Package: lftp
Version: 4.7.4-1
Severity: important
Tags: upstream

LFTP implements a certificate verification that can't handle
cross-signing when the cross-sign CA expires. The result is that you
can't use lftp to access ftp servers that use Let's Encrypt
certificates, with the recent expiration of DST root CA X3.

All Debian versions are affected (don't mind my oldoldstable version).

Fix is not ready, but is pending. It needs back-porting (in supported
Debian versions).

https://github.com/lavv17/lftp/issues/641

-- System Information:
Debian Release: 9.13
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-16-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set 
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default 
locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages lftp depends on:
ii  libc6         2.24-11+deb9u4
ii  libgcc1       1:6.3.0-18+deb9u1
ii  libgnutls30   3.5.8-5+deb9u6
ii  libidn11      1.33-1+deb9u1
ii  libreadline7  7.0-3
ii  libstdc++6    6.3.0-18+deb9u1
ii  libtinfo5     6.0+20161126-1+deb9u2
ii  netbase       5.4
ii  zlib1g        1:1.2.8.dfsg-5

Versions of packages lftp recommends:
ii  openssh-client [ssh-client]  1:7.4p1-10+deb9u7

lftp suggests no packages.

-- debconf information:
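
A simplified model of the failure class described in this report, added here as an example; it is not part of the original report and is not lftp's or GnuTLS's code. All certificate names, dates and both verifier functions are hypothetical, and name matching stands in for signature checks.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 10, 5, tzinfo=timezone.utc)   # constructed "current time"
BEFORE_EXPIRY = NOW - timedelta(days=30)           # constructed earlier time
LATER, PAST = NOW + timedelta(days=365), NOW - timedelta(days=5)

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

# Constructed chain as a server might send it: the last entry is the new
# root's key cross-signed by the old root.
SENT_CHAIN = [
    cert("ftp.example.org", "Intermediate", LATER),
    cert("Intermediate", "New Root", LATER),
    cert("New Root", "Old Root", LATER),
]
# Constructed client trust store: old root has expired, new root is valid.
TRUST_STORE = [
    cert("Old Root", "Old Root", PAST),
    cert("New Root", "New Root", LATER),
]

def expired(c, now):
    return c["not_after"] < now

def find(certs, subject):
    return [c for c in certs if c["subject"] == subject]

def verify_fixed_chain(chain, store, now=NOW):
    """Rigid check: only the anchor that issued the LAST sent cert counts."""
    if any(expired(c, now) for c in chain):
        return False
    if any(a["issuer"] != b["subject"] for a, b in zip(chain, chain[1:])):
        return False
    return any(not expired(a, now) for a in find(store, chain[-1]["issuer"]))

def verify_path_building(chain, store, now=NOW):
    """Walk up from the leaf and stop at the first unexpired trust anchor."""
    current, seen = chain[0], set()
    while current["subject"] not in seen and not expired(current, now):
        seen.add(current["subject"])
        if any(not expired(a, now) for a in find(store, current["issuer"])):
            return True
        parents = [c for c in find(chain, current["issuer"]) if c is not current]
        if not parents:
            return False
        current = parents[0]
    return False
```

The rigid check accepts the chain until the old root expires and rejects it afterwards, while the path-building check keeps accepting it because the intermediate's issuer is itself a valid anchor in the store.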
