-
Tue Mar 18 2025 Paul Howarth <paul@city-fan.org> - 1.3.8d-1
- Update to 1.3.8d
- Use of HideNoAccess for SFTP sessions can lead to segfault and/or
unexpected behaviour (GH#1855)
- SFTP channel allocations can lead to high memory utilization over time
(GH#1876)
- Avoid NULL pointer dereferences in mod_ls (GH#1866, CVE-2024-57392)
-
Thu Feb 13 2025 Paul Howarth <paul@city-fan.org> - 1.3.8c-2
- Avoid NULL pointer dereferences in mod_ls (CVE-2024-57392)
- https://github.com/proftpd/proftpd/issues/1866
-
Thu Dec 12 2024 Paul Howarth <paul@city-fan.org> - 1.3.8c-1
- Update to 1.3.8c
- Using FTPS after upgrading from 1.3.8a to 1.3.8b led to crash (GH#1770)
- Bad handling of lack of extended attributes led to SFTP out of memory
error (GH#1785)
- mod_sftp_sql logged "header value too long" due to unexpected key header
text (GH#1529)
- SSH ECDSA host key algorithms were not used as expected despite configuring
appropriate key (GH#1839)
- RADIUS Message-Authenticator verification failed with ProFTPD mod_radius
(GH#1840)
- Supplemental group inheritance granted unintended access to GID 0 due to
lack of supplemental groups from mod_sql (GH#1830)
-
Tue Nov 19 2024 Paul Howarth <paul@city-fan.org> - 1.3.8b-4
- Fix RADIUS Message-Authenticator verification in mod_radius
- https://github.com/proftpd/proftpd/issues/1840
- https://bugzilla.redhat.com/show_bug.cgi?id=2325448
-
Sun Mar 31 2024 Paul Howarth <paul@city-fan.org> - 1.3.8b-3
- Add 'proxy' sub-package with unbundled mod_proxy (rhbz#2272051)
- Update fsio.c: if mkdir fails with EEXIST, also clear the cache (GH#1677)
-
Mon Jan 01 2024 Paul Howarth <paul@city-fan.org> - 1.3.8b-2
- Use libsodium to provide ed25519 key support for mod_sftp (#2256340)
- Update logrotate snippet to use try-reload-or-restart rather than reload
for distributions with systemd 229 or later (PR#3)
-
Wed Dec 20 2023 Paul Howarth <paul@city-fan.org> - 1.3.8b-1
- Update to 1.3.8b
- Compiling ProFTPD 1.3.8a mod_sftp, mod_tls using libressl 3.7.3 failed
(GH#1735)
- Build system failed for specific module names (GH#1756)
- "Terrapin" Prefix Truncation Attacks in SSH Specification affected mod_sftp
(CVE-2023-48795, GH#1760)
-
Mon Oct 09 2023 Paul Howarth <paul@city-fan.org> - 1.3.8a-1
- Update to 1.3.8a
- Fix mod_sftp failure to handle SFTP requests to truncate files to zero size
(GH#1581)
- Fix mod_sftp improperly handling SFTP WRITE requests for files opened for
appending (GH#1584)
- Build-time detection of Linux POSIX ACL support was broken since 1.3.8rc2
(GH#1568)
- Fix failure to load mod_rewrite as a dynamic module due to
incomplete/missing library linker flags (GH#1590)
- <Class> section is allowed to be in <Global>, but From directive is not
(GH#1597)
- ExtendedLog SSH, SFTP classes not working as expected (GH#1617)
- Fix mod_sftp not handling multiple concurrent open file handles/transfers
well for logging (GH#1646)
- "TLSRequired off" plus Protocols directive caused mod_tls to terminate the
session abruptly (GH#1679)
- Fix mod_tls failure to compile against OpenSSL 3.0.8 due to missing
ENGINE_METHOD_ flags (GH#1689)
- Unknown named connection error when using different SQL backends (GH#1659)
- Fix mod_sql not properly closing all named backend connections on session
exit (GH#1697)
- SSH key exchanges failed unexpectedly with "unable to write X bytes of raw
data" errors due to small ProFTPD buffer (GH#1694)
- Fix high session memory usage caused by SFTP outgoing data buffering
(GH#1678)
- Out-of-bounds buffer read when handling FTP commands (GH#1683,
CVE-2023-51713)
- SFTP algorithm settings in <Global> section were not being used (GH#1712)