Your message dated Wed, 08 Jan 2020 21:47:10 +0000
with message-id <[email protected]>
and subject line Bug#946346: fixed in proftpd-dfsg 1.3.6-4+deb10u3
has caused the Debian Bug report #946346,
regarding proftpd-dfsg: CVE-2019-19270
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946346
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: proftpd-dfsg
Version: 1.3.6b-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/proftpd/proftpd/issues/859
Control: found -1 1.3.6-4+deb10u2

Hi,

The following vulnerability was published for proftpd-dfsg.

CVE-2019-19270[0]:
| An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b.
| Failure to check for the appropriate field of a CRL entry (checking
| twice for subject, rather than once for subject and once for issuer)
| prevents some valid CRLs from being taken into account, and can allow
| clients whose certificates have been revoked to proceed with a
| connection to the server.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19270
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19270
[1] https://github.com/proftpd/proftpd/issues/859

Regards,
Salvatore

--- End Message ---
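The lookup mistake named in the CVE text above, as an added example that is not part of the original messages and is not ProFTPD code. It is a simplified Python model with constructed certificates and a constructed CRL store; every name in it (Cert, Crl, crls_for, is_revoked) is hypothetical. It covers only the revocation lookup, and shows why a CRL search keyed on the certificate's subject misses a revoked client certificate while one keyed on its issuer finds it.

```python
# Simplified model of the revocation lookup (constructed data, hypothetical names;
# not ProFTPD's tls_verify_crl implementation).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class Crl:
    issuer: str  # name of the CA that published this CRL
    revoked_serials: set = field(default_factory=set)


def crls_for(store, name):
    """Return the CRLs in the store that were published by `name`."""
    return [crl for crl in store if crl.issuer == name]


def is_revoked(cert, store, lookup_field="issuer"):
    """Report whether `cert` is listed in a CRL found in `store`.

    A certificate can only be listed in a CRL published by its issuer, so the
    store has to be searched by cert.issuer. lookup_field="subject" models the
    flaw described in the CVE text (subject used where issuer was needed).
    """
    name = getattr(cert, lookup_field)
    return any(cert.serial in crl.revoked_serials for crl in crls_for(store, name))


# Constructed sample data: one CA, one client certificate it issued and revoked.
CLIENT = Cert(subject="CN=client", issuer="CN=Example CA", serial=42)
STORE = [Crl(issuer="CN=Example CA", revoked_serials={42})]


def demo():
    """Compare the subject-keyed lookup with the issuer-keyed lookup."""
    return {
        "subject_lookup": is_revoked(CLIENT, STORE, "subject"),
        "issuer_lookup": is_revoked(CLIENT, STORE, "issuer"),
    }


if __name__ == "__main__":
    print(demo())
```

For a self-signed certificate the subject and issuer are the same name, so both lookups agree there; the difference only appears for certificates issued by another CA.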
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.6-4+deb10u3

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preusse <[email protected]> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 31 Dec 2019 12:06:17 +0100
Source: proftpd-dfsg
Architecture: source
Version: 1.3.6-4+deb10u3
Distribution: buster
Urgency: medium
Maintainer: ProFTPD Maintainance Team <[email protected]>
Changed-By: Hilmar Preusse <[email protected]>
Closes: 946345 946346
Changes:
 proftpd-dfsg (1.3.6-4+deb10u3) buster; urgency=medium
 .
   * Cherry pick patch from upstream:
      - for upstream 861 (CVE-2019-19269) (Closes: #946345)
      - for upstream 859 (CVE-2019-19270) (Closes: #946346)
      upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
