Wednesday 19th February 2020
Fedora Project
Updated perl-Net-SSLeay (1.88) with some spec file clean-ups from Tom Stellard (PR#1)
Updated proftpd to 1.3.6c in F-30, F-31, F-32, Rawhide and EPEL-8:
Use-after-free vulnerability in memory pools during data transfer (CVE-2020-9273, GH#903)
Fix mod_tls compilation with LibreSSL 2.9.x (GH#810)
MaxClientsPerUser was not enforced for SFTP logins when mod_digest was enabled (GH#750)
mod_sftp now handles an OpenSSH-specific private key format; it detects such keys, and logs a hint about reformatting them to a supported format (GH#793)
Directory listing was slower compared to previous ProFTPD versions (GH#793)
mod_sftp crashed when using pubkey-auth with DSA keys (GH#866)
Fix improper handling of TLS CRL lookups (CVE-2019-19269, CVE-2019-19270, GH#859)
Leaking PAM handler and data in case of unsuccessful authentication (GH#870)
SSH authentication failed for many clients due to receipt of an SSH_MSG_IGNORE packet (ProFTPD Bug#4385)
SFTP publickey authentication failed unexpectedly when user had no shadow password info (GH#890)
ftpasswd failed to restore password file permissions in some cases (GH#898)
Out-of-bounds read in mod_cap getstateflags() function; this has been addressed by updating the bundled version of libcap (CVE-2020-9272, GH#902)
Note that the Fedora builds of ProFTPD use the system version of libcap and not the bundled version, and are not vulnerable to this issue.
Local Packages
Updated proftpd to 1.3.6c as per the Fedora version