This update for proftpd fixes the following issues :

  - GeoIP has been discontinued by Maxmind (boo#1156210)     This update removes module build for geoip see     https://support.maxmind.com/geolite-legacy-discontinuati     on-notice/

  - CVE-2019-19269: Fixed a NULL pointer dereference may     occur when validating the certificate of a client     connecting to the server (boo#1157803)

  - CVE-2019-19270: Fixed a Failure to check for the     appropriate field of a CRL entry prevents some valid     CRLs from being taken into account (boo#1157798)

  - CVE-2019-18217: Fixed remote unauthenticated     denial-of-service due to incorrect handling of overly     long commands (boo#1154600 gh#846)

Update to 1.3.6b

  - Fixed pre-authentication remote denial-of-service issue     (Issue #846).

  - Backported fix for building mod_sql_mysql using MySQL 8     (Issue #824).

Update to 1.3.6a :

  - Fixed symlink navigation (Bug#4332).

  - Fixed building of mod_sftp using OpenSSL 1.1.x releases     (Issue#674).

  - Fixed SITE COPY honoring of <Limit> restrictions     (Bug#4372).

  - Fixed segfault on login when using mod_sftp +     mod_sftp_pam (Issue#656).

  - Fixed restarts when using mod_facl as a static module

  - Add missing Requires(pre): group(ftp) for Leap 15 and     Tumbleweed (boo#1155834)

  - Add missing Requires(pre): user(ftp) for Leap 15 and     Tumbleweed (boo#1155834)

  - Use pam_keyinit.so (boo#1144056)

  - Reduce hard dependency on systemd to only that which is     necessary for building and installation.

update to 1.3.6 :

  - Support for using Redis for caching, logging; see the     doc/howto/Redis.html documentation.

  - Fixed mod_sql_postgres SSL support (Issue #415).

  - Support building against LibreSSL instead of OpenSSL     (Issue #361).

  - Better support on AIX for login restraictions (Bug     #4285).

  - TimeoutLogin (and other timeouts) were not working     properly for SFTP connections (Bug#4299).

  - Handling of the SIGILL and SIGINT signals, by the daemon     process, now causes the child processes to be terminated     as well (Issue #461).

  - RPM .spec file naming changed to conform to Fedora     guidelines.

  - Fix for 'AllowChrootSymlinks off' checking each     component for symlinks (CVE-2017-7418).

New Modules :

  - mod_redis, mod_tls_redis, mod_wrap2_redis With Redis now     supported as a caching mechanism, similar to Memcache,     there are now Redis-using modules: mod_redis (for     configuring the Redis connection information),     mod_tls_redis (for caching SSL sessions and OCSP     information using Redis), and mod_wrap2_redis (for using     ACLs stored in Redis).

Changed Modules :

  - mod_ban: The mod_ban module's BanCache directive can now     use Redis-based caching; see     doc/contrib/mod_ban.html#BanCache.

-New Configuration Directives

  - SQLPasswordArgon2, SQLPasswordScrypt

    The key lengths for Argon2 and Scrypt-based passwords     are now configurable via these new directives;
    previously, the key length had been hardcoded to be 32     bytes, which is not interoperable with all other     implementations (Issue #454).

Changed Configuration Directives

  - AllowChrootSymlinks When 'AllowChrootSymlinks off' was     used, only the last portion of the DefaultRoot path     would be checked to see if it was a symlink. Now, each     component of the DefaultRoot path will be checked to see     if it is a symlink when 'AllowChrootSymlinks off' is     used.

  - Include The Include directive can now be used within a     <Limit> section, e.g.: <Limit LOGIN> Include     /path/to/allowed.txt DenyAll </Limit> API Changes

  - A new JSON API has been added, for use by third-party     modules.

Detections

Analytics

openSUSE Security Update : proftpd (openSUSE-2020-31)

critical Nessus Plugin ID 132911

Version 1.3