Hello community, here is the log from the commit of package pure-ftpd for openSUSE:11.3 checked in at Tue Apr 12 10:33:35 CEST 2011.
--------
--- old-versions/11.3/all/pure-ftpd/pure-ftpd.changes 2010-05-25 15:10:56.000000000 +0200
+++ 11.3/pure-ftpd/pure-ftpd.changes 2011-04-11 15:00:03.000000000 +0200
@@ -1,0 +2,7 @@
+Mon Apr 11 12:57:42 UTC 2011 - mvyskocil@suse.cz
+
+- fix bnc#686590 - VUL-0: new pure-ftpd version fix STARTTLS issues similar to
+ CVE-2011-0411
+ * flush command buffer after switch to TLS
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.3/all/pure-ftpd Destination is old-versions/11.3/UPDATES/all/pure-ftpd calling whatdependson for 11.3-i586
New:
----
pure-ftpd-1.0.29-flush-cmd-after-tls.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pure-ftpd.spec ++++++
--- /var/tmp/diff_new_pack.H7tug0/_old 2011-04-12 10:32:56.000000000 +0200
+++ /var/tmp/diff_new_pack.H7tug0/_new 2011-04-12 10:32:56.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package pure-ftpd (Version 1.0.29)
+# spec file for package pure-ftpd
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 Name: pure-ftpd
 Version: 1.0.29
-Release: 1
+Release: 2.<RELEASE2>
 License: BSD3c
 Summary: A Lightweight, Fast, and Secure FTP Server
 Url: http://www.pureftpd.org
@@ -40,6 +40,9 @@
 Patch7: %{name}-1.0.22-default_tcp_sedrcv_buffer_size.patch
 # PATCH-FEATURE-OPENSUSE %{name}-1.0.21-portrange.patch -- Add PassivePortRange to "%numpairc_switch_for".
 Patch8: %{name}-1.0.21-portrange.patch
+#PATCH-FIX-UPSTREAM:
+#https://github.com/jedisct1/pure-ftpd/commit/65c4d4ad331e94661de763e9b5304d2...
+Patch9: pure-ftpd-1.0.29-flush-cmd-after-tls.patch
 Patch100: %{name}-1.0.20-oes_remote_server.patch
 BuildRequires: mysql-devel
 BuildRequires: openldap2-devel
@@ -69,6 +72,7 @@
 %patch5
 %patch7
 %patch8
+%patch9 -p1
 # uncomment this if you want to have the OES remote_server feature
 # %patch100 -p0
++++++ pure-ftpd-1.0.29-flush-cmd-after-tls.patch ++++++
Index: pure-ftpd-1.0.29/src/ftp_parser.c
===================================================================
--- pure-ftpd-1.0.29.orig/src/ftp_parser.c 2010-03-15 16:20:24.000000000 +0100
+++ pure-ftpd-1.0.29/src/ftp_parser.c 2011-04-11 14:58:58.189341827 +0200
@@ -56,6 +56,13 @@
 *
 * -Frank.
 */
+static size_t scanned;
+static size_t readnbd;
+
+static void flush_cmd(void)
+{
+ scanned = readnbd = (size_t) 0U;
+}
 int sfgets(void)
 {
@@ -63,8 +70,6 @@
 int pollret;
 ssize_t readnb;
 signed char seen_r = 0;
- static size_t scanned;
- static size_t readnbd;
 if (scanned > (size_t) 0U) { /* support pipelining */
 readnbd -= scanned;
@@ -362,6 +367,7 @@
 addreply_noformat(234, "AUTH TLS OK.");
 doreply();
 if (tls_cnx == NULL) {
+ flush_cmd();
 (void) tls_init_new_session();
 }
 goto wayout;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
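Review bot: In the `@@ -56,6 +56,13 @@` hunk the new statics and `flush_cmd()` are inserted between the block comment ending in `-Frank. */` and `int sfgets(void)`, so that comment now sits on top of unrelated declarations. The comment starts outside the hunk and appears to describe sfgets; placing the additions above the comment would keep it attached. `scanned` and `readnbd` are now visible to the whole file and each deserves a line, for example `/* bytes of the command buffer already consumed by the parser */` and `/* bytes of the command buffer filled from the socket */`. Those meanings are inferred from the pipelining lines in the following hunk and should be confirmed. `flush_cmd()` itself should carry a one-line comment saying that it discards all buffered, not yet parsed client input.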
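Review bot: In the `@@ -362,6 +367,7 @@` hunk, `flush_cmd()` inside `if (tls_cnx == NULL)` drops whatever was pipelined after `AUTH TLS` without leaving a trace, and nothing at the call site says why it must run before `tls_init_new_session()`. Going by the changelog entry (STARTTLS issue similar to CVE-2011-0411), leftover cleartext at this point means a broken client or an attempt to inject commands across the TLS upgrade, so it is worth a log entry. Judging by the pipelining lines in sfgets, testing `readnbd > scanned` before the reset would detect it, and the result can go through the daemon's normal logging. I would also add above the call `/* Drop input received in cleartext before the handshake so it is never executed as if it had arrived over TLS. */`. The result of `tls_init_new_session()` is still cast to `(void)` on the next context line, and the enclosing function starts and ends outside the hunk, so what happens after a failed handshake cannot be judged from here.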