commit proftpd for openSUSE:Factory
Hello community, here is the log from the commit of package proftpd for openSUSE:Factory checked in at 2019-12-29 15:49:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/proftpd (Old) and /work/SRC/openSUSE:Factory/.proftpd.new.6675 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "proftpd" Sun Dec 29 15:49:58 2019 rev:37 rq:759879 version:1.3.6b Changes: -------- --- /work/SRC/openSUSE:Factory/proftpd/proftpd.changes 2019-11-10 22:52:56.394451604 +0100 +++ /work/SRC/openSUSE:Factory/.proftpd.new.6675/proftpd.changes 2019-12-29 15:50:18.759193068 +0100 @@ -1,0 +2,13 @@ +Sat Dec 28 20:45:30 UTC 2019 - chris@computersalat.de + +- fix changes file + * add missing info about boo#1155834 + * add missing info about boo#1154600 +- fix for boo#1156210 + * GeoIP has been discontinued by Maxmind + * remove module build for geoip + see https://support.maxmind.com/geolite-legacy-discontinuation-notice/ +- fix for boo#1157803 (CVE-2019-19269), boo#1157798 (CVE-2019-19270) + * add upstream patch proftpd-tls-crls-issue859.patch + +------------------------------------------------------------------- @@ -3,0 +17 @@ +- fix for boo#1154600 (CVE-2019-18217, gh#846) @@ -21,2 +35,3 @@ -- Add missing Requires(pre): group(ftp) for Leap 15 and Tumbleweed -- Add missing Requires(pre): user(ftp) for Leap 15 and Tumbleweed +- fix for boo#1155834 + * Add missing Requires(pre): group(ftp) for Leap 15 and Tumbleweed + * Add missing Requires(pre): user(ftp) for Leap 15 and Tumbleweed New: ---- proftpd-tls-crls-issue859.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ proftpd.spec ++++++ --- /var/tmp/diff_new_pack.b4EVLz/_old 2019-12-29 15:50:20.847194020 +0100 +++ /var/tmp/diff_new_pack.b4EVLz/_new 2019-12-29 15:50:20.851194022 +0100 
@@ -1,7 +1,7 @@
 #
 # spec file for package proftpd
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 Group: Productivity/Networking/Ftp/Servers
 Version: 1.3.6b
 Release: 0
-Url: http://www.proftpd.org/
+URL: http://www.proftpd.org/
 Source0: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz
 Source1: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz.asc
 Source11: %{name}.init
@@ -47,6 +47,8 @@
 Patch104: %{name}-no_BuildDate.patch
 #RPMLINT-FIX-openSUSE: env-script-interpreter
 Patch105: %{name}_env-script-interpreter.patch
+#PATCH-FIX-UPSTREAM: (CVE-2019-19269, CVE-2019-19270)
+Patch200: %{name}-tls-crls-issue859.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #BuildRequires: gpg-offline
 BuildRequires: fdupes
@@ -54,7 +56,7 @@
 BuildRequires: libacl-devel
 BuildRequires: libattr-devel
 #BuildRequires: libmemcached-devel
-BuildRequires: libGeoIP-devel
+#BuildRequires: libGeoIP-devel
 BuildRequires: mysql-devel
 BuildRequires: ncurses-devel
 BuildRequires: openldap2-devel
@@ -155,8 +157,11 @@
 %patch104
 %patch105
+%patch200 -p1
+
 %build
 rm contrib/mod_wrap.c
+rm contrib/mod_geoip.c
 PROFTPD_SHARED_MODS="$(for spec_mod in $(find contrib -name mod_\*.c|sort); do echo "$(basename ${spec_mod%%.c})"; done | tr '\n' ':' | sed -e 's|:$||')"
 export CFLAGS="%{optflags} -D_GNU_SOURCE -DLDAP_DEPRECATED"
 export CXXFLAGS="$CFLAGS"
++++++ proftpd-tls-crls-issue859.patch ++++++ commit 81cc5dce4fc0285629a1b08a07a109af10c208dd Author: TJ Saunders <tj@castaglia.org> Date: Sun Nov 24 14:03:54 2019 -0800 Issue #859, #861: Fix handling of CRL lookups by properly using issuer for lookups, and guarding against null pointers. (CVE-2019-19269, CVE-2019-19270)
diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
index 4b74cf989..0e08b0399 100644
--- a/contrib/mod_tls.c
+++ b/contrib/mod_tls.c
@@ -9777,10 +9777,10 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
 !defined(HAVE_LIBRESSL)
- crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
+ crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
 !defined(HAVE_LIBRESSL)
- crls = X509_STORE_get1_crls(store_ctx, subject);
+ crls = X509_STORE_get1_crls(store_ctx, issuer);
 #else
 /* Your OpenSSL is before 1.0.0. You really need to upgrade. */
 crls = NULL;
@@ -9799,6 +9799,9 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
 ASN1_INTEGER *sn;
 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
+ if (revoked == NULL) {
+ continue;
+ }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
 !defined(HAVE_LIBRESSL)
 sn = X509_REVOKED_get0_serialNumber(revoked);
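Review bot: The `if (revoked == NULL) { continue; }` added in the @@ -9799 hunk skips the entry silently, with no comment saying why `sk_X509_REVOKED_value()` can hand back NULL here (OpenSSL's stack accessor returns NULL for an empty stack or an out-of-range index), so a later reader may take the guard for a leftover; a one-line comment such as `/* sk_X509_REVOKED_value() yields NULL for an empty stack or bad index; skip rather than dereference. */` would record the intent. The sibling @@ -9777 hunk now passes `issuer` to the get1_crls lookup, but `issuer` is obtained outside the visible lines and neither hunk shows a NULL check on that name before the lookup; if the acquisition site does not already reject a NULL issuer name, that is presumably the remaining null-pointer path the commit message refers to and deserves a guard there. tls_verify_crl() begins before the first hunk and continues past the last visible line (the `#endif` closing the first hunk, the loop bound, CRL signature verification and freeing of the get1 stack are not shown), so those parts are not reviewed here.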