Package: lftp
Version: 4.7.4-1
Severity: important
Tags: upstream
LFTP implements a certificate verification that can't handle
cross-singing when the cross-sign CA expires. The result is that you
can't use lftp to access ftp servers that use Let's Encrypt
certificates, with the recent expiration of DST root CA X3.
All Debian versions are affected (don't mind my oldoldstable version).
Fix is not ready, but is pending. It needs back-porting (in supported
Debian versions).
https://github.com/lavv17/lftp/issues/641
-- System Information:
Debian Release: 9.13
APT prefers oldoldstable
APT policy: (500, 'oldoldstable')
Architecture: i386 (i686)
Kernel: Linux 4.9.0-16-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default
locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages lftp depends on:
ii libc6 2.24-11+deb9u4
ii libgcc1 1:6.3.0-18+deb9u1
ii libgnutls30 3.5.8-5+deb9u6
ii libidn11 1.33-1+deb9u1
ii libreadline7 7.0-3
ii libstdc++66.3.0-18+deb9u1
ii libtinfo5 6.0+20161126-1+deb9u2
ii netbase 5.4
ii zlib1g1:1.2.8.dfsg-5
Versions of packages lftp recommends:
ii openssh-client [ssh-client] 1:7.4p1-10+deb9u7
lftp suggests no packages.
-- debconf information: