I hope I am following the proper procedures for security patches, as I am new to Ubuntu development and did my best to follow the packaging guide.

The following debdiff patch fixes this issue by disabling SSLv3 using the -S flag included with the TLSCipherSuite parameter. You can verify the bug by running ./testssl.sh --starttls ftp localhost:21 (script from http://testssl.sh/testssl.sh) and checking that SSLv3 is enabled in the output.

To test, the patch below was applied and the package rebuilt using pbuilder in a clean environment. The output deb file was applied over the currently available trusty version on a virtual machine without issue. The FileZilla client was used to ensure normal operation of the FTP server. Re-running ./testssl.sh --starttls ftp localhost:21 then showed SSLv3 to be disabled.

This issue was fixed in Debian version 1.0.36-3, meaning no future versions of Ubuntu are affected. I chose to use the -S flag rather than the Debian fix of including !SSLv3 in TLSCipherSuite because that also disables TLSv1 and TLSv1.1 (all 3 share the same cipher suites). I can also submit a branch merge request if that method is preferred.
** Patch added: "pure-ftpd_1.0.36-1.1ubuntu0.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/pure-ftpd/+bug/1381840/+attachment/4663553/+files/pure-ftpd_1.0.36-1.1ubuntu0.1.debdiff

https://bugs.launchpad.net/bugs/1381840

Title:
  Wrapper doesn't include TLSCipherSuite
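
An added example, not part of the original report or of the pure-ftpd package: a Python check that audits a TLSCipherSuite value for the two approaches compared in the comment above, the -S flag versus excluding !SSLv3 from the cipher list. It assumes the -S flag is written as the first element of the value, separated from the cipher list by a colon; the function name and the sample values are constructed for illustration.

```python
import re


def audit_tls_cipher_suite(value):
    """Classify how a pure-ftpd TLSCipherSuite value treats SSLv3.

    Assumption: the -S flag is the first element of the value, separated
    from the OpenSSL cipher list by ':' (for example "-S:HIGH:MEDIUM").
    """
    # OpenSSL cipher lists accept ':', ',' or whitespace as separators.
    tokens = [t for t in re.split(r"[:,\s]+", value.strip()) if t]

    # The flag switches the protocol off; it is not a cipher-list element.
    protocol_flag = bool(tokens) and tokens[0] == "-S"
    ciphers = tokens[1:] if protocol_flag else tokens

    # "!SSLv3" or "-SSLv3" removes cipher suites tagged SSLv3. Per the report,
    # TLSv1 and TLSv1.1 share those suites, so they stop working as well.
    suite_exclusion = any(
        t[0] in "!-" and t[1:].lower() == "sslv3" for t in ciphers
    )

    if suite_exclusion:
        verdict = "review: SSLv3 suites excluded, TLSv1/TLSv1.1 lose them too"
    elif protocol_flag:
        verdict = "ok: SSLv3 disabled with the -S flag"
    else:
        verdict = "fail: SSLv3 is not disabled"

    return {
        "protocol_flag": protocol_flag,
        "suite_exclusion": suite_exclusion,
        "cipher_list": ":".join(ciphers),
        "verdict": verdict,
    }


# Constructed sample values, not taken from the debdiff or from Debian.
SAMPLES = {
    "no SSLv3 handling": "HIGH:MEDIUM",
    "-S flag": "-S:HIGH:MEDIUM",
    "suite exclusion": "HIGH:MEDIUM:!SSLv3",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:18} {sample:20} {audit_tls_cipher_suite(sample)['verdict']}")
```

A static check like this complements, and does not replace, re-running testssl.sh against the live server as described in the comment.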