#acl PaulHowarth:read,write,admin,revert,delete All:read

=== Wednesday 19th February 2020 ===

==== Fedora Project ====

 * Updated `perl-Net-SSLeay` (1.88) with some spec file clean-ups from Tom Stellard ([[https://src.fedoraproject.org/rpms/perl-Net-SSLeay/pull-request/1|PR#1]])
 * Updated `proftpd` to 1.3.6c in F-30, F-31, F-32, Rawhide and EPEL-8:
  * Use-after-free vulnerability in memory pools during data transfer ([[CVE:2020-9273|CVE-2020-9273]], [[https://github.com/proftpd/proftpd/issues/903|GH#903]])
  * Fix `mod_tls` compilation with LibreSSL 2.9.x ([[https://github.com/proftpd/proftpd/issues/810|GH#810]])
  * `MaxClientsPerUser` was not enforced for SFTP logins when `mod_digest` was enabled ([[https://github.com/proftpd/proftpd/issues/750|GH#750]])
  * `mod_sftp` now handles an OpenSSH-specific private key format; it detects such keys, and logs a hint about reformatting them to a supported format ([[https://github.com/proftpd/proftpd/issues/793|GH#793]])
  * Directory listing was slower compared to previous ProFTPD versions ([[https://github.com/proftpd/proftpd/issues/793|GH#793]])
  * `mod_sftp` crashed when using pubkey-auth with DSA keys ([[https://github.com/proftpd/proftpd/issues/866|GH#866]])
  * Fix improper handling of TLS CRL lookups ([[CVE:2019-19269|CVE-2019-19269]], [[CVE:2019-19270|CVE-2019-19270]], [[https://github.com/proftpd/proftpd/issues/859|GH#859]])
  * Leaking PAM handler and data in case of unsuccessful authentication ([[https://github.com/proftpd/proftpd/issues/870|GH#870]])
  * SSH authentication failed for many clients due to receipt of an `SSH_MSG_IGNORE` packet ([[ProftpdBugzilla:4385|ProFTPD Bug#4385]])
  * SFTP publickey authentication failed unexpectedly when the user had no shadow password info ([[https://github.com/proftpd/proftpd/issues/890|GH#890]])
  * `ftpasswd` failed to restore password file permissions in some cases ([[https://github.com/proftpd/proftpd/issues/898|GH#898]])
  * Out-of-bounds read in `mod_cap` `getstateflags()` function; this has been addressed by updating the bundled version of `libcap` ([[CVE:2020-9272|CVE-2020-9272]], [[https://github.com/proftpd/proftpd/issues/902|GH#902]])
   . Note that the Fedora builds of ProFTPD use the system version of `libcap` and not the bundled version, and are not vulnerable to this issue

==== Local Packages ====

 * Updated `proftpd` to 1.3.6c as per the Fedora version

----