1,23 @@ +From ee528a5c6513932c6dbe7cf69fdcda3fbf009621 Mon Sep 17 00:00:00 2001 +From: Paul Howarth +Date: Wed, 19 Apr 2017 15:23:30 +0100 +Subject: [PATCH] fsio: fix test in xattr-copying loop + +Fixes segfaults in fsio file copying tests (Issue #483) +--- + src/fsio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/fsio.c b/src/fsio.c +index a54c64d..91ad0d7 100644 +--- a/src/fsio.c ++++ b/src/fsio.c +@@ -2063,7 +2063,7 @@ int pr_fs_copy_file2(const char *src, const char *dst, int flags, + const char **names; + + names = xattrs->elts; +- for (i = 0; xattrs->nelts; i++) { ++ for (i = 0; i < xattrs->nelts; i++) { + ssize_t valsz; + + /* First, find out how much memory we need for this attribute's diff --git a/SOURCES/389cc579.patch b/SOURCES/389cc579.patch new file mode 100644 index 0000000..a352176 
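Review bot: In SOURCES/08ba2f63.patch, `ctrls_listen()` now always runs `(void) unlink(sock_file);`, and its only visible caller invokes it between `PRIVS_ROOT` and `PRIVS_RELINQUISH`, yet the result is discarded and nothing checks what kind of file sits at that path. A failure other than ENOENT would only surface later as a bind error, and a mistyped socket path in the configuration would have that file removed with root privileges (the configuration handling is not visible here, so this is an inference). I would check the return value, e.g. `if (unlink(sock_file) < 0 && errno != ENOENT) { /* log and return -1 */ }`, and consider an `lstat()` with `S_ISSOCK` test before the removal. `ctrls_listen()` starts and ends outside the hunk.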
--- /dev/null +++ b/SOURCES/389cc579.patch 
@@ -0,0 +1,206 @@ +From 389cc579bc8d5704f9dcc2fd01ffd6307aee6b2b Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Mon, 17 Apr 2017 20:01:47 -0700 +Subject: [PATCH] Address some nits in the unit tests, to help make more + repeatable builds on the variety of testing platforms; addresses Issue #483. + +--- + tests/api/data.c | 5 +++-- + tests/api/fsio.c | 28 ++++++++++++++++++++-------- + tests/api/inet.c | 19 ++++++++++--------- + tests/api/pool.c | 7 ++++++- + 4 files changed, 39 insertions(+), 20 deletions(-) + +diff --git a/tests/api/data.c b/tests/api/data.c +index e4442ab..223a3af 100644 +--- a/tests/api/data.c ++++ b/tests/api/data.c +@@ -313,8 +313,9 @@ START_TEST (data_sendfile_test) { + mark_point(); + res = pr_data_sendfile(fd, &offset, strlen(text)); + if (res < 0) { +- fail_unless(errno == ENOTSOCK, "Expected ENOTSOCK (%d), got %s (%d)", +- ENOTSOCK, strerror(errno), errno); ++ fail_unless(errno == ENOTSOCK || errno == EINVAL, ++ "Expected ENOTSOCK (%d) or EINVAL (%d), got %s (%d)", ENOTSOCK, EINVAL, ++ strerror(errno), errno); + } + + (void) close(fd); +diff --git a/tests/api/fsio.c b/tests/api/fsio.c +index 508ca46..4677d8f 100644 +--- a/tests/api/fsio.c ++++ b/tests/api/fsio.c +@@ -34,6 +34,8 @@ static const char *fsio_test2_path = "/tmp/prt-foo.bar.baz.quxx.quzz"; + static const char *fsio_unlink_path = "/tmp/prt-fsio-link.dat"; + static const char *fsio_link_path = "/tmp/prt-fsio-symlink.lnk"; + static const char *fsio_testdir_path = "/tmp/prt-fsio-test.d"; ++static const char *fsio_copy_src_path = "/tmp/prt-fs-src.dat"; ++static const char *fsio_copy_dst_path = "/tmp/prt-fs-dst.dat"; + + /* Fixtures */ + +@@ -1010,8 +1012,12 @@ START_TEST (fsio_sys_access_dir_test) { + strerror(errno)); + + if (getenv("TRAVIS") == NULL) { +- uid_t other_uid = 1000; +- gid_t other_gid = 1000; ++ uid_t other_uid; ++ gid_t other_gid; ++ ++ /* Deliberately use IDs other than the current ones. 
*/ ++ other_uid = uid - 1; ++ other_gid = gid - 1; + + /* Next, check that others can access the directory. */ + pr_fs_clear_cache2(fsio_testdir_path); +@@ -3297,7 +3303,7 @@ END_TEST + + START_TEST (fs_copy_file_test) { + int res; +- char *src_path, *dst_path, *text; ++ char *src_path = NULL, *dst_path = NULL, *text; + pr_fh_t *fh; + + res = pr_fs_copy_file(NULL, NULL); +@@ -3305,15 +3311,15 @@ START_TEST (fs_copy_file_test) { + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); + +- src_path = "/tmp/prt-fs-src.dat"; ++ src_path = fsio_copy_src_path; + res = pr_fs_copy_file(src_path, NULL); + fail_unless(res < 0, "Failed to handle null destination path"); + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); + +- dst_path = "/tmp/prt-fs-dst.dat"; ++ dst_path = fsio_copy_dst_path; + res = pr_fs_copy_file(src_path, dst_path); +- fail_unless(res < 0, "Failed to handle null destination path"); ++ fail_unless(res < 0, "Failed to handle nonexistent source path"); + fail_unless(errno == ENOENT, "Expected ENOENT (%d), got %s (%d)", ENOENT, + strerror(errno), errno); + +@@ -3322,6 +3328,7 @@ START_TEST (fs_copy_file_test) { + fail_unless(errno == EISDIR, "Expected EISDIR (%d), got %s (%d)", EISDIR, + strerror(errno), errno); + ++ (void) unlink(src_path); + fh = pr_fsio_open(src_path, O_CREAT|O_EXCL|O_WRONLY); + fail_unless(fh != NULL, "Failed to open '%s': %s", src_path, strerror(errno)); + +@@ -3347,6 +3354,8 @@ START_TEST (fs_copy_file_test) { + res = pr_fs_copy_file(src_path, src_path); + fail_unless(res == 0, "Failed to copy file to itself: %s", strerror(errno)); + ++ (void) unlink(dst_path); ++ + mark_point(); + res = pr_fs_copy_file(src_path, dst_path); + fail_unless(res == 0, "Failed to copy file: %s", strerror(errno)); +@@ -3366,10 +3375,13 @@ START_TEST (fs_copy_file2_test) { + char *src_path, *dst_path, *text; + pr_fh_t *fh; + +- src_path = "/tmp/prt-fs-src.dat"; +- 
dst_path = "/tmp/prt-fs-dst.dat"; ++ src_path = fsio_copy_src_path; ++ dst_path = fsio_copy_dst_path; + flags = PR_FSIO_COPY_FILE_FL_NO_DELETE_ON_FAILURE; + ++ (void) unlink(src_path); ++ (void) unlink(dst_path); ++ + fh = pr_fsio_open(src_path, O_CREAT|O_EXCL|O_WRONLY); + fail_unless(fh != NULL, "Failed to open '%s': %s", src_path, strerror(errno)); + +diff --git a/tests/api/inet.c b/tests/api/inet.c +index b75c839..03c4781 100644 +--- a/tests/api/inet.c ++++ b/tests/api/inet.c +@@ -508,7 +508,7 @@ START_TEST (inet_connect_ipv4_test) { + conn = pr_inet_create_conn(p, sockfd, NULL, port, FALSE); + fail_unless(conn != NULL, "Failed to create conn: %s", strerror(errno)); + +- res = pr_inet_connect(p, conn, NULL, 80); ++ res = pr_inet_connect(p, conn, NULL, 180); + fail_unless(res < 0, "Failed to handle null address"); + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); +@@ -517,8 +517,8 @@ START_TEST (inet_connect_ipv4_test) { + fail_unless(addr != NULL, "Failed to resolve '127.0.0.1': %s", + strerror(errno)); + +- res = pr_inet_connect(p, conn, addr, 80); +- fail_unless(res < 0, "Connected to 127.0.0.1#80 unexpectedly"); ++ res = pr_inet_connect(p, conn, addr, 180); ++ fail_unless(res < 0, "Connected to 127.0.0.1#180 unexpectedly"); + fail_unless(errno == ECONNREFUSED, "Expected ECONNREFUSED (%d), got %s (%d)", + ECONNREFUSED, strerror(errno), errno); + +@@ -573,8 +573,8 @@ START_TEST (inet_connect_ipv6_test) { + fail_unless(addr != NULL, "Failed to resolve '::1': %s", + strerror(errno)); + +- res = pr_inet_connect(p, conn, addr, 80); +- fail_unless(res < 0, "Connected to ::1#80 unexpectedly"); ++ res = pr_inet_connect(p, conn, addr, 180); ++ fail_unless(res < 0, "Connected to ::1#180 unexpectedly"); + fail_unless(errno == ECONNREFUSED || errno == ENETUNREACH || errno == EADDRNOTAVAIL, + "Expected ECONNREFUSED (%d), ENETUNREACH (%d), or EADDRNOTAVAIL (%d), got %s (%d)", + ECONNREFUSED, ENETUNREACH, EADDRNOTAVAIL, 
strerror(errno), errno); +@@ -637,7 +637,7 @@ START_TEST (inet_connect_nowait_test) { + conn = pr_inet_create_conn(p, sockfd, NULL, port, FALSE); + fail_unless(conn != NULL, "Failed to create conn: %s", strerror(errno)); + +- res = pr_inet_connect_nowait(p, conn, NULL, 80); ++ res = pr_inet_connect_nowait(p, conn, NULL, 180); + fail_unless(res < 0, "Failed to handle null address"); + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); +@@ -646,8 +646,8 @@ START_TEST (inet_connect_nowait_test) { + fail_unless(addr != NULL, "Failed to resolve '127.0.0.1': %s", + strerror(errno)); + +- res = pr_inet_connect_nowait(p, conn, addr, 80); +- fail_unless(res != -1, "Connected to 127.0.0.1#80 unexpectedly"); ++ res = pr_inet_connect_nowait(p, conn, addr, 180); ++ fail_unless(res != -1, "Connected to 127.0.0.1#180 unexpectedly"); + + /* Try connecting to Google's DNS server. */ + +@@ -657,7 +657,8 @@ START_TEST (inet_connect_nowait_test) { + + res = pr_inet_connect_nowait(p, conn, addr, 53); + if (res < 0 && +- errno != ECONNREFUSED) { ++ errno != ECONNREFUSED && ++ errno != EBADF) { + fail_unless(res != -1, "Failed to connect to 8.8.8.8#53: %s", + strerror(errno)); + } +diff --git a/tests/api/pool.c b/tests/api/pool.c +index 8008f1c..d2f4c0d 100644 +--- a/tests/api/pool.c ++++ b/tests/api/pool.c +@@ -52,12 +52,17 @@ START_TEST (pool_destroy_pool_test) { + p = make_sub_pool(permanent_pool); + destroy_pool(p); + +-#if !defined(PR_USE_DEVEL) + /* What happens if we destroy an already-destroyed pool? Answer: IFF + * --enable-devel was used, THEN destroying an already-destroyed pool + * will result in an exit(2) call from within pool.c, via the + * chk_on_blk_list() function. How impolite. ++ * ++ * And if --enable-devel was NOT used, on SOME systems, this test tickles ++ * other libc/malloc/free behaviors, which are unsettling. ++ * ++ * Sigh. So for now, I'll just leave this here, but commented out. 
+ */ ++#if 0 + mark_point(); + destroy_pool(p); + #endif diff --git a/SOURCES/41ecb7dc.patch b/SOURCES/41ecb7dc.patch new file mode 100644 index 0000000..bc4a680 --- /dev/null +++ b/SOURCES/41ecb7dc.patch 
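Review bot: In SOURCES/389cc579.patch, the tests/api/fsio.c hunk for `fsio_sys_access_dir_test` computes `other_uid = uid - 1;` and `other_gid = gid - 1;`, which wraps if the suite is ever run as root. `uid_t` and `gid_t` are unsigned on the usual build targets, so 0 - 1 becomes `(uid_t) -1`, the value that chown-style calls treat as "leave unchanged". `uid` and `gid` are defined outside the hunk, so this assumes they hold the current IDs, as the added comment suggests. A guard such as `other_uid = (uid == 0) ? 1 : uid - 1;` (and the same for `other_gid`) keeps the IDs valid and still different from the current ones.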
@@ -0,0 +1,326 @@ +From 41ecb7dc3932dd57bac52980982c76bf036ccfd8 Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Wed, 12 Jul 2017 23:14:59 -0700 +Subject: [PATCH] Bug#4309: Allow SFTP/SCP logins to succeed properly when + "AllowEmptyPasswords off" in effect. + +Also ensure that a truly empty SFTP/SCP password IS properly rejected in such +a configuration. +--- + contrib/mod_sftp/auth-password.c | 41 +++++++- + modules/mod_auth.c | 55 +++++++---- + tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm | 132 ++++++++++++++++++++++++++ + 3 files changed, 205 insertions(+), 23 deletions(-) + +diff --git a/contrib/mod_sftp/auth-password.c b/contrib/mod_sftp/auth-password.c +index 2605af7f6..8fb9804bd 100644 +--- a/contrib/mod_sftp/auth-password.c ++++ b/contrib/mod_sftp/auth-password.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - mod_sftp 'password' user authentication +- * Copyright (c) 2008-2015 TJ Saunders ++ * Copyright (c) 2008-2017 TJ Saunders + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -37,6 +37,7 @@ int sftp_auth_password(struct ssh2_packet *pkt, cmd_rec *pass_cmd, + char *passwd; + int have_new_passwd, res; + struct passwd *pw; ++ size_t passwd_len; + + cipher_algo = sftp_cipher_get_read_algo(); + mac_algo = sftp_mac_get_read_algo(); +@@ -77,6 +78,7 @@ int sftp_auth_password(struct ssh2_packet *pkt, cmd_rec *pass_cmd, + + passwd = sftp_msg_read_string(pkt->pool, buf, buflen); + passwd = sftp_utf8_decode_str(pkt->pool, passwd); ++ passwd_len = strlen(passwd); + + pass_cmd->arg = passwd; + +@@ -92,7 +94,7 @@ int sftp_auth_password(struct ssh2_packet *pkt, cmd_rec *pass_cmd, + pr_cmd_dispatch_phase(pass_cmd, POST_CMD_ERR, 0); + pr_cmd_dispatch_phase(pass_cmd, LOG_CMD_ERR, 0); + +- pr_memscrub(passwd, strlen(passwd)); ++ pr_memscrub(passwd, passwd_len); + + *send_userauth_fail = TRUE; + errno = EPERM; +@@ -109,15 +111,46 @@ int sftp_auth_password(struct ssh2_packet *pkt, 
cmd_rec *pass_cmd, + session.c->remote_name, pr_netaddr_get_ipstr(session.c->remote_addr), + pr_netaddr_get_ipstr(session.c->local_addr), session.c->local_port); + +- pr_memscrub(passwd, strlen(passwd)); ++ pr_memscrub(passwd, passwd_len); + + *send_userauth_fail = TRUE; + errno = ENOENT; + return 0; + } + ++ if (passwd_len == 0) { ++ config_rec *c; ++ int allow_empty_passwords = TRUE; ++ ++ c = find_config(main_server->conf, CONF_PARAM, "AllowEmptyPasswords", ++ FALSE); ++ if (c != NULL) { ++ allow_empty_passwords = *((int *) c->argv[0]); ++ } ++ ++ if (allow_empty_passwords == FALSE) { ++ pr_log_debug(DEBUG5, ++ "Refusing empty password from user '%s' (AllowEmptyPasswords false)", ++ user); ++ pr_log_auth(PR_LOG_NOTICE, ++ "Refusing empty password from user '%s'", user); ++ ++ pr_event_generate("mod_auth.empty-password", user); ++ pr_response_add_err(R_501, "Login incorrect."); ++ ++ pr_cmd_dispatch_phase(pass_cmd, POST_CMD_ERR, 0); ++ pr_cmd_dispatch_phase(pass_cmd, LOG_CMD_ERR, 0); ++ ++ pr_memscrub(passwd, passwd_len); ++ ++ *send_userauth_fail = TRUE; ++ errno = EPERM; ++ return 0; ++ } ++ } ++ + res = pr_auth_authenticate(pkt->pool, user, passwd); +- pr_memscrub(passwd, strlen(passwd)); ++ pr_memscrub(passwd, passwd_len); + + switch (res) { + case PR_AUTH_OK: +diff --git a/modules/mod_auth.c b/modules/mod_auth.c +index 2b76070f7..b60cea5a9 100644 +--- a/modules/mod_auth.c ++++ b/modules/mod_auth.c +@@ -2636,35 +2636,52 @@ MODRET auth_pre_pass(cmd_rec *cmd) { + + allow_empty_passwords = *((int *) c->argv[0]); + if (allow_empty_passwords == FALSE) { ++ const char *proto; ++ int reject_empty_passwd = FALSE, using_ssh2 = FALSE; + size_t passwd_len = 0; + ++ proto = pr_session_get_protocol(0); ++ if (strcmp(proto, "ssh2") == 0) { ++ using_ssh2 = TRUE; ++ } ++ + if (cmd->argc > 1) { + if (cmd->arg != NULL) { + passwd_len = strlen(cmd->arg); + } + } + +- /* Make sure to NOT enforce 'AllowEmptyPasswords off' if e.g. +- * the AllowDotLogin TLSOption is in effect. 
+- */ +- if (cmd->argc == 1 || +- passwd_len == 0) { +- +- if (session.auth_mech == NULL || +- strcmp(session.auth_mech, "mod_tls.c") != 0) { +- pr_log_debug(DEBUG5, +- "Refusing empty password from user '%s' (AllowEmptyPasswords " +- "false)", user); +- pr_log_auth(PR_LOG_NOTICE, +- "Refusing empty password from user '%s'", user); +- +- pr_event_generate("mod_auth.empty-password", user); +- pr_response_add_err(R_501, _("Login incorrect.")); +- return PR_ERROR(cmd); ++ if (passwd_len == 0) { ++ reject_empty_passwd = TRUE; ++ ++ /* Make sure to NOT enforce 'AllowEmptyPasswords off' if e.g. ++ * the AllowDotLogin TLSOption is in effect, or if the protocol is ++ * SSH2 (for mod_sftp uses "fake" PASS commands for the SSH login ++ * protocol). ++ */ ++ ++ if (session.auth_mech != NULL && ++ strcmp(session.auth_mech, "mod_tls.c") == 0) { ++ pr_log_debug(DEBUG9, "%s", "'AllowEmptyPasswords off' in effect, " ++ "BUT client authenticated via the AllowDotLogin TLSOption"); ++ reject_empty_passwd = FALSE; + } + +- pr_log_debug(DEBUG9, "%s", "'AllowEmptyPasswords off' in effect, " +- "BUT client authenticated via the AllowDotLogin TLSOption"); ++ if (using_ssh2 == TRUE) { ++ reject_empty_passwd = FALSE; ++ } ++ } ++ ++ if (reject_empty_passwd == TRUE) { ++ pr_log_debug(DEBUG5, ++ "Refusing empty password from user '%s' (AllowEmptyPasswords " ++ "false)", user); ++ pr_log_auth(PR_LOG_NOTICE, ++ "Refusing empty password from user '%s'", user); ++ ++ pr_event_generate("mod_auth.empty-password", user); ++ pr_response_add_err(R_501, _("Login incorrect.")); ++ return PR_ERROR(cmd); + } + } + } +diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm +index c919844ea..c608e76fc 100644 +--- a/tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm ++++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_sftp.pm +@@ -1279,6 +1279,11 @@ my $TESTS = { + test_class => [qw(bug forking sftp ssh2)], + }, + ++ sftp_config_allow_empty_passwords_off_bug4309 => { ++ 
order => ++$order, ++ test_class => [qw(bug forking sftp ssh2)], ++ }, ++ + sftp_multi_channels => { + order => ++$order, + test_class => [qw(forking sftp ssh2)], +@@ -41885,6 +41890,133 @@ sub sftp_config_insecure_hostkey_perms_bug4098 { + test_cleanup($setup->{log_file}, $ex); + } + ++sub sftp_config_allow_empty_passwords_off_bug4309 { ++ my $self = shift; ++ my $tmpdir = $self->{tmpdir}; ++ my $setup = test_setup($tmpdir, 'sftp'); ++ ++ my $other_user = 'nopassword'; ++ my $other_passwd = ''; ++ my $other_uid = 1000; ++ my $other_gid = 1000; ++ ++ auth_user_write($setup->{auth_user_file}, $other_user, $other_passwd, ++ $other_uid, $other_gid, $setup->{home_dir}, '/bin/bash'); ++ auth_group_write($setup->{auth_group_file}, $setup->{group}, $setup->{gid}, ++ $other_user); ++ ++ my $rsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_rsa_key'); ++ my $dsa_host_key = File::Spec->rel2abs('t/etc/modules/mod_sftp/ssh_host_dsa_key'); ++ ++ my $config = { ++ PidFile => $setup->{pid_file}, ++ ScoreboardFile => $setup->{scoreboard_file}, ++ SystemLog => $setup->{log_file}, ++ TraceLog => $setup->{log_file}, ++ Trace => 'DEFAULT:10 ssh2:20 sftp:20', ++ ++ AuthUserFile => $setup->{auth_user_file}, ++ AuthGroupFile => $setup->{auth_group_file}, ++ ++ IfModules => { ++ 'mod_delay.c' => { ++ DelayEngine => 'off', ++ }, ++ ++ 'mod_sftp.c' => [ ++ "SFTPEngine on", ++ "SFTPLog $setup->{log_file}", ++ "SFTPHostKey $rsa_host_key", ++ "SFTPHostKey $dsa_host_key", ++ "AllowEmptyPasswords off", ++ ], ++ }, ++ }; ++ ++ my ($port, $config_user, $config_group) = config_write($setup->{config_file}, ++ $config); ++ ++ # Open pipes, for use between the parent and child processes. Specifically, ++ # the child will indicate when it's done with its test by writing a message ++ # to the parent. 
++ my ($rfh, $wfh); ++ unless (pipe($rfh, $wfh)) { ++ die("Can't open pipe: $!"); ++ } ++ ++ require Net::SSH2; ++ ++ my $ex; ++ ++ # Fork child ++ $self->handle_sigchld(); ++ defined(my $pid = fork()) or die("Can't fork: $!"); ++ if ($pid) { ++ eval { ++ my $ssh2 = Net::SSH2->new(); ++ ++ sleep(1); ++ ++ # First, we'll try to login with normal user/password; this should ++ # succeed. ++ unless ($ssh2->connect('127.0.0.1', $port)) { ++ my ($err_code, $err_name, $err_str) = $ssh2->error(); ++ die("Can't connect to SSH2 server: [$err_name] ($err_code) $err_str"); ++ } ++ ++ unless ($ssh2->auth_password($setup->{user}, $setup->{passwd})) { ++ my ($err_code, $err_name, $err_str) = $ssh2->error(); ++ die("Can't login to SSH2 server: [$err_name] ($err_code) $err_str"); ++ } ++ ++ my $sftp = $ssh2->sftp(); ++ unless ($sftp) { ++ my ($err_code, $err_name, $err_str) = $ssh2->error(); ++ die("Can't use SFTP on SSH2 server: [$err_name] ($err_code) $err_str"); ++ } ++ ++ $sftp = undef; ++ $ssh2->disconnect(); ++ $ssh2 = undef; ++ ++ # Then, we'll try to login with an empty password; this should fail. ++ ++ $ssh2 = Net::SSH2->new(); ++ unless ($ssh2->connect('127.0.0.1', $port)) { ++ my ($err_code, $err_name, $err_str) = $ssh2->error(); ++ die("Can't connect to SSH2 server: [$err_name] ($err_code) $err_str"); ++ } ++ ++ if ($ssh2->auth_password($other_user, $other_passwd)) { ++ die("Login with empty password succeeded unexpectedly"); ++ } ++ ++ $ssh2->disconnect(); ++ }; ++ if ($@) { ++ $ex = $@; ++ } ++ ++ $wfh->print("done\n"); ++ $wfh->flush(); ++ ++ } else { ++ eval { server_wait($setup->{config_file}, $rfh) }; ++ if ($@) { ++ warn($@); ++ exit 1; ++ } ++ ++ exit 0; ++ } ++ ++ # Stop server ++ server_stop($setup->{pid_file}); ++ $self->assert_child_ok($pid); ++ ++ test_cleanup($setup->{log_file}, $ex); ++} ++ + sub sftp_multi_channel_downloads { + my $self = shift; + my $tmpdir = $self->{tmpdir}; 
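Review bot: In SOURCES/41ecb7dc.patch, the modules/mod_auth.c hunk makes `auth_pre_pass()` skip the AllowEmptyPasswords check for every session whose protocol is `ssh2`, while the only replacement check added is in `sftp_auth_password()`. Any other mod_sftp authentication method that dispatches a PASS command with an empty password would then be covered by neither check; whether such a path exists is not visible in this patch and should be confirmed. I would state the invariant at the `using_ssh2 == TRUE` branch, e.g. `/* ssh2: AllowEmptyPasswords is enforced in mod_sftp's sftp_auth_password(); other SSH auth methods must enforce it themselves. */`. The new `find_config(main_server->conf, CONF_PARAM, "AllowEmptyPasswords", FALSE)` lookup should also be compared with the lookup in `auth_pre_pass()` (outside the hunk) so both paths read the same setting. The added regression test exercises password authentication only.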
diff --git a/SOURCES/459693c7.patch b/SOURCES/459693c7.patch new file mode 100644 index 0000000..1052706 --- /dev/null +++ b/SOURCES/459693c7.patch @@ -0,0 +1,31 @@ +From 459693c70c83b7d173ec10bb8089d4ce4e59d301 Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Tue, 2 May 2017 19:56:39 -0700 +Subject: [PATCH] Bug#4306: AllowChrootSymlinks off could cause login failures + depending on filesystem permissions. + +Use the IDs of the logging-in user to perform the directory walk, looking +for symlinks, to be more consistent with similar checks done during login. +--- + modules/mod_auth.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/modules/mod_auth.c b/modules/mod_auth.c +index d93c630..2b76070 100644 +--- a/modules/mod_auth.c ++++ b/modules/mod_auth.c +@@ -936,9 +936,13 @@ static int get_default_root(pool *p, int allow_symlinks, const char **root) { + path[pathlen-1] = '\0'; + } + ++ PRIVS_USER + res = is_symlink_path(p, path, pathlen); ++ xerrno = errno; ++ PRIVS_RELINQUISH ++ + if (res < 0) { +- if (errno == EPERM) { ++ if (xerrno == EPERM) { + pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink " + "(denied by AllowChrootSymlinks config)", path); + } diff --git a/SOURCES/6cc96b5f.patch b/SOURCES/6cc96b5f.patch new file mode 100644 index 0000000..94d6cd6 --- /dev/null +++ b/SOURCES/6cc96b5f.patch 
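Review bot: In SOURCES/459693c7.patch, `get_default_root()` in modules/mod_auth.c now saves `errno` into `xerrno` before `PRIVS_RELINQUISH`, but the `if (res < 0)` block continues past the end of the hunk and only the EPERM comparison is visibly switched to `xerrno`. Any remaining `errno` or `strerror(errno)` use further down that block would report whatever the privilege switch left behind, so the rest of the function should be checked. The declaration of `xerrno` is also outside the hunk. A short comment above the switch would record the intent, for example `/* Walk the path with the logging-in user's IDs, as the other login-time checks do (Bug#4306). */`.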
@@ -0,0 +1,37 @@ +From 48012e5ab7969fc77d0724769b1e737343ed654d Mon Sep 17 00:00:00 2001 +From: Paul Howarth +Date: Wed, 10 May 2017 10:10:40 +0100 +Subject: [PATCH] Switch to Type = simple and add configuration test + +Upstream recommends Type = simple if possible rather than Type = forking: +http://0pointer.de/public/systemd-man/daemon.html#Integration%20with%20Systemd + +Also add configuration test prior to starting the daemon, to help diagnose +start-up problems. +--- + contrib/dist/rpm/proftpd.service | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/contrib/dist/rpm/proftpd.service b/contrib/dist/rpm/proftpd.service +index 07802ca..8a4df33 100644 +--- a/contrib/dist/rpm/proftpd.service ++++ b/contrib/dist/rpm/proftpd.service +@@ -3,14 +3,13 @@ Description = ProFTPD FTP Server + After = network.target nss-lookup.target local-fs.target remote-fs.target + + [Service] +-Type = forking +-PIDFile = /run/proftpd/proftpd.pid ++Type = simple + Environment = PROFTPD_OPTIONS= + EnvironmentFile = -/etc/sysconfig/proftpd +-ExecStart = /usr/sbin/proftpd $PROFTPD_OPTIONS +-ExecStartPost = /usr/bin/touch /var/lock/subsys/proftpd +-ExecStopPost = /bin/rm -f /var/lock/subsys/proftpd ++ExecStartPre = /usr/sbin/proftpd --configtest ++ExecStart = /usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS + ExecReload = /bin/kill -HUP $MAINPID ++PIDFile = /run/proftpd/proftpd.pid + + [Install] + WantedBy = multi-user.target diff --git a/SOURCES/73887e02.patch b/SOURCES/73887e02.patch new file mode 100644 index 0000000..1213a0f --- /dev/null +++ b/SOURCES/73887e02.patch 
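Review bot: In SOURCES/6cc96b5f.patch, the new `ExecStartPre = /usr/sbin/proftpd --configtest` line runs without `$PROFTPD_OPTIONS`, whereas `ExecStart` passes them. If the options from /etc/sysconfig/proftpd select a different configuration file or set defines that enable configuration sections, the pre-start test validates a different configuration from the one the daemon then loads, and a broken configuration can pass the test. Consider `ExecStartPre = /usr/sbin/proftpd --configtest $PROFTPD_OPTIONS`. `PIDFile` is kept alongside `Type = simple`; a one-line comment on why it is still needed would help the next maintainer.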
@@ -0,0 +1,66 @@ +From 73887e02dbcc9e6e94b26f30c3ef89acb8016f2d Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Sun, 21 May 2017 13:25:50 -0700 +Subject: [PATCH] Merge pull request #510 from pghmcfc/32-bit-fixes + +32 bit fixes +--- + src/trace.c | 16 ++++++++++++++++ + tests/api/misc.c | 2 +- + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/trace.c b/src/trace.c +index 1c29cc6bf..dc22e9e89 100644 +--- a/src/trace.c ++++ b/src/trace.c +@@ -273,7 +273,13 @@ int pr_trace_parse_levels(char *str, int *min_level, int *max_level) { + ptr = strchr(str, '-'); + if (ptr == NULL) { + /* Just a single value. */ ++ errno = 0; + high = (int) strtol(str, &ptr, 10); ++ if (errno == ERANGE) { ++ errno = EINVAL; ++ return -1; ++ } ++ + if (ptr && *ptr) { + errno = EINVAL; + return -1; +@@ -302,6 +308,11 @@ int pr_trace_parse_levels(char *str, int *min_level, int *max_level) { + *ptr = '\0'; + + low = (int) strtol(str, &tmp, 10); ++ if (errno == ERANGE) { ++ errno = EINVAL; ++ return -1; ++ } ++ + if (tmp && *tmp) { + *ptr = '-'; + errno = EINVAL; +@@ -316,6 +327,11 @@ int pr_trace_parse_levels(char *str, int *min_level, int *max_level) { + + tmp = NULL; + high = (int) strtol(ptr + 1, &tmp, 10); ++ if (errno == ERANGE) { ++ errno = EINVAL; ++ return -1; ++ } ++ + if (tmp && *tmp) { + errno = EINVAL; + return -1; +diff --git a/tests/api/misc.c b/tests/api/misc.c +index 16d56cb71..926d9b3e3 100644 +--- a/tests/api/misc.c ++++ b/tests/api/misc.c +@@ -702,7 +702,7 @@ START_TEST (check_shutmsg_test) { + + (void) unlink(path); + res = write_shutmsg(path, +- "2340 1 1 0 0 0 0000 0000\nGoodbye, cruel world!\n"); ++ "2037 1 1 0 0 0 0000 0000\nGoodbye, cruel world!\n"); + fail_unless(res == 0, "Failed to write '%s': %s", path, strerror(errno)); + + mark_point(); diff --git a/SOURCES/757b9633.patch b/SOURCES/757b9633.patch new file mode 100644 index 0000000..e4027f0 --- /dev/null +++ b/SOURCES/757b9633.patch 
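Review bot: In SOURCES/73887e02.patch, only the first `strtol()` call in `pr_trace_parse_levels()` gets `errno = 0;` before it. The two range-form calls in the hunks at -302 and -316 test `errno == ERANGE` with no reset visible, so a stale ERANGE from earlier code would reject a valid level string unless errno is cleared outside the hunks. The new early return after the `low` conversion also skips the `*ptr = '-';` restore that the neighbouring error path performs, leaving the caller's string cut off at the dash. I would add `errno = 0;` before each of those two calls and `*ptr = '-';` before the added `return -1;` in the `low` branch. Separately, the `(int)` cast still truncates silently where `long` is wider than `int`, because such values do not raise ERANGE.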
@@ -0,0 +1,119 @@ +From 757b9633191eafa32a86ab8ec032e743d0227093 Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Wed, 5 Jul 2017 23:33:16 -0700 +Subject: [PATCH] Bug#4308: When authorizing a user, check for any shadow + information for that user, and use such information as part of the + authorization check. + +--- + modules/mod_auth_unix.c | 67 +++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 54 insertions(+), 13 deletions(-) + +diff --git a/modules/mod_auth_unix.c b/modules/mod_auth_unix.c +index 788b4c549..7d7a994d7 100644 +--- a/modules/mod_auth_unix.c ++++ b/modules/mod_auth_unix.c +@@ -715,34 +715,40 @@ static char *get_pwd_info(pool *p, const char *u, time_t *lstchg, time_t *min, + MODRET pw_auth(cmd_rec *cmd) { + int res; + time_t now; +- char *cpw; +- time_t lstchg = -1, max = -1, inact = -1, disable = -1; ++ char *cleartxt_passwd; ++ time_t lstchg = -1, max = -1, inact = -1, expire = -1; + const char *name; ++ size_t cleartxt_passwdlen; + + name = cmd->argv[0]; +- time(&now); + +- cpw = get_pwd_info(cmd->tmp_pool, name, &lstchg, NULL, &max, NULL, &inact, +- &disable); +- if (cpw == NULL) { ++ cleartxt_passwd = get_pwd_info(cmd->tmp_pool, name, &lstchg, NULL, &max, ++ NULL, &inact, &expire); ++ if (cleartxt_passwd == NULL) { + return PR_DECLINED(cmd); + } + +- res = pr_auth_check(cmd->tmp_pool, cpw, cmd->argv[0], cmd->argv[1]); ++ res = pr_auth_check(cmd->tmp_pool, cleartxt_passwd, cmd->argv[0], ++ cmd->argv[1]); ++ cleartxt_passwdlen = strlen(cleartxt_passwd); ++ pr_memscrub(cleartxt_passwd, cleartxt_passwdlen); ++ + if (res < PR_AUTH_OK) { + return PR_ERROR_INT(cmd, res); + } + ++ time(&now); ++ + if (lstchg > (time_t) 0 && + max > (time_t) 0 && + inact > (time_t) 0) { +- if (now > lstchg + max + inact) { ++ if (now > (lstchg + max + inact)) { + return PR_ERROR_INT(cmd, PR_AUTH_AGEPWD); + } + } + +- if (disable > (time_t) 0 && +- now > disable) { ++ if (expire > (time_t) 0 && ++ now > expire) { + return PR_ERROR_INT(cmd, 
PR_AUTH_DISABLEDPWD); + } + +@@ -751,14 +757,49 @@ MODRET pw_auth(cmd_rec *cmd) { + } + + MODRET pw_authz(cmd_rec *cmd) { ++ time_t now; ++ char *user, *cleartxt_passwd; ++ time_t lstchg = -1, max = -1, inact = -1, expire = -1; ++ size_t cleartxt_passwdlen; ++ ++ user = cmd->argv[0]; ++ ++ cleartxt_passwd = get_pwd_info(cmd->tmp_pool, user, &lstchg, NULL, &max, ++ NULL, &inact, &expire); ++ if (cleartxt_passwd == NULL) { ++ pr_log_auth(LOG_WARNING, "no password information found for user '%.100s'", ++ user); ++ return PR_ERROR_INT(cmd, PR_AUTH_NOPWD); ++ } ++ ++ cleartxt_passwdlen = strlen(cleartxt_passwd); ++ pr_memscrub(cleartxt_passwd, cleartxt_passwdlen); ++ ++ time(&now); ++ ++ if (lstchg > (time_t) 0 && ++ max > (time_t) 0 && ++ inact > (time_t) 0) { ++ if (now > (lstchg + max + inact)) { ++ pr_log_auth(LOG_WARNING, ++ "account for user '%.100s' disabled due to inactivity", user); ++ return PR_ERROR_INT(cmd, PR_AUTH_AGEPWD); ++ } ++ } ++ ++ if (expire > (time_t) 0 && ++ now > expire) { ++ pr_log_auth(LOG_WARNING, ++ "account for user '%.100s' disabled due to password expiration", user); ++ return PR_ERROR_INT(cmd, PR_AUTH_DISABLEDPWD); ++ } ++ + /* XXX Any other implementations here? */ + + #ifdef HAVE_LOGINRESTRICTIONS + if (!(auth_unix_opts & AUTH_UNIX_OPT_AIX_NO_RLOGIN)) { + int res, xerrno, code = 0; +- char *user = NULL, *reason = NULL; +- +- user = cmd->argv[0]; ++ char *reason = NULL; + + /* Check for account login restrictions and such using AIX-specific + * functions. diff --git a/SOURCES/7907aa65.patch b/SOURCES/7907aa65.patch new file mode 100644 index 0000000..3badbe6 --- /dev/null +++ b/SOURCES/7907aa65.patch 
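Review bot: In SOURCES/757b9633.patch, `pw_authz()` returns `PR_ERROR_INT(cmd, PR_AUTH_NOPWD)` when `get_pwd_info()` yields NULL, while `pw_auth()` in the same file returns `PR_DECLINED(cmd)` for the same condition. If this authorization handler can run for an account that authenticated through a different backend and has no Unix password entry (not determinable from this patch), that account is now refused outright, so the difference deserves either a comment explaining it or a decline. The name `cleartxt_passwd` is also misleading: the value comes from `get_pwd_info()` and is passed to `pr_auth_check()` alongside the client-supplied `cmd->argv[1]`, which suggests it is the stored hash rather than a cleartext password; a name like `stored_passwd` would read correctly. The ageing and expiry checks are now duplicated in both functions and could share one static helper.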
@@ -0,0 +1,47 @@
+From 925ee5b8f636ab2fd5a3e02af79ba49f54a85b8d Mon Sep 17 00:00:00 2001
+From: Paul Howarth
+Date: Fri, 5 May 2017 15:38:59 +0100
+Subject: [PATCH] Don't touch TLSCipherSuite when using system profiles
+
+Fedora and possibly other Linux distributions support system-wide
+crypto policies to enable sane defaults to be specified in an ever
+changing world of different cipher recommendations. In order to use
+such a policy, OpenSSL users just set their cipher selection to
+"PROFILE=SYSTEM", and the system-wide policy will be selected
+(which can itself be set to various values, for best compatibility,
+best strength, a compromise of the two, etc.).
+
+See:
+https://fedoraproject.org/wiki/Packaging:CryptoPolicies
+https://fedoraproject.org/wiki/Changes/CryptoPolicy
+
+The "PROFILE=SYSTEM" string cannot be used in conjunction with other
+cipher selections, so prepending it with "!EXPORT:" results in:
+
+mod_tls/2.7[xxxxx]: unable to accept TLS connection: client does not support
+any cipher from 'TLSCipherSuite !EXPORT:PROFILE=SYSTEM' (see `openssl ciphers
+!EXPORT:PROFILE=SYSTEM` for full list)
+
+Hence, do not touch the supplied TLSCipherSuite if it starts with "PROFILE=".
+---
+ contrib/mod_tls.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
+index 3ff8ee2..c38ecac 100644
+--- a/contrib/mod_tls.c
++++ b/contrib/mod_tls.c
+@@ -11985,7 +11985,12 @@ MODRET set_tlsciphersuite(cmd_rec *cmd) {
+ c = add_config_param(cmd->argv[0], 1, NULL);
+
+ /* Make sure that EXPORT ciphers cannot be used, per Bug#4163. */
+- ciphersuite = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL);
++ /* This breaks system profiles though, so don't change them. */
++ if (strncmp(ciphersuite, "PROFILE=", 8) == 0) {
++ ciphersuite = pstrdup(c->pool, ciphersuite);
++ } else {
++ ciphersuite = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL);
++ }
+
+ /* Check that our construct ciphersuite is acceptable. */
+ ctx = SSL_CTX_new(SSLv23_server_method());
diff --git a/SOURCES/8a186e2d.patch b/SOURCES/8a186e2d.patch
new file mode 100644
index 0000000..e4c9ee9
--- /dev/null
+++ b/SOURCES/8a186e2d.patch
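Review bot: The new `strncmp(ciphersuite, "PROFILE=", 8) == 0` branch in set_tlsciphersuite skips the `!EXPORT:` prefix for any value that merely starts with `PROFILE=`, so the Bug#4163 guarantee now rests entirely on the system crypto policy and on whatever else the administrator puts in that string. The added comment should say so, e.g. `/* PROFILE= values are passed through unchanged; EXPORT exclusion is then the system policy's job. */`. The literal 8 is easy to get out of step with the string; `sizeof("PROFILE=") - 1` would tie the two together. The function starts and ends outside the hunk.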
@@ -0,0 +1,147 @@ +From 2f563aa12cf1ed199671821e2fba7088ab36b681 Mon Sep 17 00:00:00 2001 +From: Paul Howarth +Date: Thu, 18 May 2017 15:38:46 +0100 +Subject: [PATCH] Use /etc/hosts rather than /etc/resolv.conf in fsio unit + tests + +The fsio unit tests require a read-only system file to test that +files can be read, can't be written or deleted etc. The file +/etc/resolv.conf is currently used for this, but does not exist +in the minimum build environment used on Fedora's koji build +servers, resulting in test failures. Using /etc/hosts, which does +exist there and should be equally ubiquitous, fixes this issue. +--- + tests/api/fsio.c | 40 ++++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +diff --git a/tests/api/fsio.c b/tests/api/fsio.c +index bacd306..3cb1741 100644 +--- a/tests/api/fsio.c ++++ b/tests/api/fsio.c +@@ -119,8 +119,8 @@ START_TEST (fsio_sys_open_test) { + + mark_point(); + flags = O_RDONLY; +- fh = pr_fsio_open("/etc/resolv.conf", flags); +- fail_unless(fh != NULL, "Failed to /etc/resolv.conf: %s", strerror(errno)); ++ fh = pr_fsio_open("/etc/hosts", flags); ++ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", strerror(errno)); + + (void) pr_fsio_close(fh); + } +@@ -144,8 +144,8 @@ START_TEST (fsio_sys_open_canon_test) { + strerror(errno), errno); + + flags = O_RDONLY; +- fh = pr_fsio_open_canon("/etc/resolv.conf", flags); +- fail_unless(fh != NULL, "Failed to /etc/resolv.conf: %s", strerror(errno)); ++ fh = pr_fsio_open_canon("/etc/hosts", flags); ++ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", strerror(errno)); + + (void) pr_fsio_close(fh); + } +@@ -159,7 +159,7 @@ START_TEST (fsio_sys_open_chroot_guard_test) { + res = pr_fsio_guard_chroot(TRUE); + fail_unless(res == FALSE, "Expected FALSE (%d), got %d", FALSE, res); + +- path = "/etc/resolv.conf"; ++ path = "/etc/hosts"; + flags = O_CREAT|O_RDONLY; + fh = pr_fsio_open(path, flags); + if (fh != NULL) { +@@ -203,7 +203,7 @@ 
START_TEST (fsio_sys_open_chroot_guard_test) { + + (void) pr_fsio_guard_chroot(FALSE); + +- path = "/etc/resolv.conf"; ++ path = "/etc/hosts"; + flags = O_RDONLY; + fh = pr_fsio_open(path, flags); + fail_unless(fh != NULL, "Failed to open '%s': %s", path, strerror(errno)); +@@ -220,8 +220,8 @@ START_TEST (fsio_sys_close_test) { + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s %d", EINVAL, + strerror(errno), errno); + +- fh = pr_fsio_open("/etc/resolv.conf", O_RDONLY); +- fail_unless(fh != NULL, "Failed to open /etc/resolv.conf: %s", ++ fh = pr_fsio_open("/etc/hosts", O_RDONLY); ++ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", + strerror(errno)); + + res = pr_fsio_close(fh); +@@ -265,8 +265,8 @@ START_TEST (fsio_sys_unlink_chroot_guard_test) { + res = pr_fsio_guard_chroot(TRUE); + fail_unless(res == FALSE, "Expected FALSE (%d), got %d", FALSE, res); + +- res = pr_fsio_unlink("/etc/resolv.conf"); +- fail_unless(res < 0, "Deleted /etc/resolv.conf unexpectedly"); ++ res = pr_fsio_unlink("/etc/hosts"); ++ fail_unless(res < 0, "Deleted /etc/hosts unexpectedly"); + fail_unless(errno == EACCES, "Expected EACCES (%d), got %s %d", EACCES, + strerror(errno), errno); + +@@ -352,12 +352,12 @@ START_TEST (fsio_sys_fstat_test) { + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); + +- fh = pr_fsio_open("/etc/resolv.conf", O_RDONLY); +- fail_unless(fh != NULL, "Failed to open /etc/resolv.conf: %s", ++ fh = pr_fsio_open("/etc/hosts", O_RDONLY); ++ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", + strerror(errno)); + + res = pr_fsio_fstat(fh, &st); +- fail_unless(res == 0, "Failed to fstat /etc/resolv.conf: %s", ++ fail_unless(res == 0, "Failed to fstat /etc/hosts: %s", + strerror(errno)); + (void) pr_fsio_close(fh); + } +@@ -374,8 +374,8 @@ START_TEST (fsio_sys_read_test) { + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); + +- fh = 
pr_fsio_open("/etc/resolv.conf", O_RDONLY); +- fail_unless(fh != NULL, "Failed to open /etc/resolv.conf: %s", ++ fh = pr_fsio_open("/etc/hosts", O_RDONLY); ++ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", + strerror(errno)); + + res = pr_fsio_read(fh, NULL, 0); +@@ -443,8 +443,8 @@ START_TEST (fsio_sys_lseek_test) { + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); + +- fh = pr_fsio_open("/etc/resolv.conf", O_RDONLY); +- fail_unless(fh != NULL, "Failed to open /etc/resolv.conf: %s", ++ fh = pr_fsio_open("/etc/hosts", O_RDONLY); ++ fail_unless(fh != NULL, "Failed to open /etc/hosts: %s", + strerror(errno)); + + res = pr_fsio_lseek(fh, 0, 0); +@@ -2083,7 +2083,7 @@ START_TEST (fsio_sys_chdir_test) { + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); + +- res = pr_fsio_chdir("/etc/resolv.conf", FALSE); ++ res = pr_fsio_chdir("/etc/hosts", FALSE); + fail_unless(res < 0, "Failed to handle file argument"); + fail_unless(errno == EINVAL || errno == ENOTDIR, + "Expected EINVAL (%d) or ENOTDIR (%d), got %s (%d)", EINVAL, ENOTDIR, +@@ -2145,7 +2145,7 @@ START_TEST (fsio_sys_opendir_test) { + strerror(errno), errno); + + mark_point(); +- path = "/etc/resolv.conf"; ++ path = "/etc/hosts"; + res = pr_fsio_opendir(path); + fail_unless(res == NULL, "Failed to handle file argument"); + fail_unless(errno == ENOTDIR, "Expected ENOTDIR (%d), got %s (%d)", ENOTDIR, +@@ -2175,7 +2175,7 @@ START_TEST (fsio_sys_readdir_test) { + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); + +- dent = pr_fsio_readdir("/etc/resolv.conf"); ++ dent = pr_fsio_readdir("/etc/hosts"); + fail_unless(dent == NULL, "Failed to handle file argument"); + fail_unless(errno == ENOTDIR, "Expected ENOTDIR (%d), got %s (%d)", ENOTDIR, + strerror(errno), errno); 
diff --git a/SOURCES/aa85f127.patch b/SOURCES/aa85f127.patch new file mode 100644 index 0000000..3f46ec6 --- /dev/null +++ b/SOURCES/aa85f127.patch 
@@ -0,0 +1,159 @@ +From aa85f127d31346a28c619ee426090f1f23fd2249 Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Fri, 5 May 2017 09:24:10 -0700 +Subject: [PATCH] Improve detection of badly configured ciphersuites (e.g. + unsupported/misspelled cipher suites) at startup time. + +--- + contrib/mod_tls.c | 21 +++++++++++- + doc/contrib/mod_tls.html | 21 +++++++++++- + tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm | 50 ++++++++++++++++++++++++++++ + 3 files changed, 90 insertions(+), 2 deletions(-) + +diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c +index 7a2a74f..3ff8ee2 100644 +--- a/contrib/mod_tls.c ++++ b/contrib/mod_tls.c +@@ -11976,6 +11976,7 @@ MODRET set_tlscertchain(cmd_rec *cmd) { + MODRET set_tlsciphersuite(cmd_rec *cmd) { + config_rec *c = NULL; + char *ciphersuite = NULL; ++ SSL_CTX *ctx; + + CHECK_ARGS(cmd, 1); + CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL); +@@ -11984,8 +11985,26 @@ MODRET set_tlsciphersuite(cmd_rec *cmd) { + c = add_config_param(cmd->argv[0], 1, NULL); + + /* Make sure that EXPORT ciphers cannot be used, per Bug#4163. */ +- c->argv[0] = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL); ++ ciphersuite = pstrcat(c->pool, "!EXPORT:", ciphersuite, NULL); ++ ++ /* Check that our construct ciphersuite is acceptable. */ ++ ctx = SSL_CTX_new(SSLv23_server_method()); ++ if (ctx != NULL) { ++ if (SSL_CTX_set_cipher_list(ctx, ciphersuite) != 1) { ++ /* Note: tls_get_errors() relies on session.pool, so temporarily set ++ * it to our temporary pool. 
++ */ ++ session.pool = cmd->tmp_pool; ++ ++ CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, ++ "unable to use configured TLSCipherSuite '", ciphersuite, "': ", ++ tls_get_errors(), NULL)); ++ } ++ ++ SSL_CTX_free(ctx); ++ } + ++ c->argv[0] = ciphersuite; + return PR_HANDLED(cmd); + } + +diff --git a/doc/contrib/mod_tls.html b/doc/contrib/mod_tls.html +index c1d3f2d..cc88946 100644 +--- a/doc/contrib/mod_tls.html ++++ b/doc/contrib/mod_tls.html +@@ -295,7 +295,13 @@ + Compatibility: 1.2.7rc1 and later + +

+-Default cipher list is "DEFAULT:!ADH:!EXPORT:!DES". ++Sets the list of SSL/TLS ciphersuites for use. Default cipher list is ++"DEFAULT:!ADH:!EXPORT:!DES". ++ ++

++Note that mod_tls will automatically prepend the ++configured cipher-list with "!EXPORT", in order to prevent the ++use of the insecure "export grade" ciphers. + +

+ How to put together a cipher list parameter: +@@ -2215,6 +2221,19 @@ + TLSDHParamFile /path/to/dh1024.pem + + ++

++Question: I tried to configure a specific ciphersuite ++using TLSCipherSuite, but ProFTPD fails on startup with this error: ++

++  fatal: TLSCipherSuite: unable to use configured TLSCipherSuite '!EXPORT:MYCIPHER':
++  (1) error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match on line 16 of '/etc/proftpd/tls.conf'
++
++Answer: This error indicates that the version of OpenSSL ++does not recognize/support one of the ciphers that you configured in your ++TLSCipherSuite list. Unfortunately the OpenSSL error reporting ++does not pinpoint which is the offending ciphersuite; experimenting ++with your cipher list will reveal which ones are problematic. ++ +

+


+

Installation

+diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm +index f7cd171..226d47c 100644 +--- a/tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm ++++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_tls.pm +@@ -299,6 +299,11 @@ my $TESTS = { + test_class => [qw(bug forking)], + }, + ++ tls_config_tlsciphersuite_bad_cipher => { ++ order => ++$order, ++ test_class => [qw(forking)], ++ }, ++ + tls_session_cache_off_bug3869 => { + order => ++$order, + test_class => [qw(bug forking)], +@@ -8983,6 +8988,51 @@ sub tls_config_tlsdhparamfile_bug3868 { + unlink($log_file); + } + ++sub tls_config_tlsciphersuite_bad_cipher { ++ my $self = shift; ++ my $tmpdir = $self->{tmpdir}; ++ my $setup = test_setup($tmpdir, 'tls'); ++ ++ my $cert_file = File::Spec->rel2abs('t/etc/modules/mod_tls/server-cert.pem'); ++ my $ca_file = File::Spec->rel2abs('t/etc/modules/mod_tls/ca-cert.pem'); ++ ++ my $config = { ++ PidFile => $setup->{pid_file}, ++ ScoreboardFile => $setup->{scoreboard_file}, ++ SystemLog => $setup->{log_file}, ++ ++ IfModules => { ++ 'mod_delay.c' => { ++ DelayEngine => 'off', ++ }, ++ ++ 'mod_tls.c' => { ++ TLSEngine => 'on', ++ TLSLog => $setup->{log_file}, ++ TLSRSACertificateFile => $cert_file, ++ TLSCACertificateFile => $ca_file, ++ TLSCipherSuite => 'FOOBAR', ++ }, ++ }, ++ }; ++ ++ my ($port, $config_user, $config_group) = config_write($setup->{config_file}, ++ $config); ++ ++ my $ex; ++ ++ # This should silently fail. ++ server_start($setup->{config_file}); ++ ++ # This is where we detect the actual problem. ++ eval { server_stop($setup->{pid_file}) }; ++ unless ($@) { ++ $ex = "Server start with bad config unexpectedly"; ++ } ++ ++ test_cleanup($setup->{log_file}, $ex); ++} ++ + sub tls_session_cache_off_bug3869 { + my $self = shift; + my $tmpdir = $self->{tmpdir}; diff --git a/SOURCES/ad786eaa.patch b/SOURCES/ad786eaa.patch new file mode 100644 index 0000000..05042b7 --- /dev/null +++ b/SOURCES/ad786eaa.patch 
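Review bot: On the failure branch of the new `SSL_CTX_set_cipher_list()` check in set_tlsciphersuite, `CONF_ERROR(...)` is reached before `SSL_CTX_free(ctx)`, and `session.pool` is left pointing at `cmd->tmp_pool` although the comment calls the assignment temporary. CONF_ERROR is defined outside the hunk; assuming it returns from the handler, the context is leaked and session.pool may outlive the pool it refers to. Fetching the error text first, then restoring the saved pool and freeing the context before reporting the error, avoids both; the fence shows the reordered branch. A failed `SSL_CTX_new()` is also skipped silently, so in that case the cipher list goes unvalidated. The function begins before the hunk.

```c
    if (SSL_CTX_set_cipher_list(ctx, ciphersuite) != 1) {
      pool *saved_pool = session.pool;
      const char *errstr;

      /* tls_get_errors() relies on session.pool; borrow the temporary pool
       * only for this call.
       */
      session.pool = cmd->tmp_pool;
      errstr = tls_get_errors();
      session.pool = saved_pool;

      SSL_CTX_free(ctx);
      CONF_ERROR(cmd, pstrcat(cmd->tmp_pool,
        "unable to use configured TLSCipherSuite '", ciphersuite, "': ",
        errstr, NULL));
    }
    /* … unchanged: SSL_CTX_free(ctx) on the success path … */
```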
@@ -0,0 +1,23 @@
+From ad786eaa8a232795470dbeab2380dc8d8ac803af Mon Sep 17 00:00:00 2001
+From: TJ Saunders
+Date: Fri, 27 Oct 2017 09:28:19 -0700
+Subject: [PATCH] Merge pull request #617 from pghmcfc/systemd-network-online
+
+systemd: use network-online.target
+---
+ contrib/dist/rpm/proftpd.service | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/dist/rpm/proftpd.service b/contrib/dist/rpm/proftpd.service
+index 8a4df33c9..6c81db398 100644
+--- a/contrib/dist/rpm/proftpd.service
++++ b/contrib/dist/rpm/proftpd.service
+@@ -1,6 +1,7 @@
+ [Unit]
+ Description = ProFTPD FTP Server
+-After = network.target nss-lookup.target local-fs.target remote-fs.target
++Wants=network-online.target
++After=network-online.target nss-lookup.target local-fs.target remote-fs.target
+
+ [Service]
+ Type = simple
diff --git a/SOURCES/adfdc01d.patch b/SOURCES/adfdc01d.patch
new file mode 100644
index 0000000..89817b9
--- /dev/null
+++ b/SOURCES/adfdc01d.patch
@@ -0,0 +1,25 @@
+From 84549ece3a839161794deee1721fc0cf9bf9eb9c Mon Sep 17 00:00:00 2001
+From: Paul Howarth
+Date: Mon, 8 May 2017 10:16:32 +0100
+Subject: [PATCH] Use absolute pathnames for executables in systemd unit files
+
+Otherwise, systemd complains about them and ignores the commands.
+---
+ contrib/dist/rpm/proftpd.service | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/dist/rpm/proftpd.service b/contrib/dist/rpm/proftpd.service
+index c2fd401..07802ca 100644
+--- a/contrib/dist/rpm/proftpd.service
++++ b/contrib/dist/rpm/proftpd.service
+@@ -8,8 +8,8 @@ PIDFile = /run/proftpd/proftpd.pid
+ Environment = PROFTPD_OPTIONS=
+ EnvironmentFile = -/etc/sysconfig/proftpd
+ ExecStart = /usr/sbin/proftpd $PROFTPD_OPTIONS
+-ExecStartPost = touch /var/lock/subsys/proftpd
+-ExecStopPost = rm -f /var/lock/subsys/proftpd
++ExecStartPost = /usr/bin/touch /var/lock/subsys/proftpd
++ExecStopPost = /bin/rm -f /var/lock/subsys/proftpd
+ ExecReload = /bin/kill -HUP $MAINPID
+
+ [Install]
diff --git a/SOURCES/c3e5d75f.patch b/SOURCES/c3e5d75f.patch
new file mode 100644
index 0000000..5228f13
--- /dev/null
+++ b/SOURCES/c3e5d75f.patch
@@ -0,0 +1,97 @@ +From c3e5d75f9c8a60af42646319fcca832d5f1a55d4 Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Sun, 21 May 2017 13:44:23 -0700 +Subject: [PATCH] Merge pull request #513 from pghmcfc/similars + +Fix pr_str_get_similars +--- + src/str.c | 4 ++-- + tests/api/str.c | 36 +++++++++++++++++++----------------- + 2 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/src/str.c b/src/str.c +index eeed096ef..0a59f2379 100644 +--- a/src/str.c ++++ b/src/str.c +@@ -725,11 +725,11 @@ static int distance_cmp(const void *a, const void *b) { + const char *s1, *s2; + int distance1, distance2; + +- cand1 = a; ++ cand1 = * (const struct candidate **) a; + s1 = cand1->s; + distance1 = cand1->distance; + +- cand2 = b; ++ cand2 = * (const struct candidate **) b; + s2 = cand2->s; + distance2 = cand2->distance; + +diff --git a/tests/api/str.c b/tests/api/str.c +index 7c6e11000..9dce95820 100644 +--- a/tests/api/str.c ++++ b/tests/api/str.c +@@ -1469,25 +1469,23 @@ START_TEST (similars_test) { + mark_point(); + similars = (const char **) res->elts; + +- /* Note: We see different results here due to (I think) different +- * qsort(3) implementations. 
++ /* ++ * Note: expected distances are as follows: ++ * ++ * Candidate Case-Sensitive Case-Insensitive ++ * fools 0 0 ++ * odd 5 5 ++ * bar 5 5 ++ * FOO 5 0 + */ + +- expected = "FOO"; +- if (strcmp(similars[0], expected) != 0) { +- expected = "fools"; +- } ++ expected = "fools"; + + fail_unless(strcmp(similars[0], expected) == 0, + "Expected similar '%s', got '%s'", expected, similars[0]); + +- expected = "fools"; +- if (strcmp(similars[1], expected) != 0) { +- expected = "FOO"; +- } +- +- fail_unless(strcmp(similars[1], expected) == 0, +- "Expected similar '%s', got '%s'", expected, similars[1]); ++ fail_unless(strcmp(similars[1], expected) != 0, ++ "Unexpectedly got similar '%s'", similars[1]); + + mark_point(); + res = pr_str_get_similars(p, s, candidates, 0, PR_STR_FL_IGNORE_CASE); +@@ -1499,18 +1497,22 @@ START_TEST (similars_test) { + mark_point(); + similars = (const char **) res->elts; + ++ /* ++ * similars[0] and similars[1] should be "FOO" and "fools", but ++ * not necessarily in that order ++ */ + expected = "FOO"; + if (strcmp(similars[0], expected) != 0) { +- expected = "fools"; ++ expected = similars[0]; ++ similars[0] = similars[1]; ++ similars[1] = expected; ++ expected = "FOO"; + } + + fail_unless(strcmp(similars[0], expected) == 0, + "Expected similar '%s', got '%s'", expected, similars[0]); + + expected = "fools"; +- if (strcmp(similars[1], expected) != 0) { +- expected = "FOO"; +- } + + fail_unless(strcmp(similars[1], expected) == 0, + "Expected similar '%s', got '%s'", expected, similars[1]); diff --git a/SOURCES/proftpd-1.3.4rc1-mod_vroot-test.patch b/SOURCES/proftpd-1.3.4rc1-mod_vroot-test.patch new file mode 100644 index 0000000..be6d071 --- /dev/null +++ b/SOURCES/proftpd-1.3.4rc1-mod_vroot-test.patch 
@@ -0,0 +1,14 @@
+--- proftpd-1.3.4rc1/tests/tests.pl 2010-12-15 00:57:04.000000000 +0000
++++ proftpd-1.3.4rc1/tests/tests.pl 2011-01-11 09:22:57.746669659 +0000
+@@ -283,6 +283,11 @@
+ test_class => [qw(mod_unique_id)],
+ },
+
++ 't/modules/mod_vroot.t' => {
++ order => ++$order,
++ test_class => [qw(mod_vroot)],
++ },
++
+ 't/modules/mod_wrap.t' => {
+ order => ++$order,
+ test_class => [qw(mod_wrap)],
diff --git a/SOURCES/proftpd-1.3.6-add-enable-tests-nonetwork-option.patch b/SOURCES/proftpd-1.3.6-add-enable-tests-nonetwork-option.patch
new file mode 100644
index 0000000..254b9d5
--- /dev/null
+++ b/SOURCES/proftpd-1.3.6-add-enable-tests-nonetwork-option.patch
@@ -0,0 +1,186 @@ +From 49ef73f7193242eac07de27c2e853d9e805162ec Mon Sep 17 00:00:00 2001 +From: Paul Howarth +Date: Wed, 3 May 2017 11:57:23 +0100 +Subject: [PATCH] Add --enable-tests=nonetwork option + +This disables API tests that involve resolving/connecting to external +network services such as Google, which may not be possible in some +build environments. + +Tested using systemd-nspawn --private-network +--- + config.h.in | 3 +++ + configure.in | 5 ++++- + tests/api/inet.c | 6 ++++++ + tests/api/netaddr.c | 6 ++++++ + 4 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/config.h.in b/config.h.in +index a38734a..229c9db 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -1068,6 +1068,9 @@ + /* Define if ncursesw support, if available, should be used. */ + #undef PR_USE_NCURSESW + ++/* Define if non-local network tests are enabled. */ ++#undef PR_USE_NETWORK_TESTS ++ + /* Define if using nonblocking open of log files. */ + #undef PR_USE_NONBLOCKING_LOG_OPEN + +diff --git a/configure.in b/configure.in +index 1e39c37..dba39ba 100644 +--- a/configure.in ++++ b/configure.in +@@ -985,7 +985,7 @@ AC_ARG_ENABLE(tests, + [--enable-tests], + [enable unit tests (default=no)]) + ], +- [ if test x"$enableval" = x"yes" ; then ++ [ if test x"$enableval" = x"yes" || test x"$enableval" = x"nonetwork" ; then + AC_CHECK_HEADERS(check.h) + + AC_CHECK_LIB(check, tcase_create, +@@ -997,6 +997,9 @@ AC_ARG_ENABLE(tests, + AC_MSG_ERROR([libcheck support, required for tests, not present -- aborting]) + ] + ) ++ if test x"$enableval" != x"nonetwork" ; then ++ AC_DEFINE(PR_USE_NETWORK_TESTS, 1, [Define if non-local network tests are enabled.]) ++ fi + fi + ]) + +diff -up a/configure b/configure +--- a/configure ++++ b/configure +@@ -20423,7 +20423,7 @@ fi + ENABLE_TESTS="\"\"" + # Check whether --enable-tests was given. 
+ if test "${enable_tests+set}" = set; then +- enableval=$enable_tests; if test x"$enableval" = x"yes" ; then ++ enableval=$enable_tests; if test x"$enableval" = x"yes" || test x"$enableval" = x"nonetwork" ; then + + for ac_header in check.h + do +@@ -20648,6 +20648,13 @@ echo "$as_me: error: libcheck support, r + + fi + ++ if test x"$enableval" != x"nonetwork" ; then ++ ++cat >>confdefs.h <<\_ACEOF ++#define PR_USE_NETWORK_TESTS 1 ++_ACEOF ++ ++ fi + fi + + fi +diff --git a/tests/api/inet.c b/tests/api/inet.c +index 03c4781..c111629 100644 +--- a/tests/api/inet.c ++++ b/tests/api/inet.c +@@ -522,6 +522,7 @@ START_TEST (inet_connect_ipv4_test) { + fail_unless(errno == ECONNREFUSED, "Expected ECONNREFUSED (%d), got %s (%d)", + ECONNREFUSED, strerror(errno), errno); + ++#if defined(PR_USE_NETWORK_TESTS) + /* Try connecting to Google's DNS server. */ + + addr = pr_netaddr_get_addr(p, "8.8.8.8", NULL); +@@ -551,6 +552,7 @@ START_TEST (inet_connect_ipv4_test) { + fail_unless(errno == EISCONN, "Expected EISCONN (%d), got %s (%d)", + EISCONN, strerror(errno), errno); + pr_inet_close(p, conn); ++#endif + } + END_TEST + +@@ -579,6 +581,7 @@ START_TEST (inet_connect_ipv6_test) { + "Expected ECONNREFUSED (%d), ENETUNREACH (%d), or EADDRNOTAVAIL (%d), got %s (%d)", + ECONNREFUSED, ENETUNREACH, EADDRNOTAVAIL, strerror(errno), errno); + ++#if defined(PR_USE_NETWORK_TESTS) + /* Try connecting to Google's DNS server. 
*/ + + addr = pr_netaddr_get_addr(p, "2001:4860:4860::8888", NULL); +@@ -614,6 +617,7 @@ START_TEST (inet_connect_ipv6_test) { + fail_unless(errno == EISCONN || errno == EHOSTUNREACH || errno == ENETUNREACH || errno == EADDRNOTAVAIL, + "Expected EISCONN (%d) or EHOSTUNREACH (%d) or ENETUNREACH (%d) or EADDRNOTAVAIL (%d), got %s (%d)", EISCONN, EHOSTUNREACH, ENETUNREACH, EADDRNOTAVAIL, strerror(errno), errno); + pr_inet_close(p, conn); ++#endif + + pr_inet_set_default_family(p, AF_INET); + +@@ -649,6 +653,7 @@ START_TEST (inet_connect_nowait_test) { + res = pr_inet_connect_nowait(p, conn, addr, 180); + fail_unless(res != -1, "Connected to 127.0.0.1#180 unexpectedly"); + ++#if defined(PR_USE_NETWORK_TESTS) + /* Try connecting to Google's DNS server. */ + + addr = pr_netaddr_get_addr(p, "8.8.8.8", NULL); +@@ -664,6 +669,7 @@ START_TEST (inet_connect_nowait_test) { + } + + pr_inet_close(p, conn); ++#endif + + /* Restore the default family to AF_INET, for other tests. */ + pr_inet_set_default_family(p, AF_INET); +diff --git a/tests/api/netaddr.c b/tests/api/netaddr.c +index 80d3327..124dc39 100644 +--- a/tests/api/netaddr.c ++++ b/tests/api/netaddr.c +@@ -146,6 +146,7 @@ START_TEST (netaddr_get_addr_test) { + fail_unless(res->na_family == AF_INET, "Expected family %d, got %d", + AF_INET, res->na_family); + ++#if defined(PR_USE_NETWORK_TESTS) + /* Google: the Dial Tone of the Internet. 
*/ + name = "www.google.com"; + +@@ -161,6 +162,7 @@ START_TEST (netaddr_get_addr_test) { + strerror(errno)); + fail_unless(res->na_family == AF_INET, "Expected family %d, got %d", + AF_INET, res->na_family); ++#endif + + name = "127.0.0.1"; + +@@ -903,6 +905,7 @@ START_TEST (netaddr_get_dnsstr_list_test) { + + pr_netaddr_clear_cache(); + ++#if defined(PR_USE_NETWORK_TESTS) + addr = pr_netaddr_get_addr(p, "www.google.com", &addrs); + fail_unless(addr != NULL, "Failed to resolve 'www.google.com': %s", + strerror(errno)); +@@ -921,6 +924,7 @@ START_TEST (netaddr_get_dnsstr_list_test) { + /* Ideally we would check that res->nelts > 0, BUT this turns out to + * a fragile test condition, dependent on DNS vagaries. + */ ++#endif + + pr_netaddr_set_reverse_dns(reverse_dns); + } +@@ -1082,6 +1086,7 @@ START_TEST (netaddr_is_loopback_test) { + fail_unless(errno == EINVAL, "Expected EINVAL (%d), got %s (%d)", EINVAL, + strerror(errno), errno); + ++#if defined(PR_USE_NETWORK_TESTS) + name = "www.google.com"; + addr = pr_netaddr_get_addr(p, name, NULL); + fail_unless(addr != NULL, "Failed to resolve '%s': %s", name, +@@ -1089,6 +1094,7 @@ START_TEST (netaddr_is_loopback_test) { + + res = pr_netaddr_is_loopback(addr); + fail_unless(res == FALSE, "Expected FALSE, got %d", res); ++#endif + + name = "127.0.0.1"; + addr = pr_netaddr_get_addr(p, name, NULL); +-- +2.9.3 diff --git a/SOURCES/proftpd-1.3.6-no-mod-wrap.patch b/SOURCES/proftpd-1.3.6-no-mod-wrap.patch new file mode 100644 index 0000000..e3c5562 --- /dev/null +++ b/SOURCES/proftpd-1.3.6-no-mod-wrap.patch 
@@ -0,0 +1,14 @@
+--- proftpd.conf
++++ proftpd.conf
+@@ -238,11 +238,6 @@ LoadModule mod_ctrls_admin.c
+ # LoadModule mod_tls_memcache.c
+ #
+ # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
+-# files, for IP-based access control
+-# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
+-# LoadModule mod_wrap.c
+-#
+-# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
+ # files, as well as SQL-based access rules, for IP-based access control
+ # (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
+ # LoadModule mod_wrap2.c
diff --git a/SOURCES/proftpd-1.3.6-shellbang.patch b/SOURCES/proftpd-1.3.6-shellbang.patch
new file mode 100644
index 0000000..a7d6acc
--- /dev/null
+++ b/SOURCES/proftpd-1.3.6-shellbang.patch
@@ -0,0 +1,40 @@
+--- contrib/ftpasswd
++++ contrib/ftpasswd
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2000-2015 TJ Saunders
+ #
+--- contrib/ftpmail
++++ contrib/ftpmail
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2008-2013 TJ Saunders
+ #
+--- contrib/ftpquota
++++ contrib/ftpquota
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # -------------------------------------------------------------------------
+ # Copyright (C) 2000-2017 TJ Saunders
+ #
+--- contrib/xferstats.holger-preiss
++++ contrib/xferstats.holger-preiss
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # ---------------------------------------------------------------------------
+ #
+ # USAGE: xferstats
+--- src/prxs.in
++++ src/prxs.in
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2008-2012 TJ Saunders
diff --git a/SOURCES/proftpd-welcome.msg b/SOURCES/proftpd-welcome.msg new file mode 100644 index 0000000..2a190a2 --- /dev/null +++ b/SOURCES/proftpd-welcome.msg @@ -0,0 +1,6 @@ + + *** Welcome to this anonymous ftp server! *** + + You are user %N out of a maximum of %M authorized anonymous logins. + The current time here is %T. + If you experience any problems here, contact : %E diff --git a/SOURCES/proftpd.conf b/SOURCES/proftpd.conf new file mode 100644 index 0000000..f10490a --- /dev/null +++ b/SOURCES/proftpd.conf 
@@ -0,0 +1,430 @@
+# This is the ProFTPD configuration file
+#
+# See: http://www.proftpd.org/docs/directives/linked/by-name.html
+
+# Security-Enhanced Linux (SELinux) Notes:
+#
+# In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux
+# in order to mitigate the effects of an attacker taking advantage of an
+# unpatched vulnerability and getting control of the ftp server. By default,
+# ProFTPD cannot read or write most files on a system nor connect to many
+# external network services, but these restrictions can be relaxed by
+# setting SELinux booleans as follows:
+#
+# setsebool -P ftpd_anon_write=1
+# This allows the ftp daemon to write to files and directories labelled
+# with the public_content_rw_t context type; the daemon would only have
+# read access to these files normally. Files to be made available by ftp
+# but not writeable should be labelled public_content_t.
+# On older systems this boolean was called allow_ftpd_anon_write.
+#
+# setsebool -P ftpd_full_access=1
+# This allows the ftp daemon to read and write all files on the system.
+# On older systems this boolean was called allow_ftpd_full_access, and there
+# was a separate boolean ftp_home_dir to allow the ftp daemon access to
+# files in users' home directories.
+#
+# setsebool -P ftpd_use_cifs=1
+# This allows the ftp daemon to read and write files on CIFS-mounted
+# filesystems.
+# On older systems this boolean was called allow_ftpd_use_cifs.
+#
+# setsebool -P ftpd_use_fusefs=1
+# This allows the ftp daemon to read and write files on ntfs/fusefs-mounted
+# filesystems.
+#
+# setsebool -P ftpd_use_nfs=1
+# This allows the ftp daemon to read and write files on NFS-mounted
+# filesystems.
+# On older systems this boolean was called allow_ftpd_use_nfs.
+#
+# setsebool -P ftpd_connect_all_unreserved=1
+# This setting is only available from Fedora 16/RHEL-7 onwards, and is
+# necessary for active-mode ftp transfers to work reliably with non-Linux
+# clients (see http://bugzilla.redhat.com/782177), which may choose to
+# use port numbers outside the "ephemeral port" range of 32768-61000.
+#
+# setsebool -P ftpd_connect_db=1
+# This setting allows the ftp daemon to connect to commonly-used database
+# ports over the network, which is necessary if you are using a database
+# back-end for user authentication, etc.
+#
+# setsebool -P ftpd_use_passive_mode=1
+# This setting allows the ftp daemon to bind to all unreserved ports for
+# passive mode.
+#
+# All of these booleans are unset by default.
+#
+# See also the "ftpd_selinux" manpage.
+#
+# Note that the "-P" option to setsebool makes the setting permanent, i.e.
+# it will still be in effect after a reboot; without the "-P" option, the
+# effect only lasts until the next reboot.
+#
+# Restrictions imposed by SELinux are on top of those imposed by ordinary
+# file ownership and access permissions; in normal operation, the ftp daemon
+# will not be able to read and/or write a file unless *all* of the ownership,
+# permission and SELinux restrictions allow it.
+
+# Server Config - config used for anything outside a or context
+# See: http://www.proftpd.org/docs/howto/Vhost.html
+
+# Trace logging, disabled by default for performance reasons
+# (http://www.proftpd.org/docs/howto/Tracing.html)
+#TraceLog /var/log/proftpd/trace.log
+#Trace DEFAULT:0
+
+ServerName "ProFTPD server"
+ServerIdent on "FTP Server ready."
+ServerAdmin root@localhost
+DefaultServer on
+
+# Cause every FTP user except adm to be chrooted into their home directory
+DefaultRoot ~ !adm
+
+# Use pam to authenticate (default) and be authoritative
+AuthPAMConfig proftpd
+AuthOrder mod_auth_pam.c* mod_auth_unix.c
+# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
+#PersistentPasswd off
+
+# Don't do reverse DNS lookups (hangs on DNS problems)
+UseReverseDNS off
+
+# Set the user and group that the server runs as
+User nobody
+Group nobody
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 20. If you need to allow more than 20 concurrent connections
+# at once, simply increase this value. Note that this ONLY works
+# in standalone mode; in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd)
+MaxInstances 20
+
+# Disable sendfile by default since it breaks displaying the download speeds in
+# ftptop and ftpwho
+UseSendfile off
+
+# Define the log formats
+LogFormat default "%h %l %u %t \"%r\" %s %b"
+LogFormat auth "%v [%P] %h %t \"%r\" %s"
+
+# Dynamic Shared Object (DSO) loading
+# See README.DSO and howto/DSO.html for more details
+#
+# General database support (http://www.proftpd.org/docs/contrib/mod_sql.html)
+# LoadModule mod_sql.c
+#
+# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL tables
+# (contrib/mod_sql_passwd.html)
+# LoadModule mod_sql_passwd.c
+#
+# Mysql support (requires proftpd-mysql package)
+# (http://www.proftpd.org/docs/contrib/mod_sql.html)
+# LoadModule mod_sql_mysql.c
+#
+# Postgresql support (requires proftpd-postgresql package)
+# (http://www.proftpd.org/docs/contrib/mod_sql.html)
+# LoadModule mod_sql_postgres.c
+#
+# SQLite support (requires proftpd-sqlite package)
+# (http://www.proftpd.org/docs/contrib/mod_sql.html,
+# http://www.proftpd.org/docs/contrib/mod_sql_sqlite.html)
+# LoadModule mod_sql_sqlite.c
+#
+# Quota support (http://www.proftpd.org/docs/contrib/mod_quotatab.html)
+# LoadModule mod_quotatab.c
+#
+# File-specific "driver" for storing quota table information in files
+# (http://www.proftpd.org/docs/contrib/mod_quotatab_file.html)
+# LoadModule mod_quotatab_file.c
+#
+# SQL database "driver" for storing quota table information in SQL tables
+# (http://www.proftpd.org/docs/contrib/mod_quotatab_sql.html)
+# LoadModule mod_quotatab_sql.c
+#
+# LDAP support (requires proftpd-ldap package)
+# (http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html)
+# LoadModule mod_ldap.c
+#
+# LDAP quota support (requires proftpd-ldap package)
+# (http://www.proftpd.org/docs/contrib/mod_quotatab_ldap.html)
+# LoadModule mod_quotatab_ldap.c
+#
+# Support for authenticating users using the RADIUS protocol
+# (http://www.proftpd.org/docs/contrib/mod_radius.html)
+# LoadModule mod_radius.c
+#
+# Retrieve quota limit table information from a RADIUS server
+# (http://www.proftpd.org/docs/contrib/mod_quotatab_radius.html)
+# LoadModule mod_quotatab_radius.c
+#
+# SITE CPFR and SITE CPTO commands (analogous to RNFR and RNTO), which can be
+# used to copy files/directories from one place to another on the server
+# without having to transfer the data to the client and back
+# (http://www.castaglia.org/proftpd/modules/mod_copy.html)
+# LoadModule mod_copy.c
+#
+# Administrative control actions for the ftpdctl program
+# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
+LoadModule mod_ctrls_admin.c
+#
+# Support for MODE Z commands, which allows FTP clients and servers to
+# compress data for transfer
+# (http://www.castaglia.org/proftpd/modules/mod_deflate.html)
+# LoadModule mod_deflate.c
+#
+# Execute external programs or scripts at various points in the process
+# of handling FTP commands
+# (http://www.castaglia.org/proftpd/modules/mod_exec.html)
+# LoadModule mod_exec.c
+#
+# Support for POSIX ACLs
+# (http://www.proftpd.org/docs/modules/mod_facl.html)
+# LoadModule mod_facl.c
+#
+# Support for using the GeoIP library to look up geographical information on
+# the connecting client and using that to set access controls for the server
+# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
+# LoadModule mod_geoip.c
+#
+# Allow for version-specific configuration sections of the proftpd config file,
+# useful for using the same proftpd config across multiple servers where
+# different proftpd versions may be in use
+# (http://www.castaglia.org/proftpd/modules/mod_ifversion.html)
+# LoadModule mod_ifversion.c
+#
+# Configure server availability based on system load
+# (http://www.proftpd.org/docs/contrib/mod_load.html)
+# LoadModule mod_load.c
+#
+# Limit downloads to a multiple of upload volume (see README.ratio)
+# LoadModule mod_ratio.c
+#
+# Rewrite FTP commands sent by clients on-the-fly,
+# using regular expression matching and substitution
+# (http://www.proftpd.org/docs/contrib/mod_rewrite.html)
+# LoadModule mod_rewrite.c
+#
+# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
+# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
+# LoadModule mod_sftp.c
+#
+# Use PAM to provide a 'keyboard-interactive' SSH2 authentication method for
+# mod_sftp (http://www.castaglia.org/proftpd/modules/mod_sftp_pam.html)
+# LoadModule mod_sftp_pam.c
+#
+# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for user
+# and host based authentication
+# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
+# LoadModule mod_sftp_sql.c
+#
+# Provide data transfer rate "shaping" across the entire server
+# (http://www.castaglia.org/proftpd/modules/mod_shaper.html)
+# LoadModule mod_shaper.c
+#
+# Support for miscellaneous SITE commands such as SITE MKDIR, SITE SYMLINK,
+# and SITE UTIME (http://www.proftpd.org/docs/contrib/mod_site_misc.html)
+# LoadModule mod_site_misc.c
+#
+# Provide an external SSL session cache using shared memory
+# (contrib/mod_tls_shmcache.html)
+# LoadModule mod_tls_shmcache.c
+#
+# Provide a memcached-based implementation of an external SSL session cache
+# (contrib/mod_tls_memcache.html)
+# LoadModule mod_tls_memcache.c
+#
+# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
+# files, for IP-based access control
+# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
+# LoadModule mod_wrap.c
+#
+# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
+# files, as well as SQL-based access rules, for IP-based access control
+# (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
+# LoadModule mod_wrap2.c
+#
+# Support module for mod_wrap2 that handles access rules stored in specially
+# formatted files on disk
+# (http://www.proftpd.org/docs/contrib/mod_wrap2_file.html)
+# LoadModule mod_wrap2_file.c
+#
+# Support module for mod_wrap2 that handles access rules stored in SQL
+# database tables (http://www.proftpd.org/docs/contrib/mod_wrap2_sql.html)
+# LoadModule mod_wrap2_sql.c
+#
+# Implement a virtual chroot capability that does not require root privileges
+# (http://www.castaglia.org/proftpd/modules/mod_vroot.html)
+# Using this module rather than the kernel's chroot() system call works
+# around issues with PAM and chroot (http://bugzilla.redhat.com/506735)
+LoadModule mod_vroot.c
+#
+# Provide a flexible way of specifying that certain configuration directives
+# only apply to certain sessions, based on credentials such as connection
+# class, user, or group membership
+# (http://www.proftpd.org/docs/contrib/mod_ifsession.html)
+# LoadModule mod_ifsession.c
+
+# Allow only user root to load and unload modules, but allow everyone
+# to see which modules have been loaded
+# (http://www.proftpd.org/docs/modules/mod_dso.html#ModuleControlsACLs)
+ModuleControlsACLs insmod,rmmod allow user root
+ModuleControlsACLs lsmod allow user *
+
+# Enable basic controls via ftpdctl
+# (http://www.proftpd.org/docs/modules/mod_ctrls.html)
+ControlsEngine on
+ControlsACLs all allow user root
+ControlsSocketACL allow user *
+ControlsLog /var/log/proftpd/controls.log
+
+# Enable admin controls via ftpdctl
+# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
+
+ AdminControlsEngine on
+ AdminControlsACLs all allow user root
+
+
+# Enable mod_vroot by default for better compatibility with PAM
+# (http://bugzilla.redhat.com/506735)
+
+ VRootEngine on
+
+
+# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
+
+ TLSEngine on
+ TLSRequired off
+ TLSCertificateChainFile /etc/pki/tls/certs/proftpd-chain.pem
+ TLSRSACertificateFile /etc/pki/tls/certs/proftpd-cert.pem
+ TLSRSACertificateKeyFile /etc/pki/tls/private/proftpd-key.pem
+ TLSCipherSuite PROFILE=SYSTEM
+ # Relax the requirement that the SSL session be re-used for data transfers
+ TLSOptions NoSessionReuseRequired
+ TLSLog /var/log/proftpd/tls.log
+
+ TLSSessionCache shm:/file=/var/run/proftpd/sesscache
+
+
+
+# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
+# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
+
+ LoadModule mod_ban.c
+ BanEngine on
+ BanLog /var/log/proftpd/ban.log
+ BanTable /var/run/proftpd/ban.tab
+
+ # If the same client reaches the MaxLoginAttempts limit 2 times
+ # within 10 minutes, automatically add a ban for that client that
+ # will expire after one hour.
+ BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
+
+ # Inform the user that it's not worth persisting
+ BanMessage "Host %a has been banned"
+
+ # Allow the FTP admin to manually add/remove bans
+ BanControlsACLs all allow user ftpadm
+
+
+# Set networking-specific "Quality of Service" (QoS) bits on the packets used
+# by the server (contrib/mod_qos.html)
+
+ LoadModule mod_qos.c
+ # RFC791 TOS parameter compatibility
+ QoSOptions dataqos throughput ctrlqos lowdelay
+ # For a DSCP environment (may require tweaking)
+ #QoSOptions dataqos CS2 ctrlqos AF41
+
+
+# Global Config - config common to Server Config and all virtual hosts
+# See: http://www.proftpd.org/docs/howto/Vhost.html
+
+
+ # Umask 022 is a good standard umask to prevent new dirs and files
+ # from being group and world writable
+ Umask 022
+
+ # Allow users to overwrite files and change permissions
+ AllowOverwrite yes
+
+ AllowAll
+
+
+
+
+# A basic anonymous configuration, with an upload directory
+# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
+
+
+ User ftp
+ Group ftp
+ AccessGrantMsg "Anonymous login ok, restrictions apply."
+
+ # We want clients to be able to login with "anonymous" as well as "ftp"
+ UserAlias anonymous ftp
+
+ # Limit the maximum number of anonymous logins
+ MaxClients 10 "Sorry, max %m users -- try again later"
+
+ # Put the user into /pub right after login
+ #DefaultChdir /pub
+
+ # We want 'welcome.msg' displayed at login, '.message' displayed in
+ # each newly chdired directory and tell users to read README* files.
+ DisplayLogin /welcome.msg
+ DisplayChdir .message
+ DisplayReadme README*
+
+ # Cosmetic option to make all files appear to be owned by user "ftp"
+ DirFakeUser on ftp
+ DirFakeGroup on ftp
+
+ # Limit WRITE everywhere in the anonymous chroot
+
+ DenyAll
+
+
+ # An upload directory that allows storing files but not retrieving
+ # or creating directories.
+ #
+ # Directory specification is slightly different if mod_vroot is in
+ # use: see http://sourceforge.net/p/proftp/mailman/message/31728570/
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1045922
+
+
+ AllowOverwrite no
+
+ DenyAll
+
+
+
+ AllowAll
+
+
+
+
+
+ AllowOverwrite no
+
+ DenyAll
+
+
+
+ AllowAll
+
+
+
+
+ # Don't write anonymous accesses to the system wtmp file (good idea!)
+ WtmpLog off
+
+ # Logging for the anonymous transfers
+ ExtendedLog /var/log/proftpd/access.log WRITE,READ default
+ ExtendedLog /var/log/proftpd/auth.log AUTH auth
+
+
+
diff --git a/SOURCES/proftpd.conf-no-memcached.patch b/SOURCES/proftpd.conf-no-memcached.patch
new file mode 100644
index 0000000..8ef6703
--- /dev/null
+++ b/SOURCES/proftpd.conf-no-memcached.patch
@@ -0,0 +1,13 @@
+--- proftpd.conf 2011-04-05 11:59:10.491108239 +0100
++++ proftpd.conf 2010-12-23 15:19:13.667374844 +0000
+@@ -167,10 +167,6 @@
+ # (contrib/mod_tls_shmcache.html)
+ # LoadModule mod_tls_shmcache.c
+ #
+-# Provide a memcached-based implementation of an external SSL session cache
+-# (contrib/mod_tls_memcache.html)
+-# LoadModule mod_tls_memcache.c
+-#
+ # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
+ # files, for IP-based access control
+ # (http://www.proftpd.org/docs/contrib/mod_wrap.html)
diff --git a/SOURCES/proftpd.sysconfig b/SOURCES/proftpd.sysconfig
new file mode 100644
index 0000000..fcef206
--- /dev/null
+++ b/SOURCES/proftpd.sysconfig
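Review bot: In the TLS block of SOURCES/proftpd.conf, `TLSRequired off` means that enabling the block with -DTLS still lets clients send USER/PASS and file data in cleartext, so switching TLS on does not by itself protect the PAM-backed system passwords this config authenticates against. I would ship `TLSRequired on`, or `TLSRequired auth` where cleartext data transfers must stay possible, and say so in a comment next to the directive. The adjacent `TLSOptions NoSessionReuseRequired` also drops the check that a data connection belongs to the same TLS session as its control connection; a comment such as `# Only for clients that cannot reuse the control session; remove where possible` would make that trade-off visible to whoever enables the block. The enclosing section tags are not visible in this rendering, so the block boundaries are inferred from the surrounding comments.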
@@ -0,0 +1,12 @@
+# Set PROFTPD_OPTIONS to add command-line options for proftpd.
+# See proftpd(8) for a comprehensive list of what can be used.
+#
+# The following "Defines" can be used with the default configuration file:
+# -DANONYMOUS_FTP : Enable anonymous FTP
+# -DDYNAMIC_BAN_LISTS : Enable dynamic ban lists (mod_ban)
+# -DQOS : Enable QoS bits on server traffic (mod_qos)
+# -DTLS : Enable TLS (mod_tls)
+#
+# For example, for anonymous FTP and dynamic ban list support:
+# PROFTPD_OPTIONS="-DANONYMOUS_FTP -DDYNAMIC_BAN_LISTS"
+PROFTPD_OPTIONS=""
diff --git a/SPECS/proftpd.spec b/SPECS/proftpd.spec
new file mode 100644
index 0000000..bd535ff
--- /dev/null
+++ b/SPECS/proftpd.spec
@@ -0,0 +1,1602 @@
+#
+# Rebuild switch:
+# --with integrationtests enable integration tests (not fully maintained, likely to fail)
+#
+
+# Do a systemd-based build from Fedora 15; otherwise, a sysvinit-based build
+# With systemd, the runtime directory is /run on tmpfs rather than /var/run on persistent storage
+%if (0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 14)
+%global use_systemd 0
+%global rundir %{_localstatedir}/run
+%global rundir_tmpfs 0
+%else
+%global use_systemd 1
+%global rundir /run
+%global rundir_tmpfs 1
+%endif
+
+# systemd-units merged into systemd at Fedora 17
+%if (0%{?fedora} && 0%{?fedora} <= 16)
+%global systemd_units systemd-units
+%else
+%global systemd_units systemd
+%endif
+
+# Support systemd presets from Fedora 18, RHEL 7
+%if (0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 17)
+%global preset_support 0
+%else
+%global preset_support 1
+%endif
+
+# For memcached support we need libmemcached ≥ 0.41, available from F-14 (EL-6 and below have libmemcached 0.31)
+%if !((0%{?rhel} && 0%{?rhel} <= 6) || (0%{?fedora} && 0%{?fedora} <= 13))
+%global have_libmemcached 1
+%endif
+
+# Switch from mysql-devel to mariadb-connector-c-devel from Fedora 28 onwards
+# Also disable tcp_wrappers support from Fedora 28 onwards (#1518776)
+%if (0%{?rhel} && 0%{?rhel} <= 7) || (0%{?fedora} && 0%{?fedora} <= 27)
+%global mysql_lib mysql
+%global mysql_devel_pkg mysql-devel
+%global libwrap_support 1
+%else
+%global mysql_lib mariadb
+%global mysql_devel_pkg mariadb-connector-c-devel
+%endif
+
+# Do a hardened build where possible
+%global _hardened_build 1
+
+# Dynamic modules contain references to symbols in main dæmon, so we need to disable linker checks for undefined symbols
+%undefine _strict_symbol_defs_build
+
+#global prever rc3
+%global rpmrel 14
+%global mod_vroot_version 0.9.5
+
+Summary: Flexible, stable and highly-configurable FTP server
+Name: proftpd
+Version: 1.3.6
+Release: %{?prever:0.}%{rpmrel}%{?prever:.%{prever}}%{?dist}
+License: GPLv2+
+URL: http://www.proftpd.org/
+
+Source0: ftp://ftp.proftpd.org/distrib/source/proftpd-%{version}%{?prever}.tar.gz
+Source1: proftpd.conf
+Source5: proftpd-welcome.msg
+Source9: proftpd.sysconfig
+Source10: http://github.com/Castaglia/proftpd-mod_vroot/archive/v%{mod_vroot_version}.tar.gz
+
+Patch1: proftpd-1.3.6-shellbang.patch
+Patch2: proftpd.conf-no-memcached.patch
+Patch3: proftpd-1.3.4rc1-mod_vroot-test.patch
+Patch4: proftpd-1.3.6-no-mod-wrap.patch
+
+Patch100: https://github.com/proftpd/proftpd/commit/459693c7.patch
+Patch101: https://github.com/proftpd/proftpd/commit/389cc579.patch
+Patch102: https://github.com/proftpd/proftpd/commit/1825a2b8.patch
+Patch103: https://github.com/proftpd/proftpd/commit/73887e02.patch
+Patch104: https://github.com/proftpd/proftpd/commit/8a186e2d.patch
+Patch105: https://github.com/proftpd/proftpd/commit/c3e5d75f.patch
+Patch106: proftpd-1.3.6-add-enable-tests-nonetwork-option.patch
+Patch107: https://github.com/proftpd/proftpd/commit/adfdc01d.patch
+Patch108: https://github.com/proftpd/proftpd/commit/6cc96b5f.patch
+Patch109: https://github.com/proftpd/proftpd/commit/aa85f127.patch
+Patch110: https://github.com/proftpd/proftpd/commit/7907aa65.patch
+Patch111: https://github.com/proftpd/proftpd/commit/08ba2f63.patch
+Patch112: https://github.com/proftpd/proftpd/commit/757b9633.patch
+Patch113: https://github.com/proftpd/proftpd/commit/41ecb7dc.patch
+Patch114: https://github.com/proftpd/proftpd/commit/ad786eaa.patch
+
+BuildRequires: coreutils
+BuildRequires: gcc
+BuildRequires: GeoIP-devel
+BuildRequires: gettext
+BuildRequires: libacl-devel
+BuildRequires: libcap-devel
+%if 0%{?have_libmemcached:1}
+BuildRequires: libmemcached-devel >= 0.41
+%endif
+BuildRequires: %{mysql_devel_pkg}
+BuildRequires: ncurses-devel
+BuildRequires: openldap-devel
+BuildRequires: openssl-devel
+BuildRequires: pam-devel
+BuildRequires: pcre-devel >= 7.0
+BuildRequires: perl-generators
+%if (0%{?rhel} && 0%{?rhel} <= 7) || (0%{?fedora} && 0%{?fedora} <= 25)
+BuildRequires: perl
+%else
+BuildRequires: perl-interpreter
+%endif
+BuildRequires: pkgconfig
+BuildRequires: postgresql-devel
+BuildRequires: sqlite-devel
+BuildRequires: tar
+%if 0%{?libwrap_support:1}
+BuildRequires: tcp_wrappers-devel
+%endif
+BuildRequires: zlib-devel
+
+# Test suite requirements
+BuildRequires: check-devel
+%if 0%{?_with_integrationtests:1}
+BuildRequires: perl(Compress::Zlib)
+BuildRequires: perl(Digest::MD5)
+BuildRequires: perl(HTTP::Request)
+BuildRequires: perl(IO::Socket::SSL)
+BuildRequires: perl(LWP::UserAgent)
+BuildRequires: perl(Net::FTPSSL)
+BuildRequires: perl(Net::SSLeay)
+BuildRequires: perl(Net::Telnet)
+BuildRequires: perl(Sys::HostAddr)
+BuildRequires: perl(Test::Harness)
+BuildRequires: perl(Test::Unit) >= 0.25
+BuildRequires: perl(Time::HiRes)
+%endif
+
+# Need %%{systemd_units} for ownership of /usr/lib/tmpfiles.d directory
+%if %{rundir_tmpfs}
+Requires: %{systemd_units}
+%endif
+
+# Scriptlet dependencies
+Requires(preun): coreutils, findutils
+%if %{use_systemd}
+BuildRequires: %{systemd_units}
+%{?systemd_requires}
+%else
+Requires(post): chkconfig
+Requires(preun): chkconfig, initscripts
+Requires(postun): initscripts
+%endif
+
+Provides: ftpserver
+
+%description
+ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
+and ease of configuration. It features a very Apache-like configuration
+syntax, and a highly customizable server infrastructure, including support for
+multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
+visibility.
+%if %{use_systemd}
+This package defaults to the standalone behavior of ProFTPD, but all the
+needed scripts to have it run by systemd instead are included.
+%else
+This package defaults to the standalone behavior of ProFTPD, but all the
+needed scripts to have it run by xinetd instead are included.
+%endif
+
+%package devel
+Summary: ProFTPD - Tools and header files for developers
+Requires: %{name} = %{version}-%{release}
+# devel package requires the same devel packages as were build-required
+# for the main package
+Requires: gcc, libtool
+Requires: GeoIP-devel
+Requires: libacl-devel
+Requires: libcap-devel
+%if 0%{?have_libmemcached:1}
+Requires: libmemcached-devel >= 0.41
+%endif
+Requires: %{mysql_devel_pkg}
+Requires: ncurses-devel
+Requires: openldap-devel
+Requires: openssl-devel
+Requires: pam-devel
+Requires: pcre-devel
+Requires: pkgconfig
+Requires: postgresql-devel
+Requires: sqlite-devel
+%if 0%{?libwrap_support:1}
+Requires: tcp_wrappers-devel
+%endif
+Requires: zlib-devel
+
+%description devel
+This package is required to build additional modules for ProFTPD.
+
+%package ldap
+Summary: Module to add LDAP support to the ProFTPD FTP server
+Requires: %{name} = %{version}-%{release}
+
+%description ldap
+Module to add LDAP support to the ProFTPD FTP server.
+
+%package mysql
+Summary: Module to add MySQL support to the ProFTPD FTP server
+Requires: %{name} = %{version}-%{release}
+
+%description mysql
+Module to add MySQL support to the ProFTPD FTP server.
+
+%package postgresql
+Summary: Module to add PostgreSQL support to the ProFTPD FTP server
+Requires: %{name} = %{version}-%{release}
+
+%description postgresql
+Module to add PostgreSQL support to the ProFTPD FTP server.
+
+%package sqlite
+Summary: Module to add SQLite support to the ProFTPD FTP server
+Requires: %{name} = %{version}-%{release}
+
+%description sqlite
+Module to add SQLite support to the ProFTPD FTP server.
+
+%package utils
+Summary: ProFTPD - Additional utilities
+Requires: %{name} = %{version}-%{release}
+Requires: perl-interpreter
+# ftpasswd --use-cracklib requires Crypt::Cracklib
+BuildRequires: perl(Crypt::Cracklib)
+Requires: perl(Crypt::Cracklib)
+
+%description utils
+This package contains additional utilities for monitoring and configuring the
+ProFTPD server:
+
+* ftpasswd: generate passwd(5) files for use with AuthUserFile
+* ftpcount: show the current number of connections per server/virtualhost
+* ftpmail: monitor transfer log and send email when files uploaded
+* ftpquota: manipulate quota tables
+* ftptop: show the current status of FTP sessions
+* ftpwho: show the current process information for each FTP session
+
+%prep
+%setup -q -n %{name}-%{version}%{?prever}
+
+# Extract mod_vroot source into contrib/
+# Directory must be named mod_vroot for configure script to find it
+cd contrib
+tar xfz %{SOURCE10}
+mv proftpd-mod_vroot-%{mod_vroot_version} mod_vroot
+cd -
+
+# Default config file
+cp -p %{SOURCE1} proftpd.conf
+
+# Avoid documentation name conflicts
+mv contrib/README contrib/README.contrib
+
+# Change shellbangs /usr/bin/env perl ⇒ /usr/bin/perl
+%patch1
+
+# If we don't have libmemcached support, remove the mod_tls_memcache
+# snippet from the config file
+%if 0%{!?have_libmemcached:1}
+%patch2
+%endif
+
+# If we're running the full test suite, include the mod_vroot test
+%patch3 -p1 -b .test_vroot
+
+# Remove references to mod_wrap from the configuration file if necessary
+%if 0%{!?libwrap_support:1}
+%patch4 -b .nowrappers
+%endif
+
+# Check for symlinks in home directory path as logging-in user
+# http://bugs.proftpd.org/show_bug.cgi?id=4306
+# https://bugzilla.redhat.com/show_bug.cgi?id=1443507
+# https://github.com/proftpd/proftpd/pull/496
+%patch100 -p1
+
+# Fix API tests to work in Fedora/RHEL environments
+# https://github.com/proftpd/proftpd/issues/483
+# https://github.com/proftpd/proftpd/pull/510
+# https://github.com/proftpd/proftpd/pull/514
+%patch101 -p1
+%patch102 -p1
+%patch103 -p1
+%patch104 -p1
+
+# Fix similars functionality and unit test
+# https://github.com/proftpd/proftpd/pull/513
+%patch105 -p1
+
+# Add functionality to disable external network tests
+# https://github.com/proftpd/proftpd/pull/497
+%patch106 -p1
+
+# Systemd requires that executeable pathnames are absolute
+# https://github.com/proftpd/proftpd/pull/502
+%patch107 -p1
+
+# Systemd upstream recommends Type = simple for services if possible
+# https://github.com/proftpd/proftpd/pull/506
+%patch108 -p1
+
+# Don't mess with system profiles in TLSCipherSuite
+# https://github.com/proftpd/proftpd/pull/499
+%patch109 -p1
+%patch110 -p1
+
+# Remove redundant bind() to controls socket
+# https://github.com/proftpd/proftpd/issues/501
+%patch111 -p1
+
+# mod_sftp failed to check shadow password information when publickey
+# authentication used
+# http://bugs.proftpd.org/show_bug.cgi?id=4308
+%patch112 -p1
+
+# Use of "AllowEmptyPasswords off" broke SFTP/SCP logins
+# http://bugs.proftpd.org/show_bug.cgi?id=4309
+%patch113 -p1
+
+# With systemd, wait for network-online.target before starting
+# https://bugzilla.redhat.com/show_bug.cgi?id=1506805
+# https://github.com/proftpd/proftpd/pull/617
+%patch114 -p1
+
+# OpenSSL Cipher Profiles introduced in Fedora 21
+# Elsewhere, we use the default of DEFAULT:!ADH:!EXPORT:!DES
+%if (0%{?rhel} && 0%{?rhel} <= 7) || (0%{?fedora} && 0%{?fedora} <= 20)
+sed -i -e '/^[[:space:]]*TLSCipherSuite[[:space:]]*PROFILE=SYSTEM$/d' proftpd.conf
+%endif
+
+# Tweak logrotate script for systemd compatibility (#802178)
+%if %{use_systemd}
+sed -i -e '/killall/s/test.*/systemctl reload proftpd.service/' \
+ contrib/dist/rpm/proftpd.logrotate
+%endif
+
+# Avoid docfile dependencies
+chmod -c -x contrib/xferstats.holger-preiss
+
+# Remove bogus exec permissions from source files
+chmod -c -x include/hanson-tpl.h lib/hanson-tpl.c
+
+# Remove any patch backup files from documentation
+find doc/ contrib/ -name '*.orig' -delete
+
+%build
+# Modules to be built as DSO's (excluding mod_ifsession, always specified last)
+SMOD1=mod_sql:mod_sql_passwd:mod_sql_mysql:mod_sql_postgres:mod_sql_sqlite
+SMOD2=mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_radius:mod_quotatab_sql
+SMOD3=mod_ldap:mod_ban%{?libwrap_support::mod_wrap}:mod_ctrls_admin:mod_facl:mod_load:mod_vroot
+SMOD4=mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec:mod_shaper:mod_geoip
+SMOD5=mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_copy:mod_deflate:mod_ifversion:mod_qos
+SMOD6=mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache%{?have_libmemcached::mod_tls_memcache}
+
+%configure \
+ --libexecdir="%{_libexecdir}/proftpd" \
+ --localstatedir="%{rundir}/proftpd" \
+ --disable-strip \
+ --enable-ctrls \
+ --enable-dso \
+ --enable-facl \
+ --enable-ipv6 \
+%{?have_libmemcached: --enable-memcache} \
+ --enable-nls \
+ --enable-openssl \
+ --disable-pcre \
+ --disable-redis \
+ --enable-shadow \
+ --enable-tests=nonetwork \
+ --with-libraries="%{_libdir}/%{mysql_lib}" \
+ --with-includes="%{_includedir}/mysql" \
+ --with-modules=mod_readme:mod_auth_pam:mod_tls \
+ --with-shared=${SMOD1}:${SMOD2}:${SMOD3}:${SMOD4}:${SMOD5}:${SMOD6}:mod_ifsession
+
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot} \
+ rundir="%{rundir}/proftpd" \
+ INSTALL_USER=`id -un` \
+ INSTALL_GROUP=`id -gn`
+install -D -p -m 640 proftpd.conf %{buildroot}%{_sysconfdir}/proftpd.conf
+install -D -p -m 644 contrib/dist/rpm/proftpd.pam \
+ %{buildroot}%{_sysconfdir}/pam.d/proftpd
+%if %{use_systemd}
+install -D -p -m 644 contrib/dist/rpm/proftpd.service \
+ %{buildroot}%{_unitdir}/proftpd.service
+install -D -p -m 644 contrib/dist/systemd/proftpd.socket \
+ %{buildroot}%{_unitdir}/proftpd.socket
+install -D -p -m 644 contrib/dist/systemd/proftpd@.service \
+ %{buildroot}%{_unitdir}/proftpd@.service
+%else
+install -D -p -m 755 contrib/dist/rpm/proftpd.init.d \
+ %{buildroot}%{_sysconfdir}/rc.d/init.d/proftpd
+install -D -p -m 644 contrib/dist/rpm/xinetd \
+ %{buildroot}%{_sysconfdir}/xinetd.d/xproftpd
+%endif
+install -D -p -m 644 contrib/dist/rpm/proftpd.logrotate \
+ %{buildroot}%{_sysconfdir}/logrotate.d/proftpd
+install -D -p -m 644 %{SOURCE5} %{buildroot}%{_localstatedir}/ftp/welcome.msg
+install -D -p -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/sysconfig/proftpd
+mkdir -p %{buildroot}%{_localstatedir}/{ftp/{pub,uploads},log/proftpd}
+touch %{buildroot}%{_sysconfdir}/ftpusers
+
+# Make sure %%{rundir}/proftpd exists at boot time for systems where it's on tmpfs (#656675)
+%if %{rundir_tmpfs}
+install -d -m 755 %{buildroot}%{_prefix}/lib/tmpfiles.d
+install -p -m 644 contrib/dist/rpm/proftpd-tmpfs.conf \
+ %{buildroot}%{_prefix}/lib/tmpfiles.d/proftpd.conf
+%endif
+
+# Find translations
+%find_lang proftpd
+
+%check
+# Integration tests not fully maintained - stick to API tests only by default
+%if 0%{?_with_integrationtests:1}
+ln ftpdctl tests/
+make check
+%else
+# API tests should always be OK
+if ! make -C tests api-tests; then
+ # Diagnostics to report upstream
+ cat tests/api-tests.log
+ ./proftpd -V
+ # Fail the build
+ false
+fi
+%endif
+
+%post
+%if %{use_systemd}
+systemctl daemon-reload &>/dev/null || :
+%endif
+if [ $1 -eq 1 ]; then
+ # Initial installation
+%if ! %{use_systemd}
+ chkconfig --add proftpd || :
+%endif
+%if %{preset_support}
+ systemctl preset proftpd.service &>/dev/null || :
+%endif
+ IFS=":"; cat /etc/passwd | \
+ while { read username nu nu gid nu nu nu nu; }; do \
+ if [ $gid -lt 100 -a "$username" != "ftp" ]; then
+ echo $username >> %{_sysconfdir}/ftpusers
+ fi
+ done
+fi
+
+%preun
+if [ $1 -eq 0 ]; then
+ # Package removal, not upgrade
+%if %{use_systemd}
+ systemctl --no-reload disable proftpd.service &>/dev/null || :
+ systemctl stop proftpd.service &>/dev/null || :
+%else
+ service proftpd stop &>/dev/null || :
+ chkconfig --del proftpd || :
+%endif
+ find %{rundir}/proftpd -depth -mindepth 1 |
+ xargs rm -rf &>/dev/null || :
+fi
+
+%postun
+%if %{use_systemd}
+systemctl daemon-reload &>/dev/null || :
+%endif
+if [ $1 -ge 1 ]; then
+ # Package upgrade, not uninstall
+%if %{use_systemd}
+ systemctl try-restart proftpd.service &>/dev/null || :
+%else
+ service proftpd condrestart &>/dev/null || :
+else
+ # Package removal, not upgrade
+ service xinetd reload &>/dev/null || :
+%endif
+fi
+
+%files -f proftpd.lang
+%if 0%{?_licensedir:1}
+%license COPYING
+%else
+%doc COPYING
+%endif
+%doc CREDITS ChangeLog NEWS README.md
+%doc README.DSO README.modules README.IPv6 README.PAM
+%doc README.capabilities README.classes README.controls README.facl
+%doc contrib/README.contrib contrib/README.ratio
+%doc doc/* sample-configurations/
+%dir %{_localstatedir}/ftp/
+%dir %{_localstatedir}/ftp/pub/
+%dir %{rundir}/proftpd/
+%config(noreplace) %{_localstatedir}/ftp/welcome.msg
+%config(noreplace) %{_sysconfdir}/blacklist.dat
+%config(noreplace) %{_sysconfdir}/dhparams.pem
+%config(noreplace) %{_sysconfdir}/ftpusers
+%config(noreplace) %{_sysconfdir}/logrotate.d/proftpd
+%config(noreplace) %{_sysconfdir}/pam.d/proftpd
+%config(noreplace) %{_sysconfdir}/proftpd.conf
+%config(noreplace) %{_sysconfdir}/sysconfig/proftpd
+%if %{use_systemd}
+%{_unitdir}/proftpd.service
+%{_unitdir}/proftpd.socket
+%{_unitdir}/proftpd@.service
+%else
+%config(noreplace) %{_sysconfdir}/xinetd.d/xproftpd
+%{_sysconfdir}/rc.d/init.d/proftpd
+%endif
+%if %{rundir_tmpfs}
+%{_prefix}/lib/tmpfiles.d/proftpd.conf
+%endif
+%{_bindir}/ftpdctl
+%{_sbindir}/ftpscrub
+%{_sbindir}/ftpshut
+%{_sbindir}/in.proftpd
+%{_sbindir}/proftpd
+%{_mandir}/man5/proftpd.conf.5*
+%{_mandir}/man5/xferlog.5*
+%{_mandir}/man8/ftpdctl.8*
+%{_mandir}/man8/ftpscrub.8*
+%{_mandir}/man8/ftpshut.8*
+%{_mandir}/man8/proftpd.8*
+%dir %{_libexecdir}/proftpd/
+%{_libexecdir}/proftpd/mod_ban.so
+%{_libexecdir}/proftpd/mod_ctrls_admin.so
+%{_libexecdir}/proftpd/mod_copy.so
+%{_libexecdir}/proftpd/mod_deflate.so
+%{_libexecdir}/proftpd/mod_exec.so
+%{_libexecdir}/proftpd/mod_facl.so
+%{_libexecdir}/proftpd/mod_geoip.so
+%{_libexecdir}/proftpd/mod_ifsession.so
+%{_libexecdir}/proftpd/mod_ifversion.so
+%{_libexecdir}/proftpd/mod_load.so
+%{_libexecdir}/proftpd/mod_qos.so
+%{_libexecdir}/proftpd/mod_quotatab.so
+%{_libexecdir}/proftpd/mod_quotatab_file.so
+%{_libexecdir}/proftpd/mod_quotatab_radius.so
+%{_libexecdir}/proftpd/mod_quotatab_sql.so
+%{_libexecdir}/proftpd/mod_radius.so
+%{_libexecdir}/proftpd/mod_ratio.so
+%{_libexecdir}/proftpd/mod_rewrite.so
+%{_libexecdir}/proftpd/mod_sftp.so
+%{_libexecdir}/proftpd/mod_sftp_pam.so
+%{_libexecdir}/proftpd/mod_sftp_sql.so
+%{_libexecdir}/proftpd/mod_shaper.so
+%{_libexecdir}/proftpd/mod_site_misc.so
+%{_libexecdir}/proftpd/mod_sql.so
+%{_libexecdir}/proftpd/mod_sql_passwd.so
+%{?have_libmemcached:%{_libexecdir}/proftpd/mod_tls_memcache.so}
+%{_libexecdir}/proftpd/mod_tls_shmcache.so
+%{_libexecdir}/proftpd/mod_vroot.so
+%{?libwrap_support:%{_libexecdir}/proftpd/mod_wrap.so}
+%{_libexecdir}/proftpd/mod_wrap2.so
+%{_libexecdir}/proftpd/mod_wrap2_file.so
+%{_libexecdir}/proftpd/mod_wrap2_sql.so
+%exclude %{_libexecdir}/proftpd/*.a
+%exclude %{_libexecdir}/proftpd/*.la
+%attr(331, ftp, ftp) %dir %{_localstatedir}/ftp/uploads/
+%attr(750, root, root) %dir
%{_localstatedir}/log/proftpd/
+
+%files devel
+%{_bindir}/prxs
+%{_includedir}/proftpd/
+%{_libdir}/pkgconfig/proftpd.pc
+
+%files ldap
+%doc README.LDAP contrib/mod_quotatab_ldap.ldif contrib/mod_quotatab_ldap.schema
+%{_libexecdir}/proftpd/mod_ldap.so
+%{_libexecdir}/proftpd/mod_quotatab_ldap.so
+
+%files mysql
+%{_libexecdir}/proftpd/mod_sql_mysql.so
+
+%files postgresql
+%{_libexecdir}/proftpd/mod_sql_postgres.so
+
+%files sqlite
+%{_libexecdir}/proftpd/mod_sql_sqlite.so
+
+%files utils
+%doc contrib/xferstats.holger-preiss
+%{_bindir}/ftpasswd
+%{_bindir}/ftpcount
+%{_bindir}/ftpmail
+%{_bindir}/ftpquota
+%{_bindir}/ftptop
+%{_bindir}/ftpwho
+%{_mandir}/man1/ftpasswd.1*
+%{_mandir}/man1/ftpcount.1*
+%{_mandir}/man1/ftpmail.1*
+%{_mandir}/man1/ftpquota.1*
+%{_mandir}/man1/ftptop.1*
+%{_mandir}/man1/ftpwho.1*
+
+%changelog
+* Fri Feb 09 2018 Fedora Release Engineering - 1.3.6-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sun Jan 28 2018 Paul Howarth - 1.3.6-13
+- Account for systemd-units being merged into systemd at Fedora 17
+- Use forward-looking conditionals
+- Don't use full paths from commands in scriptlets, to aid readability
+
+* Mon Jan 22 2018 Paul Howarth - 1.3.6-12
+- Disable strict linker checks for undefined symbols, which breaks build due
+ to modules containing references to symbols in the main daemon
+
+* Sat Jan 20 2018 Björn Esser - 1.3.6-11
+- Rebuilt for switch to libxcrypt
+
+* Tue Jan 09 2018 Merlin Mathesius - 1.3.6-10
+- Cleanup spec file conditionals
+
+* Fri Dec 1 2017 Paul Howarth - 1.3.6-9
+- Disable tcp_wrappers support via libwrap/mod_wrap from F-28 onwards; note
+ that similar functionality is still available using mod_wrap2, which does
+ not use libwrap (ref: https://bugzilla.redhat.com/show_bug.cgi?id=1518776)
+
+* Mon Oct 30 2017 Paul Howarth - 1.3.6-8
+- With systemd, wait for network-online.target before starting (#1506805)
+
+* Thu Sep 21 2017 Paul Howarth - 1.3.6-7
+- Switch to build with
MariaDB Connector/C library rather than full mysql-devel
+ package from Fedora 28 onwards (#1493657,
+ https://fedoraproject.org/wiki/User:Hhorak/mariadb-connector-c-proposal)
+
+* Wed Sep 20 2017 Paul Howarth - 1.3.6-6
+- Add sqlite sub-package with mod_sql_sqlite for SQLite support (#1328321)
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1.3.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Fri Jul 28 2017 Fedora Release Engineering - 1.3.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 13 2017 Paul Howarth - 1.3.6-3
+- mod_sftp failed to check shadow password information when publickey
+ authentication used (http://bugs.proftpd.org/show_bug.cgi?id=4308)
+- Use of "AllowEmptyPasswords off" broke SFTP/SCP logins
+ (http://bugs.proftpd.org/show_bug.cgi?id=4309)
+
+* Thu Jul 13 2017 Petr Pisar - 1.3.6-2
+- perl dependency renamed to perl-interpreter
+
+
+* Mon May 22 2017 Paul Howarth - 1.3.6-1
+- Update to 1.3.6 (see NEWS for details)
+- Update mod_vroot to 0.9.5 (API compatibility with 1.3.6)
+- Add upstream fixes for flaky API tests
+ (https://github.com/proftpd/proftpd/issues/483)
+ (https://github.com/proftpd/proftpd/pull/510)
+ (https://github.com/proftpd/proftpd/pull/514)
+- Add functionality to disable external network tests
+ (https://github.com/proftpd/proftpd/pull/497)
+- Update template TLS configuration
+- PCRE 7.0 always available for use now
+- Disable PCRE support for now as JIT compiler has SELinux issues
+ (https://bugs.exim.org/show_bug.cgi?id=1749)
+- Update proftpd.service to use Type=simple rather than Type=forking
+ (https://github.com/proftpd/proftpd/pull/506)
+- Remove redundant bind() to controls socket
+ (https://github.com/proftpd/proftpd/issues/501)
+- Fix similars functionality and unit test
+ (https://github.com/proftpd/proftpd/pull/513)
+- Integration tests can use system Test::Unit now
+- tcpd.h can always be found in tcp_wrappers-devel now
+
+* Wed May 3
2017 Paul Howarth - 1.3.5e-2
+- AllowChrootSymlinks off could cause login failures depending on filesystem
+ permissions: use the IDs of the logging-in user to perform the directory
+ walk, looking for symlinks, to be more consistent with similar checks done
+ during login (#1443507, upstream bug 4306)
+- Crypt::CrackLib always available now
+
+* Mon Apr 10 2017 Paul Howarth - 1.3.5e-1
+- Update to 1.3.5e
+ - SFTP clients using umac-64@openssh.com digest failed to connect
+ (upstream bug 4287)
+ - SFTP rekeying failure with ProFTPD 1.3.5d, caused by null pointer
+ dereference (upstream bug 4288)
+ - AllowChrootSymlinks off did not check entire DefaultRoot path for symlinks
+ (CVE-2017-7418, upstream bug 4295)
+- Change shellbangs in shipped perl scripts to use system perl
+- Drop EL-5 support
+ - Drop BuildRoot: and Group: tags
+ - Drop explicit buildroot cleaning in %%install section
+ - Drop explicit %%clean section
+ - /etc/pam.d/password-auth always available now
+ - pcre 7.0 or later always available now
+
+* Sun Feb 12 2017 Paul Howarth - 1.3.5d-3
+- Properly allocate (and clear) the UMAC contexts, to fix segfault in mod_sftp
+ (#1420365, upstream bug 4287)
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.3.5d-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 16 2017 Paul Howarth - 1.3.5d-1
+- Update to 1.3.5d
+ - Support OpenSSL 1.1.x API (upstream bug 4275)
+ Bug fixes:
+ - SSH rekey during authentication can cause issues with clients
+ (upstream bug 4254)
+ - Recursive SCP uploads of multiple directories not handled properly
+ (upstream bug 4257)
+ - LIST returns different results for file, depending on path syntax
+ (upstream bug 4259)
+ - "AuthAliasOnly on" in server config breaks anonymous logins
+ (upstream bug 4255)
+ - CapabilitiesEngine directive not honored for / sections
+ (upstream bug 4272)
+ - Memory leak when mod_facl is used (upstream bug 4278)
+ - All FTP logins treated as anonymous logins again (upstream
bug 4283,
+ regression in 1.3.5c of upstream bug 3307)
+
+* Sat Nov 19 2016 Paul Howarth - 1.3.5b-3
+- Support OpenSSL 1.1.x API (upstream bug 4275)
+
+* Sat May 21 2016 Paul Howarth - 1.3.5b-2
+- Handle client/server version skew in mod_sql_mysql
+ (https://forums.proftpd.org/smf/index.php?topic=11887.0)
+- Fix a possible cause of segfaults in mod_sftp (#1337880, upstream bug 4203)
+- BR: perl-generators for correct dependencies in utils sub-package
+
+* Fri Mar 11 2016 Paul Howarth - 1.3.5b-1
+- Update to 1.3.5b
+ - mod_geoip did not load all of the GeoIPTables properly (upstream bug 4187)
+ - "Incorrect string value" reported by mod_sql_mysql for some UTF8 characters
+ (upstream bug 4191)
+ - SSH rekey failed when using RSA hostkey smaller than 2048 bits
+ (upstream bug 4097)
+ - MLSD/MLST fact type "cdir" is incorrectly used for the current working
+ directory (upstream bug 4198)
+ - HiddenStores temporary files not removed when exceeding quota using SCP
+ (upstream bug 4201)
+ - MLSD lines not properly terminated with CRLF (upstream bug 4202)
+ - Zero-length memory allocation possible, with undefined results
+ (upstream bug 4209)
+ - Avoid unbounded SFTP extended attribute key/values (upstream bug 4210)
+ - Ensure that FTP data transfer commands fail appropriately when
+ "RootRevoke on" is in effect (upstream bug 4212)
+ - Handle FTP re-authentication attempts better (upstream bug 4217)
+ - Permissions on files uploaded via STOU did not honor configured Umask
+ (upstream bug 4223)
+ - Support SFTP clients that send multiple INIT requests (upstream bug 4227)
+ - TLSDHParamFile directive appears ignored because unexpected DH is chosen
+ (upstream bug 4230)
+- Drop unbundled old version of mod_geoip
+- Drop upstreamed patches
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1.3.5a-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Dec 1 2015 Paul Howarth - 1.3.5a-5
+- Avoid unbounded SFTP extended attribute key/values
+ (#1286977,
http://bugs.proftpd.org/show_bug.cgi?id=4210)
+
+* Thu Oct 29 2015 Paul Howarth - 1.3.5a-4
+- See if we can fix crash in mod_lang
+ http://bugs.proftpd.org/show_bug.cgi?id=4206
+ https://retrace.fedoraproject.org/faf/reports/10744/
+
+* Thu Sep 10 2015 Paul Howarth - 1.3.5a-3
+- Add dependency on perl(Crypt::Cracklib), needed for ftpasswd --use-cracklib
+
+* Thu Jun 18 2015 Fedora Release Engineering - 1.3.5a-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu May 28 2015 Paul Howarth - 1.3.5a-1
+- Update to 1.3.5a
+ - Fixed "stalled" SSL/TLS handshakes for data transfers
+ - Fixed handling of SSH keys with overlong Comment headers in mod_sftp_sql
+ - By default, mod_tls will no longer support SSLv3 connections; in order to
+ support SSLv3 connections (for sites that need to), you must explicitly
+ configure this via the TLSProtocol directive, e.g.:
+ TLSProtocol SSLv3 TLSv1 ...
+ - The mod_copy module is enabled by default; there may be cases where the
+ module should be disabled, without requiring a rebuild of the server, thus
+ mod_copy now supports a CopyEngine directive to enable/disable the module
+ - The DeleteAbortedStores directive (for Bug#3917) is only enabled when
+ HiddenStores is in effect, as intended when originally implemented, rather
+ than all the time
+ - Many other bug-fixes, see NEWS for details
+- Drop upstreamed patches
+
+* Wed May 27 2015 Paul Howarth - 1.3.5-7
+- Update mod_vroot to 0.9.4
+ - Fix broken vroot alias checks (GH#4, GH#5)
+ - Improve documentation
+ - Add further regression tests
+
+* Tue Apr 28 2015 Paul Howarth - 1.3.5-6
+- Unauthenticated copying of files via SITE CPFR/CPTO was allowed by mod_copy
+ (CVE-2015-3306, http://bugs.proftpd.org/show_bug.cgi?id=4169)
+
+* Thu Feb 5 2015 Paul Howarth - 1.3.5-5
+- Update mod_vroot to 0.9.3 and drop upstreamed mod_vroot patch
+- Anonymous upload directory specification needs to be slightly different if
+ mod_vroot is in use (#1045922)
+
http://sourceforge.net/p/proftp/mailman/message/31728570/
+- For systemd-based systems, use systemd rather than xinetd for inetd mode
+ activation (#737707); to use this mode, set "ServerType inetd" in
+ /etc/proftpd.conf and do "systemctl enable proftpd.socket" (and
+ "systemctl start proftpd.socket" to start listening for connections)
+- Use %%license where possible
+
+* Sun Aug 17 2014 Fedora Release Engineering - 1.3.5-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 7 2014 Fedora Release Engineering 1.3.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri May 16 2014 Paul Howarth 1.3.5-2
+- Add upstream fix to ignore any ENOPROTOOPT errors when setting the
+ IPv6 TCLASS (TOS) flags on the socket; they make for noisier logging
+ without providing any actual value to the user/admin (upstream bug 4055)
+
+* Fri May 16 2014 Paul Howarth 1.3.5-1
+- Update to 1.3.5 (see NEWS for details)
+- Drop upstreamed patches
+- Drop sysv-to-systemd migration script
+- No longer need to support pam_stack
+
+* Fri Dec 20 2013 Paul Howarth 1.3.4d-5
+- Fix support for 8192-bit DH parameters (#1044586)
+- Add 3072-bit and 7680-bit DH parameters (upstream bug 4002)
+
+* Sat Sep 14 2013 Paul Howarth 1.3.4d-4
+- Fix mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication
+ (#1007678, upstream bug #3973, CVE-2013-4359)
+
+* Sun Aug 04 2013 Fedora Release Engineering 1.3.4d-2.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 17 2013 Petr Pisar 1.3.4d-2.1
+- Perl 5.18 rebuild
+
+* Mon Jun 17 2013 Paul Howarth 1.3.4d-2
+- Fix spurious log messages at session close (upstream bug #3945)
+
+* Sat Jun 15 2013 Paul Howarth 1.3.4d-1
+- Update to 1.3.4d
+ - Fixed broken build when using --disable-ipv6 configure option
+ - Fixed mod_sql "SQLAuthType Backend" MySQL issues
+ - Various other bugs fixed - see NEWS for details
+- Drop upstreamed patch for PAM session closing
+
+*
Tue Apr 16 2013 Paul Howarth 1.3.4c-2
+- Make sure we can switch back to root before closing PAM sessions so that
+ they're closed properly and don't pollute the system logs with dbus reject
+ messages (#951728, upstream bug #3929)
+
+* Thu Mar 7 2013 Paul Howarth 1.3.4c-1
+- Update to 1.3.4c
+ - Added Spanish translation
+ - Fixed several mod_sftp issues, including SFTPPassPhraseProvider,
+ handling of symlinks for REALPATH requests, and response code logging
+ - Fixed symlink race for creating directories when UserOwner is in effect
+ - Increased performance of FTP directory listings
+- Drop MySQL password patch, no longer needed
+- Drop upstreamed proftpd patch for CVE-2012-6095
+- Update patch for bug 3744 to apply against updated proftpd code
+
+* Thu Feb 14 2013 Fedora Release Engineering 1.3.4b-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 16 2013 Paul Howarth 1.3.4b-5
+- Update patch for CVE-2012-6095 to cover vroot cases
+
+* Mon Jan 7 2013 Paul Howarth 1.3.4b-4
+- Fix possible symlink race when applying UserOwner to newly created directory
+ (CVE-2012-6095, #892715, http://bugs.proftpd.org/show_bug.cgi?id=3841)
+
+* Sat Sep 22 2012 Remi Collet 1.3.4b-3
+- Rebuild against libmemcached.so.11 without SASL
+
+* Thu Aug 30 2012 Paul Howarth 1.3.4b-2
+- Add support for systemd presets in Fedora 18+ (#850281)
+
+* Wed Aug 1 2012 Paul Howarth 1.3.4b-1
+- Update to 1.3.4b
+ - Fixed mod_ldap segfault on login when LDAPUsers with no filters used
+ - Fixed sporadic SFTP upload issues for large files
+ - Fixed SSH2 handling for some clients (e.g.
OpenVMS)
+ - New FactsOptions directive; see doc/modules/mod_facts.html#FactsOptions
+ - Fixed build errors on Tru64, AIX, Cygwin
+ - Lots of bugs fixed - see NEWS for details
+- No bzipped tarball release this time, so revert to gzipped one
+- Drop patches for fixes included in upstream release
+
+* Sat Jul 21 2012 Fedora Release Engineering 1.3.4a-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 3 2012 Paul Howarth 1.3.4a-10
+- Move tmpfiles.d file from %%{_sysconfdir} to %%{_prefix}/lib
+
+* Sat Apr 21 2012 Paul Howarth 1.3.4a-9
+- Rebuild for new libmemcached in Rawhide
+
+* Fri Apr 13 2012 Paul Howarth 1.3.4a-8
+- Do hardened (PIE) builds where possible
+- Drop %%defattr, redundant since rpm 4.4
+- Always look for TLS certs in /etc/pki/tls/certs
+
+* Mon Mar 12 2012 Paul Howarth 1.3.4a-7
+- Tweak logrotate script for systemd compatibility (#802178)
+- Fix leaked file descriptors for log files (as per bug 3751)
+
+* Sat Mar 3 2012 Paul Howarth 1.3.4a-6
+- Rebuild for new libmemcached in Rawhide
+
+* Tue Feb 28 2012 Paul Howarth 1.3.4a-5
+- Document SELinux configuration for ProFTPD in proftpd.conf (#785443)
+- Add support for basic and administrative controls actions using ftpdctl by
+ default (#786623)
+- Add trace logging directives in proftpd.conf but disable them by default as
+ they impair performance
+- Fix ftpwho/ftptop not showing command arguments (bug 3714)
+- Fix MLSD/MLST fail with "DirFakeUser off" or "DirFakeGroup off" (bug 3715)
+- Fix proftpd fails to run with "Abort trap" error message (bug 3717)
+- Fix LIST -R can loop endlessly if bad directory symlink exists (bug 3719)
+- Fix overly restrictive module logfile permissions (bug 3720)
+- Fix mod_memcache segfault on server restart (bug 3723)
+- Fix unloading mod_quotatab causes segfault (#757311, bug 3724)
+- Fix mod_exec does not always capture stdout/stderr output from executed
+ command (bug 3726)
+- Fix mod_wrap2 causes unexpected LogFormat %%u expansion
for SFTP connections
+ (bug 3727)
+- Fix mod_ldap segfault when LDAPUsers is used with no optional filters
+ (bug 3729)
+- Fix DirFakeUser/DirFakeGroup off with name causes SIGSEGV for MLSD/MLST
+ commands (bug 3734)
+- Fix improper handling of self-signed certificate in client-sent cert list
+ when "TLSVerifyClient on" is used (bug 3742)
+- Fix random stalls/segfaults seen when transferring large files via SFTP
+ (bug 3743)
+- Support ls(1) -1 option for LIST command (bug 3744)
+- Reject PASV command if no IPv4 address available (bug 3745)
+- Support applying ListOptions only to NLST or to LIST commands (bug 3746)
+- Support option for displaying symlinks via MLSD using syntax preferred by
+ FileZilla (bug 3747)
+- Fix mod_ban not closing and reopening the BanLog/BanTable file descriptors
+ on restart, causing a file descriptor leak (bug 3751)
+- Fix mod_ctrls no longer listening on ControlsSocket after restart (bug 3756)
+
+* Thu Feb 9 2012 Paul Howarth 1.3.4a-4
+- Rebuild for new libpcre in Rawhide
+
+* Mon Jan 16 2012 Paul Howarth 1.3.4a-3
+- Add -utils subpackage for support tools, which means the main package
+ no longer requires perl
+
+* Tue Jan 10 2012 Paul Howarth 1.3.4a-2
+- Make mod_vroot a DSO, loaded by default (#772354)
+- VRootAlias for /etc/security/pam_env.conf is redundant, so remove it
+- Add BanMessage (#772354)
+- Add -devel subpackage for building third-party modules
+
+* Fri Nov 11 2011 Paul Howarth 1.3.4a-1
+- Update to 1.3.4a:
+ - Fixed mod_load/mod_wrap2 build issues
+- Drop now-redundant workaround for building mod_load and mod_wrap2
+- Drop upstreamed patch for xinetd config typo
+
+* Thu Nov 10 2011 Paul Howarth 1.3.4-1
+- Update to 1.3.4, addressing the following bugs since 1.3.4rc3:
+ - ProFTPD with mod_sql_mysql dies of "Alarm clock" on FreeBSD (bug 3702)
+ - mod_sql_mysql.so: undefined symbol: make_scrambled_password with MySQL 5.5
+ on Fedora (bug 3669)
+ - PQescapeStringConn() needs a better check (bug 3192)
+ - Enable OpenSSL
countermeasure against SSLv3/TLSv1 BEAST attacks (bug 3704);
+ to disable this countermeasure, which may cause interoperability issues
+ with some clients, use the NoEmptyFragments TLSOption
+ - Support SFTPOption for ignoring requests to modify timestamps (bug 3706)
+ - RPM build on CentOS 5.5 (64bit): "File not found by glob" (bug 3640)
+ - Response pool use-after-free memory corruption error
+ (bug 3711, #752812, ZDI-CAN-1420, CVE-2011-4130)
+- Drop upstream patch for make_scrambled_password_323
+- Use upstream SysV initscript rather than our own
+- Use upstream systemd service file rather than our own
+- Use upstream PAM configuration rather than our own
+- Use upstream logrotate configuration rather than our own
+- Use upstream tempfiles configuration rather than our own
+- Use upstream xinetd configuration rather than our own
+
+* Thu Oct 6 2011 Paul Howarth 1.3.4-0.15.rc3
+- Add upstream patch to not try make_scrambled_password_323 if the MySQL
+ library doesn't export it (#718327, upstream bug 3669); this removes support
+ for password hashes generated on MySQL prior to 4.1
+
+* Thu Sep 29 2011 Paul Howarth 1.3.4-0.14.rc3
+- Update to 1.3.4rc3 (see NEWS and RELEASE_NOTES for full details)
+ - The mod_ldap configuration directives have changed to a simplified version;
+ please read the "Changes" section in README.LDAP for details
+ - Support for using RADIUS for authentication SSH2 logins, and for supporting
+ the NAS-IPv6-Address RADIUS attribute
+ - Automatically disable sendfile support on AIX systems
+ - now prevents renaming/moving a file out of the limited
+ directory
+ - ExtendedLog entries now written for data transfers that time out
+- Drop upstreamed patches
+- Use new --disable-strip option to retain debugging symbols
+- Use upstream LDAP quota table schema rather than our own copy
+- Add patch for broken MySQL auth (#718327, upstream bug 3669)
+- Remove spurious exec permissions on systemd unit file
+
+* Tue Sep 27 2011 Paul Howarth
1.3.4-0.13.rc2
+- Restore back-compatibility with older releases and EPEL, broken by -11 update
+- Use /run rather than /var/run if using systemd init
+- Avoid the use of triggers in SysV-to-systemd migration
+
+* Sat Sep 17 2011 Remi Collet 1.3.4-0.12.rc2
+- Rebuild against libmemcached.so.8
+
+* Mon Sep 12 2011 Tom Callaway 1.3.4-0.11.rc2
+- Convert to systemd
+
+* Fri Jun 3 2011 Paul Howarth 1.3.4-0.10.rc2
+- Rebuild for new libmemcached in Rawhide
+
+* Tue May 17 2011 Paul Howarth 1.3.4-0.9.rc2
+- Add a number of fixes for bugs reported upstream:
+ - Avoid spinning proftpd process if read(2) returns EAGAIN (bug 3639)
+ - SITE CPFR/CPTO does not update quota tally (bug 3641)
+ - Segfault in mod_sql_mysql if "SQLAuthenticate groupsetfast" used (bug 3642)
+ - Disable signal handling for exiting session processes (bug 3644)
+ - Ensure that SQLNamedConnectInfos with PERSESSION connection policies are
+ opened before chroot (bug 3645)
+ - MaxStoreFileSize can be bypassed using REST/APPE (bug 3649)
+ - Fix TCPAccessSyslogLevel directive (bug 3652)
+ - Segfault with "DefaultServer off" and no matching server for incoming IP
+ address (bug 3653)
+
+* Fri Apr 8 2011 Paul Howarth 1.3.4-0.8.rc2
+- Update mod_geoip to 0.3 (update for new regexp API)
+- Drop patch for mod_geoip API fix
+
+* Mon Apr 4 2011 Paul Howarth 1.3.4-0.7.rc2
+- Update to 1.3.4rc2 (see NEWS and RELEASE_NOTES for full details)
+ - Display messages work properly again
+ - Fixes plaintext command injection vulnerability in FTPS implementation
+ (bug 3624)
+ - Fixes CVE-2011-1137 (badly formed SSH messages cause DoS - bug 3586)
+ - Performance improvements, especially during server startup/restarts
+ - New modules mod_memcache and mod_tls_memcache for using memcached servers
+ for caching information among different proftpd servers and/or across
+ sessions
+ - Utilities installed by default: ftpasswd, ftpmail, ftpquota
+ - New configuration directives:
+ - MaxCommandRate
+ - SQLNamedConnectInfo
+ -
TraceOptions
+ - Changed configuration directives:
+ - BanOnEvent
+ - ExtendedLog
+ - LogFormat
+ - PathAllowFilter
+ - PathDenyFilter
+ - SFTPOptions
+ - SFTPPAMOptions
+ - SQLNamedQuery
+ - TLSSessionCache
+ - Trace
+ - New documentation for ConnectionACLs and utilities (ftpasswd etc.)
+- Use the pcre regexp implementation (where possible) rather than the glibc one,
+ which isn't safe with untrusted regexps
+ (http://bugs.proftpd.org/3595, CVE-2010-4051, CVE-2010-4052, #673040)
+- We need libmemcached 0.41 or later for memcached support
+- We need pcre 7.0 or later for pcre regexp support
+- Nobody else likes macros for commands
+
+* Tue Mar 22 2011 Paul Howarth 1.3.4-0.4.rc1
+- Rebuilt for new MySQL client library in Rawhide
+
+* Wed Feb 09 2011 Fedora Release Engineering - 1.3.4-0.3.rc1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 11 2011 Paul Howarth 1.3.4-0.3.rc1
+- Update mod_vroot to 0.9.2
+- Get more of the integration tests working
+
+* Wed Jan 5 2011 Paul Howarth 1.3.4-0.2.rc1
+- Update mod_vroot to 0.9.1
+- Add upstream patches making unit tests work on systems where 127.0.0.1
+ maps to localhost.localdomain rather than just localhost
+
+* Fri Dec 24 2010 Paul Howarth 1.3.4-0.1.rc1
+- Update to 1.3.4rc1 (see RELEASE_NOTES for full details)
+ - Added Japanese translation
+ - Many mod_sftp bugfixes
+ - Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later
+ - Added support for SMTP authentication in ftpmail script
+ - Updated fnmatch implementation, using glibc-2.9 version
+ - New modules: mod_copy, mod_deflate, mod_ifversion, mod_qos
+ - New configuration directives:
+ - Protocols
+ - ScoreboardMutex
+ - SFTPClientAlive
+ - WrapOptions
+ - Changed configuration directives:
+ - BanOnEvent
+ - ListOptions
+ - LogFormat
+ - SFTPOptions
+ - TLSOptions
+ - UseSendfile
+ - Deprecated configuration directives:
+ - DisplayGoAway (support for this directive has been removed)
+- Add %%check section, running the API
tests by default
+- BR: check-devel, needed for the API test suite
+- Add upstream patch (http://bugs.proftpd.org/3568), modified slightly, to fix
+ the API tests
+- Optionally run the perl-based integration test suite if the build option
+ --with integrationtests is supplied; this is off by default as it is not
+ fully maintained and is expected to fail in parts
+ (see http://bugs.proftpd.org/3568#c5)
+- Bundle perl(Test::Unit) 0.14, needed to run the integration test suite
+ (version in Fedora is incompatible later version not from CPAN)
+- BR: perl modules Compress::Zlib, IO::Socket::SSL, Net::FTPSSL, Net::SSLeay,
+ Net::Telnet, Test::Harness and Time::HiRes if building --with integrationtests
+- New DSO modules: mod_copy, mod_deflate, mod_ifversion, mod_qos
+- QoS support can be enabled in /etc/sysconfig/proftpd
+
+* Mon Dec 20 2010 Paul Howarth 1.3.3d-1
+- Update to 1.3.3d
+ - Fixed sql_prepare_where() buffer overflow (bug 3536, CVE-2010-4652)
+ - Fixed CPU spike when handling .ftpaccess files
+ - Fixed handling of SFTP uploads when compression is used
+
+* Fri Dec 10 2010 Paul Howarth 1.3.3c-3
+- Update mod_vroot to 0.9 (improvements to alias handling)
+- Note that the previous default configuration is broken by this change; see
+ the new VRootAlias line in proftpd.conf
+- Add Default-Stop LSB keyword in initscript (for runlevels 0, 1, and 6)
+
+* Wed Dec 1 2010 Paul Howarth 1.3.3c-2
+- Add /etc/tmpfiles.d/proftpd.conf for builds on Fedora 15 onwards to
+ support running with /var/run on tmpfs (#656675)
+
+* Mon Nov 1 2010 Paul Howarth 1.3.3c-1
+- Update to 1.3.3c (#647965)
+ - Fixed Telnet IAC stack overflow vulnerability (CVE-2010-4221)
+ - Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
+ - Fixed SQLite authentications using "SQLAuthType Backend"
+- New DSO module: mod_geoip
+
+* Fri Sep 10 2010 Paul Howarth 1.3.3b-1
+- Update to 1.3.3b
+ - Fixed SFTP directory listing bug
+ - Avoid corrupting utmpx databases on FreeBSD
+ - Avoid null
pointer dereferences during data transfers
+ - Fixed "AuthAliasOnly on" anonymous login
+
+* Fri Jul 2 2010 Paul Howarth 1.3.3a-1
+- Update to 1.3.3a
+ - Added Japanese translation
+ - Many mod_sftp bugfixes
+ - Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later
+ - Fixed handling of utmp/utmpx format changes on FreeBSD
+
+* Thu Feb 25 2010 Paul Howarth 1.3.3-1
+- Update to 1.3.3 (see NEWS for list of fixed bugs)
+- Update PID file location in initscript
+- Drop upstreamed patches
+- Upstream distribution now includes mod_exec, so drop unbundled source
+- New DSO modules:
+ - mod_sftp
+ - mod_sftp_pam
+ - mod_sftp_sql
+ - mod_shaper
+ - mod_sql_passwd
+ - mod_tls_shmcache
+- Configure script no longer appends "/proftpd" to --localstatedir option
+- New utility ftpscrub for scrubbing the scoreboard file
+- Include public key blacklist and Diffie-Hellman parameter files for mod_sftp
+ in %%{_sysconfdir}
+- Remove IdentLookups from config file - disabled by default now
+
+* Mon Feb 15 2010 Paul Howarth 1.3.2d-1
+- Update to 1.3.2d, addressing the following issues:
+ - mod_tls doesn't compile with pre-0.9.7 openssl (bug 3358)
+ - Lack of PID protection in ScoreboardFile (bug 3370)
+ - Crash when retrying a failed login with mod_radius being used (bug 3372)
+ - RADIUS authentication broken on 64-bit platforms (bug 3381)
+ - SIGHUP eventually causes certain DSO modules to segfault (bug 3387)
+
+* Thu Dec 10 2009 Paul Howarth 1.3.2c-1
+- Update to 1.3.2c, addressing the following issues:
+ - SSL/TLS renegotiation vulnerability (CVE-2009-3555, bug 3324)
+ - Failed database transaction can cause mod_quotatab to loop (bug 3228)
+ - Segfault in mod_wrap (bug 3332)
+ - sections can have problems (bug 3337)
+ - mod_wrap2 segfaults when a valid user retries the USER command (bug 3341)
+ - mod_auth_file handles 'getgroups' request incorrectly (bug 3347)
+ - Segfault caused by scrubbing zero-length portion of memory (bug 3350)
+- Drop upstreamed segfault patch
+
+* Thu
Dec 10 2009 Paul Howarth 1.3.2b-3
+- Add patch for upstream bug 3350 - segfault on auth failures
+
+* Wed Dec 9 2009 Paul Howarth 1.3.2b-2
+- Reduce the mod_facts patch to the single commit addressing the issue with
+ directory names with glob characters (#521634), avoiding introducing a
+ further problem with (#544002)
+
+* Wed Oct 21 2009 Paul Howarth 1.3.2b-1
+- Update to 1.3.2b
+ - Fixed regression causing command-line define options not to work (bug 3221)
+ - Fixed SSL/TLS cert subjectAltName verification (bug 3275, CVE-2009-3639)
+ - Use correct cached user values with "SQLNegativeCache on" (bug 3282)
+ - Fix slower transfers of multiple small files (bug 3284)
+ - Support MaxTransfersPerHost, MaxTransfersPerUser properly (bug 3287)
+ - Handle symlinks to directories with trailing slashes properly (bug 3297)
+- Drop upstreamed defines patch (bug 3221)
+
+* Thu Sep 17 2009 Paul Howarth 1.3.2a-7
+- Restore backward SRPM compatibility broken by previous change
+
+* Wed Sep 16 2009 Tomas Mraz 1.3.2a-6
+- Use password-auth common PAM configuration instead of system-auth
+
+* Mon Sep 7 2009 Paul Howarth 1.3.2a-5
+- Add upstream patch for MLSD with dirnames containing glob chars (#521634)
+
+* Wed Sep 2 2009 Paul Howarth 1.3.2a-4
+- New DSO module: mod_exec (#520214)
+
+* Fri Aug 21 2009 Tomas Mraz 1.3.2a-3.1
+- Rebuilt with new openssl
+
+* Wed Aug 19 2009 Paul Howarth 1.3.2a-3
+- Use mod_vroot to work around PAM/chroot issues (#477120, #506735)
+
+* Fri Jul 31 2009 Paul Howarth 1.3.2a-2
+- Add upstream patch to fix parallel build (http://bugs.proftpd.org/3189)
+
+* Mon Jul 27 2009 Paul Howarth 1.3.2a-1
+- Update to 1.3.2a
+- Add patch to reinstate support for -DPARAMETER (http://bugs.proftpd.org/3221)
+- Retain CAP_AUDIT_WRITE, needed for pam_loginuid (#506735, fixed upstream)
+- Remove ScoreboardFile directive from configuration file - default value
+ works better with SELinux (#498375)
+- Ship mod_quotatab_sql.so in the main package rather than the SQL backend
+
subpackages
+- New DSO modules:
+ - mod_ctrls_admin
+ - mod_facl
+ - mod_load
+ - mod_quotatab_radius
+ - mod_radius
+ - mod_ratio
+ - mod_rewrite
+ - mod_site_misc
+ - mod_wrap2
+ - mod_wrap2_file
+ - mod_wrap2_sql
+- Enable mod_lang/nls support for RFC 2640 (and buildreq gettext)
+- Add /etc/sysconfig/proftpd to set PROFTPD_OPTIONS and update initscript to
+ use this value so we can use a define to enable (e.g.) anonymous FTP support
+ rather than having a huge commented-out section in the config file
+- Rewrite config file to remove most settings that don't change upstream
+ defaults, and add brief descriptions for all available loadable modules
+- Move Umask and IdentLookups settings from server config to context
+ so that they apply to all servers, including virtual hosts (#509251)
+- Ensure mod_ifsession is always the last one specified, which makes sure that
+ mod_ifsession's changes are seen properly by other modules
+- Drop pam version requirement - all targets have sufficiently recent version
+- Drop redundant explicit dependency on pam
+- Subpackages don't need to own %%{_libexecdir}/proftpd directory
+- Drop redundant krb5-devel buildreq
+- Make SRPM back-compatible with EPEL-4 (TLS cert dirs, PAM config)
+- Don't include README files for non-Linux platforms
+- Recode ChangeLog as UTF-8
+- Don't ship the prxs tool for building custom DSO's since we don't ship the
+ headers either
+- Prevent stripping of binaries in a slightly more robust way
+- Fix release tag to be ready for future beta/rc versions
+- Define RPM macros in global scope
+- BuildRequire libcap-devel so that we use the system library rather than the
+ bundled one, and eliminate log messages like:
+ kernel: warning: `proftpd' uses 32-bit capabilities (legacy support in use)
+
+* Sun Jul 26 2009 Fedora Release Engineering 1.3.2-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Apr 9 2009 Matthias Saou 1.3.2-2.1
+- Update the tcp_wrappers BR to be just
/usr/include/tcpd.h instead. + +* Thu Apr 9 2009 Matthias Saou 1.3.2-2 +- Fix tcp_wrappers-devel BR conditional. + +* Mon Apr 6 2009 Matthias Saou 1.3.2-1 +- Update to 1.3.2. +- Include mod_wrap (#479813). +- Tried to include mod_wrap2* modules but build failed. + +* Thu Feb 26 2009 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sat Jan 24 2009 Caolán McNamara 1.3.2-0.3.rc3 +- Rebuild for dependencies + +* Fri Jan 2 2009 Matthias Saou 1.3.2-0.2.rc3 +- Update default configuration to have a lit of available modules and more + example configuration for them. + +* Mon Dec 22 2008 Matthias Saou 1.3.2-0.1.rc3 +- Update to 1.3.2rc3 (fixes security issue #464127) +- Exclude new pkgconfig file, as we already exclude header files (if someone + ever needs to rebuild something against this proftpd, just ask and I'll split + out a devel package... but it seems pretty useless currently). +- Remove no longer needed find-umode_t patch. + +* Fri Aug 8 2008 Matthias Saou 1.3.1-6 +- Add mod_ban support (#457289, Philip Prindeville). + +* Tue Feb 19 2008 Fedora Release Engineering +- Autorebuild for GCC 4.3 + +* Wed Feb 13 2008 Matthias Saou 1.3.1-4 +- Pass --enable-shadow to also have it available, not just PAM (#378981). +- Add mod_ifsession as DSO (#432539). + +* Mon Dec 17 2007 Matthias Saou 1.3.1-3 +- Rebuild for new openssl, patch from Paul Howarth. + +* Mon Oct 22 2007 Matthias Saou 1.3.1-2 +- Include openldap schema file for quota support (Fran Taylor, #291891). +- Include FDS compatible LDIF file for quota support (converted). +- Prefix source welcome.msg for consistency. + +* Tue Oct 9 2007 Matthias Saou 1.3.1-1 +- Update to 1.3.1 final. +- Remove all patches (upstream). + +* Sun Aug 19 2007 Matthias Saou 1.3.1-0.2.rc3 +- Update to 1.3.1rc3 (the only version to fix #237533 aka CVE-2007-2165). +- Remove all patches, none are useful anymore. +- Patch sstrncpy.c for config.h not being included (reported upstream #2964). 
+- Patch mod_sql_mysql.c to fix a typo (already fixed in CVS upstream).
+- Exclude new headers, at least until some first 3rd party module shows up.
+- Clean up old leftover CVS strings from our extra files.
+- LSB-ize the init script (#247033).
+- Explicitly pass --enable-openssl since configure tells us "(default=no)".
+- Include patch to fix open calls on F8.
+
+* Sun Aug 12 2007 Matthias Saou 1.3.0a-8
+- Fix logrotate entry to silence error when proftpd isn't running (#246392).
+
+* Mon Aug 6 2007 Matthias Saou 1.3.0a-7
+- Include patch to fix "open" calls with recent glibc.
+
+* Mon Aug 6 2007 Matthias Saou 1.3.0a-6
+- Update License field.
+
+* Fri Jun 15 2007 Matthias Saou 1.3.0a-5
+- Remove _smp_mflags to (hopefully) fix build failure.
+
+* Fri Jun 15 2007 Matthias Saou 1.3.0a-4
+- Fix PAM entry for F7+ (#244168). Still doesn't work with selinux, though.
+
+* Fri May 4 2007 Matthias Saou 1.3.0a-4
+- Fix auth bypass vulnerability (#237533, upstream #2922)... not! :-(
+
+* Tue Feb 6 2007 Matthias Saou 1.3.0a-3
+- Patch to fix local user buffer overflow in controls request handling, rhbz
+ bug #219938, proftpd bug #2867.
+
+* Mon Dec 11 2006 Matthias Saou 1.3.0a-2
+- Rebuild against new PostgreSQL.
+
+* Mon Nov 27 2006 Matthias Saou 1.3.0a-1
+- Update to 1.3.0a, which actually fixes CVE-2006-5815... yes, #214820!).
+
+* Thu Nov 16 2006 Matthias Saou 1.3.0-10
+- Fix cmdbufsize patch for missing CommandBufferSize case (#214820 once more).
+
+* Thu Nov 16 2006 Matthias Saou 1.3.0-9
+- Include mod_tls patch (#214820 too).
+
+* Mon Nov 13 2006 Matthias Saou 1.3.0-8
+- Include cmdbufsize patch (#214820).
+
+* Mon Aug 28 2006 Matthias Saou 1.3.0-7
+- FC6 rebuild.
+
+* Mon Aug 21 2006 Matthias Saou 1.3.0-6
+- Add mod_quotatab, _file, _ldap and _sql (#134291).
+
+* Mon Jul 3 2006 Matthias Saou 1.3.0-5
+- Disable sendfile by default since it breaks displaying the download speed in
+ ftptop and ftpwho (#196913).
+
+* Mon Jun 19 2006 Matthias Saou 1.3.0-4
+- Include ctrls restart patch, see #195884 (patch from proftpd.org #2792).
+
+* Wed May 10 2006 Matthias Saou 1.3.0-3
+- Add commented section about DSO loading to the default proftpd.conf.
+- Update TLS cert paths in the default proftpd.conf to /etc/pki/tls.
+
+* Fri Apr 28 2006 Matthias Saou 1.3.0-2
+- Mark pam.d and logrotate.d config files as noreplace.
+- Include patch to remove -rpath to DESTDIR/usr/sbin/ in the proftpd binary
+ when DSO is enabled (#190122).
+
+* Fri Apr 21 2006 Matthias Saou 1.3.0-1
+- Update to 1.3.0 final.
+- Remove no longer needed PostgreSQL and OpenSSL detection workarounds.
+- Remove explicit conflicts on wu-ftpd, anonftp and vsftpd to let people
+ install more than one ftp daemon (what for? hmm...) (#189023).
+- Enable LDAP, MySQL and PostgreSQL as DSOs by default, and stuff them in
+ new sub-packages. This won't introduce any regression since they weren't
+ enabled by default.
+- Remove useless explicit requirements.
+- Rearrange scriplets requirements.
+- Enable ctrls (controls via ftpdctl) and facl (POSIX ACLs).
+- Using --disable-static makes the build fail, so exclude .a files in %%files.
+- Silence harmless IPv6 failure message at startup when IPv6 isn't available.
+
+* Tue Mar 7 2006 Matthias Saou 1.3.0-0.2.rc4
+- Update to 1.3.0rc4 (bugfix release).
+
+* Mon Mar 6 2006 Matthias Saou 1.3.0-0.2.rc3
+- FC5 rebuild.
+
+* Thu Feb 9 2006 Matthias Saou 1.3.0-0.1.rc3
+- Update to 1.3.0rc3, which builds with the latest openssl.
+
+* Thu Nov 17 2005 Matthias Saou 1.2.10-7
+- Rebuild against new openssl library... not.
+
+* Wed Jul 13 2005 Matthias Saou 1.2.10-6
+- The provided pam.d file no longer works, use our own based on the one from
+ the vsftpd package (#163026).
+- Rename the pam.d file we use from 'ftp' to 'proftpd'.
+- Update deprecated AuthPAMAuthoritative in the config file (see README.PAM).
+
+* Tue May 10 2005 Matthias Saou 1.2.10-4
+- Disable stripping in order to get useful debuginfo packages.
+
+* Wed Apr 6 2005 Michael Schwendt 1.2.10-3
+- rebuilt
+
+* Tue Nov 16 2004 Matthias Saou 1.2.10-2
+- Bump release to provide Extras upgrade path.
+
+* Wed Sep 22 2004 Matthias Saou 1.2.10-1
+- Updated to release 1.2.10.
+
+* Tue Jun 22 2004 Matthias Saou 1.2.9-8
+- Added ncurses-devel build requires to fix the ftptop utility.
+
+* Thu Feb 26 2004 Magnus-swe 1.2.9-7
+- Fixed the scoreboard and pidfile issues.
+
+* Fri Jan 9 2004 Matthias Saou 1.2.9-6
+- Pass /var/run/proftpd as localstatedir to configure to fix pid and
+ scoreboard file problems.
+
+* Wed Dec 10 2003 Matthias Saou 1.2.9-4
+- Fixed the MySQL include path, thanks to Jim Richardson.
+- Renamed the postgres conditional build to postgresql.
+
+* Tue Nov 11 2003 Matthias Saou 1.2.9-3
+- Renamed the xinetd service to xproftpd to avoid conflict.
+- Only HUP the standalone proftpd through logrotate if it's running.
+
+* Fri Nov 7 2003 Matthias Saou 1.2.9-2
+- Rebuild for Fedora Core 1.
+- Modified the init script to make it i18n aware.
+
+* Fri Oct 31 2003 Matthias Saou 1.2.9-1
+- Update to 1.2.9.
+
+* Wed Sep 24 2003 Matthias Saou
+- Update to 1.2.8p to fix secutiry vulnerability.
+- Fix the TLS build option at last, enable it by default.
+
+* Mon Aug 4 2003 Matthias Saou
+- Minor fixes in included README files.
+
+* Mon Mar 31 2003 Matthias Saou
+- Rebuilt for Red Hat Linux 9.
+
+* Thu Mar 13 2003 Matthias Saou
+- Update to 1.2.8.
+- Remove the renamed linuxprivs module.
+- Added TLS module build option.
+
+* Fri Dec 13 2002 Matthias Saou
+- Fix change for ScoreboardFile in the default conf, thanks to Sven Hoexter.
+
+* Mon Dec 9 2002 Matthias Saou
+- Update to 1.2.7.
+
+* Thu Sep 26 2002 Matthias Saou
+- Rebuilt for Red Hat Linux 8.0.
+
+* Tue Sep 17 2002 Matthias Saou
+- Update to 1.2.6.
+- Fixed typo in the config for "AllowForeignAddress" thanks to Michel Kraus.
+- Removed obsolete user install patch.
+- Added "modular" ldap, mysql and postgresql support.
+
+* Mon Jun 10 2002 Matthias Saou
+- Update to 1.2.5.
+- Changed the welcome.msg to config so that it doesn't get replaced.
+
+* Fri May 3 2002 Matthias Saou
+- Rebuilt against Red Hat Linux 7.3.
+- Added the %%{?_smp_mflags} expansion.
+
+* Tue Oct 23 2001 Matthias Saou
+- Changed the default config file : Where the pid file is stored, addedd
+ an upload authorization in anon server, and separate anon logfiles.
+- Updated welcome.msg to something nicer.
+
+* Fri Oct 19 2001 Matthias Saou
+- Update to 1.2.4, since 1.2.3 had a nasty umask bug.
+
+* Sat Aug 18 2001 Matthias Saou
+- Update to 1.2.2 final.
+- Changed the default config file a lot.
+
+* Wed Apr 25 2001 Matthias Saou
+- Update to 1.2.2rc2.
+
+* Mon Apr 2 2001 Matthias Saou
+- Update to 1.2.2rc1.
+
+* Tue Mar 20 2001 Matthias Saou
+- Added a DenyFilter to prevent a recently discovered DOS attack.
+ This is only useful for fresh installs since the config file is not
+ overwritten.
+
+* Fri Mar 2 2001 Matthias Saou
+- Upgraded to 1.2.1.
+- New init script (added condrestart).
+
+* Tue Feb 27 2001 Matthias Saou
+- Upgraded to 1.2.0 final.
+
+* Tue Feb 6 2001 Matthias Saou
+- Upgraded to 1.2.0rc3 (at last a new version!)
+- Modified the spec file to support transparent upgrades
+
+* Wed Nov 8 2000 Matthias Saou
+- Upgraded to the latest CVS to fix the "no PORT command" bug
+- Fixed the ftpuser creation script
+- Modified the default config file to easily change to an anonymous
+ server
+
+* Sun Oct 15 2000 Matthias Saou
+ [proftpd-1.2.0rc2-2]
+- Updated the spec file and build process for RedHat 7.0
+- Added xinetd support
+- Added logrotate.d support
+
+* Fri Jul 28 2000 Matthias Saou
+ [proftpd-1.2.0rc2-1]
+- Upgraded to 1.2.0rc2
+
+- Upgraded to 1.2.0rc1
+* Sat Jul 22 2000 Matthias Saou
+ [proftpd-1.2.0rc1-1]
+- Upgraded to 1.2.0rc1
+- Re-did the whole spec file (it's hopefully cleaner now)
+- Made a patch to be able to build the RPM as an other user than root
+- Added default pam support (but without /etc/shells check)
+- Rewrote the rc.d script (mostly exit levels and ftpshut stuff)
+- Modified the default configuration file to not display a version number
+- Changed the package to standalone in one single RPM easily changeable
+ to inetd (for not-so-newbie users)
+- Fixed the ftpusers generating shell script (missing "nu"s for me...)
+- Removed mod_ratio (usually used with databases modules anyway)
+- Removed the prefix (relocations a rarely used on non-X packages)
+- Gzipped the man pages
+
+* Thu Oct 07 1999 O.Elliyasa
+- Multi package creation.
+ Created core, standalone, inetd (&doc) package creations.
+ Added startup script for init.d
+ Need to make the "standalone & inetd" packages being created as "noarch"
+- Added URL.
+- Added prefix to make the package relocatable.
+
+* Wed Sep 08 1999 O.Elliyasa
+- Corrected inetd.conf line addition/change logic.
+
+* Sat Jul 24 1999 MacGyver
+- Initial import of spec.