diff --git a/CVE-2024-57392.patch b/CVE-2024-57392.patch
deleted file mode 100644
index bec9794edf1899b7eec34728bbed127ccd248adb..0000000000000000000000000000000000000000
--- a/CVE-2024-57392.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 981a37916fdb7b73435c6d5cdb01428b2269427d Mon Sep 17 00:00:00 2001
-From: TJ Saunders
-Date: Sun, 9 Feb 2025 12:14:25 -0800
-Subject: [PATCH] Issue #1866: Some of the fuzzing tests submitted in the
- advisory ran into existing null pointer dereferences (not buffer overflows);
- let's correct them. (#1867)
-
----
- modules/mod_ls.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/modules/mod_ls.c b/modules/mod_ls.c
-index 5458ccc..3a9688c 100644
---- a/modules/mod_ls.c
-+++ b/modules/mod_ls.c
-@@ -2,7 +2,7 @@
- * ProFTPD - FTP server daemon
- * Copyright (c) 1997, 1998 Public Flood Software
- * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu
-- * Copyright (c) 2001-2022 The ProFTPD Project
-+ * Copyright (c) 2001-2025 The ProFTPD Project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -360,7 +360,8 @@ static int sendline(int flags, char *fmt, ...) {
- errno != 0) {
- int xerrno = errno;
-
-- if (session.d != NULL) {
-+ if (session.d != NULL &&
-+ session.d->outstrm != NULL) {
- xerrno = PR_NETIO_ERRNO(session.d->outstrm);
- }
-
-@@ -1101,7 +1102,9 @@ static int outputfiles(cmd_rec *cmd) {
- return res;
- }
-
-- tail->down = NULL;
-+ if (tail != NULL) {
-+ tail->down = NULL;
-+ }
- tail = NULL;
- colwidth = (colwidth | 7) + 1;
- if (opt_l || !opt_C) {
---
-2.50.1
-
diff --git a/harden_proftpd.service.patch b/harden_proftpd.service.patch
index 00afa0afd19d90c0cc487f87dbdc2c637b491621..f6bc561a4a3d3d24346432e13bf3872db115f1ae 100644
--- a/harden_proftpd.service.patch
+++ b/harden_proftpd.service.patch
@@ -1,6 +1,8 @@ ---- proftpd-1.3.8c/contrib/dist/rpm/proftpd.service.orig 2025-01-30 17:41:50.858331800 +0800 -+++ proftpd-1.3.8c/contrib/dist/rpm/proftpd.service 2025-01-30 17:42:09.454713200 +0800 -@@ -4,6 +4,18 @@ +Index: proftpd-1.3.9/contrib/dist/rpm/proftpd.service +=================================================================== +--- proftpd-1.3.9/contrib/dist/rpm/proftpd.service.orig ++++ proftpd-1.3.9/contrib/dist/rpm/proftpd.service +@@ -4,6 +4,18 @@ Wants=network-online.target After=network-online.target nss-lookup.target local-fs.target remote-fs.target [Service] @@ -16,6 +18,7 @@ +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions - Type = simple + Type = forking Environment = PROFTPD_OPTIONS= EnvironmentFile = -/etc/sysconfig/proftpd + diff --git a/huawei-proftpd-service-add-restart.patch b/huawei-proftpd-service-add-restart.patch index 7ce062cd0cc48c31884896c2d17e31172b674641..c2b2519f9597b250f8a944feb131084ac5088a65 100644 --- a/huawei-proftpd-service-add-restart.patch +++ b/huawei-proftpd-service-add-restart.patch @@ -8,11 +8,11 @@ Subject: [PATCH] huawei-proftpd-service-add-restart 1 file changed, 1 insertion(+) diff --git a/contrib/dist/rpm/proftpd.service b/contrib/dist/rpm/proftpd.service -index 6c81db3..14ae9e5 100644 +index 44c2943..5a101d5 100644 --- a/contrib/dist/rpm/proftpd.service +++ b/contrib/dist/rpm/proftpd.service @@ -11,6 +11,7 @@ ExecStartPre = /usr/sbin/proftpd --configtest - ExecStart = /usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS + ExecStart = /usr/sbin/proftpd $PROFTPD_OPTIONS ExecReload = /bin/kill -HUP $MAINPID PIDFile = /run/proftpd/proftpd.pid +Restart=on-failure @@ -20,5 +20,5 @@ index 6c81db3..14ae9e5 100644 [Install] WantedBy = multi-user.target -- -2.33.0 +2.51.0 diff --git a/mod_proxy-certificate.patch b/mod_proxy-certificate.patch new file mode 100644 index 0000000000000000000000000000000000000000..714ab3613f66fd5dda458977338a39966195be71 --- /dev/null +++ b/mod_proxy-certificate.patch 
@@ -0,0 +1,11 @@ +--- contrib/mod_proxy/lib/proxy/tls.c ++++ contrib/mod_proxy/lib/proxy/tls.c +@@ -4532,7 +4532,7 @@ + ca_file = c->argv[0]; + + } else { +- ca_file = PR_CONFIG_DIR "/cacerts.pem"; ++ ca_file = PR_CONFIG_DIR "/pki/tls/cert.pem"; + if (!file_exists2(p, ca_file)) { + pr_trace_msg(trace_channel, 9, + "warning: no default ProxyTLSCACertificateFile found at '%s'", ca_file); diff --git a/modules.conf b/modules.conf index 3e343ae9cc518577faf065cec3df768b27c4ae25..524604ffe211f36a3bc6c0c35f96ced57ff2d760 100644 --- a/modules.conf +++ b/modules.conf @@ -82,11 +82,6 @@ LoadModule mod_ctrls_admin.c # (http://www.proftpd.org/docs/modules/mod_facl.html) # LoadModule mod_facl.c # -# Support for using the GeoIP library to look up geographical information on -# the connecting client and using that to set access controls for the server -# (http://www.castaglia.org/proftpd/modules/mod_geoip.html) -# LoadModule mod_geoip.c -# # Allow for version-specific configuration sections of the proftpd config file, # useful for using the same proftpd config across multiple servers where # different proftpd versions may be in use @@ -135,11 +130,6 @@ LoadModule mod_ctrls_admin.c # LoadModule mod_tls_memcache.c # # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny -# files, for IP-based access control -# (http://www.proftpd.org/docs/contrib/mod_wrap.html) -# LoadModule mod_wrap.c -# -# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny # files, as well as SQL-based access rules, for IP-based access control # (http://www.proftpd.org/docs/contrib/mod_wrap2.html) # LoadModule mod_wrap2.c diff --git a/proftpd-1.3.6-no-mod-geoip.patch b/proftpd-1.3.6-no-mod-geoip.patch deleted file mode 100644 index 56e49cacb5dee7ab86be567bcf5971cbfe38a01c..0000000000000000000000000000000000000000 --- a/proftpd-1.3.6-no-mod-geoip.patch +++ /dev/null 
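Review bot: When the new default `PR_CONFIG_DIR "/pki/tls/cert.pem"` is absent, the only signal visible in this hunk is a `pr_trace_msg` at level 9, so a proxy left without any CA file for verifying backend certificates is easy to miss; consider reporting it at a level operators see by default. The spec in this change removes the bundled `cacerts.pem`, and the new `proxy` sub-package requires only the main package, so nothing guarantees the system bundle is installed; `Requires: ca-certificates` on that sub-package would close the gap, assuming that package provides this path on the target distribution. I would also add a comment above the changed line, `/* Distribution default: system trust store, not mod_proxy's bundled cacerts.pem */`. The enclosing function begins and ends outside the hunk, so how a missing file is handled afterwards cannot be seen here.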
@@ -1,14 +0,0 @@
---- modules.conf
-+++ modules.conf
-@@ -82,11 +82,6 @@ LoadModule mod_ctrls_admin.c
- # (http://www.proftpd.org/docs/modules/mod_facl.html)
- # LoadModule mod_facl.c
- #
--# Support for using the GeoIP library to look up geographical information on
--# the connecting client and using that to set access controls for the server
--# (http://www.castaglia.org/proftpd/modules/mod_geoip.html)
--# LoadModule mod_geoip.c
--#
- # Allow for version-specific configuration sections of the proftpd config file,
- # useful for using the same proftpd config across multiple servers where
- # different proftpd versions may be in use
diff --git a/proftpd-1.3.6-no-mod-wrap.patch b/proftpd-1.3.6-no-mod-wrap.patch
deleted file mode 100644
index 206d10215ea0797fbb56ac690756a995b33e6a96..0000000000000000000000000000000000000000
--- a/proftpd-1.3.6-no-mod-wrap.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- modules.conf
-+++ modules.conf
-@@ -135,11 +135,6 @@ LoadModule mod_ctrls_admin.c
- # LoadModule mod_tls_shmcache.c
- #
- # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
--# files, for IP-based access control
--# (http://www.proftpd.org/docs/contrib/mod_wrap.html)
--# LoadModule mod_wrap.c
--#
--# Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
- # files, as well as SQL-based access rules, for IP-based access control
- # (http://www.proftpd.org/docs/contrib/mod_wrap2.html)
- # LoadModule mod_wrap2.c
diff --git a/proftpd-1.3.7rc3-logging-not-systemd.patch b/proftpd-1.3.7rc3-logging-not-systemd.patch
deleted file mode 100644
index c7bd00bcd0278beb23bf511a00f8e38ef88e6624..0000000000000000000000000000000000000000
--- a/proftpd-1.3.7rc3-logging-not-systemd.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- proftpd.conf
-+++ proftpd.conf
-@@ -114,9 +114,6 @@ UseSendfile off
- LogFormat default "%h %l %u %t \"%r\" %s %b"
- LogFormat auth "%v [%P] %h %t \"%r\" %s"
-
--# Don't log hostname or timestamps because systemd will do that for us
--LogOptions -Timestamp -Hostname +RoleBasedProcessLabels
--
- # Enable basic controls via ftpdctl
- # (http://www.proftpd.org/docs/modules/mod_ctrls.html)
- ControlsEngine on
diff --git a/proftpd-1.3.8-add-optnone-in-ctrls.c.patch b/proftpd-1.3.8-add-optnone-in-ctrls.c.patch
deleted file mode 100644
index 75380ca6e8551d51bcad1212ea7d70c4452e9145..0000000000000000000000000000000000000000
--- a/proftpd-1.3.8-add-optnone-in-ctrls.c.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 01460bb723d5bcd87f55ccfec9035ef8c32d4bce Mon Sep 17 00:00:00 2001
-From: yuncang123 <1050706328@qq.com>
-Date: Fri, 25 Oct 2024 16:22:07 +0800
-Subject: [PATCH] pt
-
----
- src/ctrls.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/ctrls.c b/src/ctrls.c
-index 5af5eb4..7fe8dee 100644
---- a/src/ctrls.c
-+++ b/src/ctrls.c
-@@ -539,7 +539,7 @@ int pr_ctrls_parse_msg(pool *msg_pool, char *msg, unsigned int *msgargc,
- return 0;
- }
-
--int pr_ctrls_recv_request(pr_ctrls_cl_t *cl) {
-+int __attribute__((optnone)) pr_ctrls_recv_request(pr_ctrls_cl_t *cl) {
- pr_ctrls_t *ctrl = NULL, *next_ctrl = NULL;
- char reqaction[128] = {'\0'}, *reqarg = NULL;
- size_t reqargsz = 0;
---
-2.43.0
-
diff --git a/proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch b/proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch
index 5620f80e5f4fdc17794caa4edc8935b69c7de175..2f7ed39adc2cadb5df0d394c859ab6d55a7b8730 100644
--- a/proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch
+++ b/proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch
@@ -5,101 +5,83 @@ Subject: [PATCH] proftpd-1.3.8-fix-environment-sensitive-tests-failure --- tests/api/netacl.c | 8 ++++++++ - tests/api/netaddr.c | 6 ++++++ - 2 files changed, 14 insertions(+) + tests/api/netaddr.c | 4 ++++ + 2 files changed, 12 insertions(+) diff --git a/tests/api/netacl.c b/tests/api/netacl.c -index e4b0431..b91ecdb 100644 +index b8bc224..07d3506 100644 --- a/tests/api/netacl.c 
+++ b/tests/api/netacl.c -@@ -775,8 +775,10 @@ START_TEST (netacl_match_test) { +@@ -773,8 +773,10 @@ START_TEST (netacl_match_test) { + res = pr_netacl_match(acl, addr); - if (getenv("CI") == NULL && - getenv("TRAVIS") == NULL) { -+ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { + if (getenv("CI") == NULL) { ++ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { ck_assert_msg(res == 1, "Failed to positively match ACL to addr: %s", strerror(errno)); -+ } ++ } } - if (!have_localdomain) { -@@ -793,8 +795,10 @@ START_TEST (netacl_match_test) { + if (have_localdomain == TRUE) { +@@ -790,8 +792,10 @@ START_TEST (netacl_match_test) { + res = pr_netacl_match(acl, addr); - if (getenv("CI") == NULL && - getenv("TRAVIS") == NULL) { -+ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { + if (getenv("CI") == NULL) { ++ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { ck_assert_msg(res == -1, "Failed to negatively match ACL to addr: %s", strerror(errno)); -+ } ++ } } acl_str = "!www.google.com"; -@@ -820,8 +824,10 @@ START_TEST (netacl_match_test) { +@@ -816,8 +820,10 @@ START_TEST (netacl_match_test) { + res = pr_netacl_match(acl, addr); - if (getenv("CI") == NULL && - getenv("TRAVIS") == NULL) { -+ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { + if (getenv("CI") == NULL) { ++ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { ck_assert_msg(res == 1, "Failed to positively match ACL to addr: %s", strerror(errno)); -+ } ++ } } - if (!have_localdomain) { -@@ -838,8 +844,10 @@ START_TEST (netacl_match_test) { + if (have_localdomain == TRUE) { +@@ -833,8 +839,10 @@ START_TEST (netacl_match_test) { + res = 
pr_netacl_match(acl, addr); - if (getenv("CI") == NULL && - getenv("TRAVIS") == NULL) { -+ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { + if (getenv("CI") == NULL) { ++ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { ck_assert_msg(res == -1, "Failed to negatively match ACL to addr: %s", strerror(errno)); -+ } ++ } } acl_str = "!www.g*g.com"; diff --git a/tests/api/netaddr.c b/tests/api/netaddr.c -index e79b06c..b7dbeaf 100644 +index a7c44cd..5ac9fe0 100644 --- a/tests/api/netaddr.c 
+++ b/tests/api/netaddr.c -@@ -424,8 +424,10 @@ START_TEST (netaddr_fnmatch_test) { +@@ -424,7 +424,9 @@ START_TEST (netaddr_fnmatch_test) { res = pr_netaddr_fnmatch(addr, "LOCAL*", flags); - if (getenv("CI") == NULL && - getenv("TRAVIS") == NULL) { -+ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { + if (getenv("CI") == NULL) { /* This test is sensitive the environment. */ ++ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { ck_assert_msg(res == TRUE, "Expected TRUE, got %d", res); + } } flags = PR_NETADDR_MATCH_IP; -@@ -887,10 +889,12 @@ START_TEST (netaddr_get_dnsstr_test) { +@@ -886,9 +888,11 @@ START_TEST (netaddr_get_dnsstr_test) { */ - if (getenv("CI") == NULL && - getenv("TRAVIS") == NULL) { -+ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { + if (getenv("CI") == NULL) { /* This test is sensitive the environment. */ ++ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { ck_assert_msg(strcmp(res, "localhost") == 0 || strcmp(res, "localhost.localdomain") == 0, "Expected '%s', got '%s'", "localhost or localhost.localdomain", res); -+ } - } - } - END_TEST -@@ -1011,6 +1015,7 @@ START_TEST (netaddr_get_dnsstr_ipv6_test) { - */ - if (getenv("CI") == NULL && - getenv("TRAVIS") == NULL) { -+ if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) { - ck_assert_msg(strcmp(res, "localhost") == 0 || - strcmp(res, "localhost.localdomain") == 0 || - strcmp(res, "localhost6") == 0 || -@@ -1019,6 +1024,7 @@ START_TEST (netaddr_get_dnsstr_ipv6_test) { - strcmp(res, "ip6-loopback") == 0 || - strcmp(res, ip) == 0, - "Expected '%s', got '%s'", "localhost, localhost.localdomain et al", res); -+ } ++ } } } END_TEST -- -2.39.1 +2.51.0 
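Review bot: `strcmp(getenv("HOSTNAME"), "localhost")` passes a null pointer to `strcmp` whenever HOSTNAME is not exported into the test process, which is not guaranteed (shells commonly set it without exporting it), so these guarded tests in netacl.c and netaddr.c can crash instead of being skipped. Read the variable once and check it first: `const char *hn = getenv("HOSTNAME");` followed by `if (hn != NULL && (strcmp(hn, "localhost") == 0 || strcmp(hn, "localhost.localdomain") == 0)) {`. The same expression is repeated in every guarded assertion of this patch, so the fix applies to each occurrence; a small static helper would remove the duplication. The guard also silently skips the ACL and address-matching assertions on any host with a different name, which is worth stating in a comment next to the condition.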
diff --git a/proftpd-1.3.8c.tar.gz b/proftpd-1.3.9.tar.gz
similarity index 32%
rename from proftpd-1.3.8c.tar.gz
rename to proftpd-1.3.9.tar.gz
index 368879fa70cf3c3b3fa8e178a9ef863417702125..41b711fcfb9d577f62f5618038fb56c3f3a71979 100644
--- a/proftpd-1.3.8c.tar.gz
+++ b/proftpd-1.3.9.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:2a48f2ca338456e750d2373bf671025ed799e04e0baa16c7bb8dbfd67d8734d2
-size 19751847
+oid sha256:4a5f13b666226813b4da0ade34535d325e204ab16cf8008c7353b1b5a972f74b
+size 19837398
diff --git a/proftpd.conf-no-memcached.patch b/proftpd.conf-no-memcached.patch
deleted file mode 100644
index 947c0d155b725527888e66efca0756e25dedf14e..0000000000000000000000000000000000000000
--- a/proftpd.conf-no-memcached.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- modules.conf
-+++ modules.conf
-@@ -130,10 +130,6 @@
- # (contrib/mod_tls_shmcache.html)
- # LoadModule mod_tls_shmcache.c
- #
--# Provide a memcached-based implementation of an external SSL session cache
--# (contrib/mod_tls_memcache.html)
--# LoadModule mod_tls_memcache.c
--#
- # Use the /etc/hosts.allow and /etc/hosts.deny files, or other allow/deny
- # files, for IP-based access control
- # (http://www.proftpd.org/docs/contrib/mod_wrap.html)
diff --git a/proftpd.rpmlintrc b/proftpd.rpmlintrc
index 336bc451bb2b9a82d9dc6c346775c2db1eb25547..f1378b141bc600647df87358df1eb637ce229c16 100644
--- a/proftpd.rpmlintrc
+++ b/proftpd.rpmlintrc
@@ -1,22 +1,11 @@ -from Config import * - -# Technical terms spelled correctly -addFilter("spelling-error %description -l en_US customizable -> ") -addFilter("spelling-error %description -l en_US passwd -> ") -addFilter("spelling-error %description -l en_US systemd -> ") -addFilter("spelling-error %description -l en_US virtualhost -> ") -addFilter("spelling-error %description -l en_US xinetd -> ") - # Proftpd allows specification of ciphers; mod_tls.conf specifies system default +# Similarly with mod_proxy addFilter("crypto-policy-non-compliance-openssl /usr/sbin/proftpd SSL_CTX_set_cipher_list") +addFilter("crypto-policy-non-compliance-openssl /usr/libexec/proftpd/mod_proxy.so SSL_CTX_set_cipher_list") # All FTP daemons provide this addFilter("unversioned-explicit-provides ftpserver") -# This is the correct place for tmpfiles snippets -addFilter("hardcoded-library-path in %{_prefix}/lib/tmpfiles.d") -addFilter("only-non-binary-in-usr-lib") - # These modes are intentional addFilter("non-readable /etc/proftpd.conf 640") addFilter("non-readable /etc/proftpd/anonftp.conf 640") 
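Review bot: The added filter for `/usr/libexec/proftpd/mod_proxy.so SSL_CTX_set_cipher_list` is justified only by `# Similarly with mod_proxy`, but unlike mod_tls, for which the package ships `mod_tls.conf`, no mod_proxy configuration appears anywhere in this change, so it is not evident that its outbound TLS follows the system crypto policy by default. Either ship or document a configuration that selects the system default for mod_proxy, or make the comment state what actually holds, for example `# mod_proxy lets the admin choose ciphers too; the package ships no default configuration for it`. Suppressing the lint without that leaves the next maintainer with a claim they cannot check from the package contents.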
@@ -27,29 +16,34 @@ addFilter("non-readable /etc/proftpd/modules.conf 640") addFilter("non-standard-dir-perm /var/ftp/uploads 331") addFilter("non-standard-dir-perm /var/log/proftpd 750") -# /var/run/proftpd maintained by tmpfiles snippet too -# Owning the directories in the package allows the daemon to run immediately after install, with no reboot -addFilter("dir-or-file-in-var-run /var/run/proftpd") -addFilter("non-ghost-in-run /run/proftpd") - # File should exist but have no default content addFilter("zero-length /etc/ftpusers") # Same manpage as proftpd addFilter("no-manual-page-for-binary in.proftpd") -# This is normal for libtool projects -addFilter("hidden-file-or-dir /usr/src/debug/proftpd-.*/\.libs") - # Upstream does not provide documentation for devel tools/API yet addFilter("no-documentation") addFilter("no-manual-page-for-binary prxs") -# https://github.com/proftpd/proftpd/pull/493 -# https://github.com/proftpd/proftpd/commit/75ed08ffe309b75b78dfcdeb4164d88ced4b0888 -# These should be fixed in 1.3.7 -addFilter("incorrect-fsf-address /usr/src/debug/proftpd-.*/modules/mod_geoip.c") -addFilter("incorrect-fsf-address /usr/include/proftpd/ident.h") -addFilter("incorrect-fsf-address /usr/include/proftpd/utf8.h") -addFilter("incorrect-fsf-address /usr/include/proftpd/lastlog.h") +# This is documentation as far as the packaging is concerned +addFilter("potential-bashisms /usr/share/doc/proftpd/sample-configurations/PFTEST.install") + +# Package uses alternative approach of owning the tmpfile +addFilter("post-without-tmpfile-creation /usr/lib/tmpfiles.d/proftpd.conf") + +# Not that huge really +addFilter("package-with-huge-docs ") + +# Most ftp daemons are packaged to use /var/ftp +addFilter("non-standard-dir-in-var ftp") + +# /var/log is owned by filesystem, no need to own it ourselves +addFilter("logrotate-log-dir-not-packaged /var/log") + +# Technical terms +addFilter("spelling-error \('(passwd|proxying|systemd)',") + +# Should be OK because it honors 
SOURCE_DATE_EPOCH +addFilter("file-contains-date-and-time /usr/include/proftpd/buildstamp.h") diff --git a/proftpd.spec b/proftpd.spec index d64ebb9f62ad6ffd9164150833856e1bdd2471cd..3ed67dc412d3c7a9a9cb7f17ff32c85fc5d27033 100644 --- a/proftpd.spec +++ b/proftpd.spec @@ -1,11 +1,4 @@ -# With systemd, the runtime directory is /run on tmpfs rather than /var/run on persistent storage -%global use_systemd 1 %global rundir /run -%global rundir_tmpfs 1 - -%global systemd_units systemd - -%global preset_support 1 %global mysql_lib mariadb %global mysql_devel_pkg mariadb-connector-c-devel @@ -17,15 +10,16 @@ %undefine _strict_symbol_defs_build %global mod_vroot_version 0.9.12 +%global mod_proxy_version 0.9.5 Name: proftpd -Version: 1.3.8c -Release: 2 +Version: 1.3.9 +Release: 1 Summary: Flexible, stable and highly-configurable FTP server License: GPL-2.0-or-later URL: http://www.proftpd.org/ -Source0: https://github.com/proftpd/proftpd/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source0: https://github.com/proftpd/proftpd/archive/v%{version}/%{name}-%{version}.tar.gz Source1: proftpd.conf Source2: modules.conf Source3: mod_tls.conf 
@@ -35,18 +29,14 @@ Source6: anonftp.conf Source8: proftpd-welcome.msg Source9: proftpd.sysconfig Source10: http://github.com/Castaglia/proftpd-mod_vroot/archive/v%{mod_vroot_version}.tar.gz +Source11: http://github.com/Castaglia/proftpd-mod_proxy/archive/v%{mod_proxy_version}.tar.gz Patch1: proftpd-1.3.8-shellbang.patch -Patch2: proftpd.conf-no-memcached.patch +Patch2: mod_proxy-certificate.patch Patch3: proftpd-1.3.4rc1-mod_vroot-test.patch -Patch4: proftpd-1.3.6-no-mod-wrap.patch -Patch5: proftpd-1.3.6-no-mod-geoip.patch -Patch6: proftpd-1.3.7rc3-logging-not-systemd.patch -Patch7: proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch -Patch8: huawei-proftpd-service-add-restart.patch -Patch9: harden_proftpd.service.patch -Patch10: proftpd-1.3.8-add-optnone-in-ctrls.c.patch -Patch11: CVE-2024-57392.patch +Patch4: proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch +Patch5: huawei-proftpd-service-add-restart.patch +Patch6: harden_proftpd.service.patch BuildRequires: coreutils BuildRequires: gcc @@ -59,7 +49,6 @@ BuildRequires: ncurses-devel BuildRequires: openldap-devel BuildRequires: openssl-devel BuildRequires: pam-devel -BuildRequires: pcre-devel >= 7.0 BuildRequires: perl-generators BuildRequires: perl-interpreter BuildRequires: pkgconfig @@ -67,14 +56,14 @@ BuildRequires: pkgconfig BuildRequires: postgresql-devel %endif BuildRequires: sed -BuildRequires: sqlite-devel +BuildRequires: sqlite-devel >= 3.8.5 BuildRequires: tar BuildRequires: zlib-devel BuildRequires: chrpath BuildRequires: libidn2-devel BuildRequires: libmemcached-devel >= 0.41 +BuildRequires: libsodium-devel >= 1.0 BuildRequires: pcre2-devel >= 10.30 -BuildRequires: tcp_wrappers-devel # Test suite requirements BuildRequires: check-devel 
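Review bot: The new `Source11` line fetches the mod_proxy tarball over plain `http://github.com/...`; it should read `Source11: https://github.com/Castaglia/proftpd-mod_proxy/archive/v%{mod_proxy_version}.tar.gz` so the documented download location is not open to tampering in transit (the existing `Source10` has the same issue). This hunk also drops `Patch11: CVE-2024-57392.patch` while the changelog entry says only "Update to 1.3.9"; I could not confirm from the diff that upstream commit 981a37916fdb7b73435c6d5cdb01428b2269427d is contained in 1.3.9, so the changelog should state that the CVE fix is now carried by the upstream release. The same applies, with lower stakes, to the removed `proftpd-1.3.8-add-optnone-in-ctrls.c.patch`, whose original reason is not recorded anywhere in this change.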
@@ -93,24 +82,16 @@ BuildRequires: perl(Test::Unit) >= 0.25 BuildRequires: perl(Time::HiRes) %endif -# Need %%{systemd_units} for ownership of /usr/lib/tmpfiles.d directory -%if %{rundir_tmpfs} -Requires: %{systemd_units} -%endif +# Need systemd for ownership of /usr/lib/tmpfiles.d directory +Requires: systemd # Logs should be rotated periodically Requires: logrotate # Scriptlet dependencies Requires(preun): coreutils, findutils -%if %{use_systemd} -BuildRequires: %{systemd_units} +BuildRequires: systemd %{?systemd_requires} -%else -Requires(post): chkconfig -Requires(preun): chkconfig, initscripts -Requires(postun): initscripts -%endif Provides: ftpserver @@ -120,13 +101,8 @@ and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. -%if %{use_systemd} This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. -%else -This package defaults to the standalone behavior of ProFTPD, but all the -needed scripts to have it run by xinetd instead are included. -%endif %package devel Summary: ProFTPD - Tools and header files for developers @@ -141,7 +117,6 @@ Requires: ncurses-devel Requires: openldap-devel Requires: openssl-devel Requires: pam-devel -Requires: pcre-devel Requires: pkgconfig %if %{?openEuler:1}0 Requires: postgresql-devel @@ -149,8 +124,8 @@ Requires: postgresql-devel Requires: sqlite-devel Requires: zlib-devel Requires: libmemcached-devel >= 0.41 +Requires: libsodium-devel >= 1.0 Requires: pcre2-devel >= 10.30 -Requires: tcp_wrappers-devel %description devel 
@@ -179,6 +154,13 @@ Requires: %{name} = %{version}-%{release} Module to add PostgreSQL support to the ProFTPD FTP server. %endif +%package proxy +Summary: Module to add proxying support to the ProFTPD FTP server +Requires: %{name} = %{version}-%{release} + +%description proxy +Module to add proxying support to the ProFTPD FTP server. + %package sqlite Summary: Module to add SQLite support to the ProFTPD FTP server Requires: %{name} = %{version}-%{release} @@ -190,7 +172,7 @@ Module to add SQLite support to the ProFTPD FTP server. Summary: ProFTPD - Additional utilities Requires: %{name} = %{version}-%{release} Requires: perl-interpreter - +# ftpasswd --use-cracklib requires Crypt::Cracklib BuildRequires: perl(Crypt::Cracklib) Requires: perl(Crypt::Cracklib) @@ -208,11 +190,13 @@ ProFTPD server: %prep %setup -q -n %{name}-%{version}%{?prever} -# Extract mod_vroot source into contrib/ -# Directory must be named mod_vroot for configure script to find it +# Extract mod_proxy and mod_vroot source into contrib/ +# Directories must be named mod_{proxy,vroot} for configure script to find them cd contrib tar xfz %{SOURCE10} +tar xfz %{SOURCE11} mv proftpd-mod_vroot-%{mod_vroot_version} mod_vroot +mv proftpd-mod_proxy-%{mod_proxy_version} mod_proxy cd - # Default config files 
@@ -229,33 +213,19 @@ mv contrib/README contrib/README.contrib # Change shellbangs /usr/bin/env perl ⇒ /usr/bin/perl %patch 1 -# If we don't have libmemcached support, remove the mod_tls_memcache -# snippet from the config file -%patch 2 +# Use the system-wide CA certificate file rather than the one bundled with mod_proxy +%patch -P 2 -b .proxy-ca-cert # If we're running the full test suite, include the mod_vroot test %patch 3 -p1 -b .test_vroot -# Remove references to mod_wrap from the configuration file if necessary -%patch 4 -b .nowrappers - -# Remove references to mod_geoip from the configuration file if necessary -%patch 5 -b .nogeoip - -%if %{use_systemd} # Tweak logrotate script for systemd compatibility (#802178) -sed -i -e '/killall/s/test.*/systemctl reload proftpd.service/' \ +sed -i -e '/killall/s/test.*/systemctl try-reload-or-restart proftpd.service/' \ contrib/dist/rpm/proftpd.logrotate -%else -# Not using systemd, so we want hostname and timestamp in log messages -%patch 6 -%endif -%patch 7 -p1 -%patch 8 -p1 -%patch 9 -p1 -%patch 10 -p1 -%patch 11 -p1 +%patch 4 -p1 +%patch 5 -p1 +%patch 6 -p1 # Avoid docfile dependencies chmod -c -x contrib/xferstats.holger-preiss @@ -277,8 +247,8 @@ SMOD2=mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_radius:mod_q SMOD3=mod_ldap:mod_ban:mod_ctrls_admin:mod_facl:mod_load:mod_vroot SMOD4=mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec:mod_shaper SMOD5=mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_copy:mod_deflate:mod_ifversion:mod_qos -SMOD6=mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache -SMOD7=mod_unique_id +SMOD6=mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache:mod_tls_memcache +SMOD7=mod_proxy:mod_unique_id %configure \ --libexecdir="%{_libexecdir}/proftpd" \ @@ -286,6 +256,7 @@ SMOD7=mod_unique_id --disable-static \ --disable-strip \ --enable-memcache \ + --enable-sodium \ --enable-pcre2 \ --enable-ctrls \ --enable-dso \ 
@@ -315,19 +286,12 @@ install -D -p -m 640 mod_qos.conf %{buildroot}%{_sysconfdir}/proftpd/mod_qos.con install -D -p -m 640 mod_tls.conf %{buildroot}%{_sysconfdir}/proftpd/mod_tls.conf install -D -p -m 644 contrib/dist/rpm/proftpd.pam \ %{buildroot}%{_sysconfdir}/pam.d/proftpd -%if %{use_systemd} install -D -p -m 644 contrib/dist/rpm/proftpd.service \ %{buildroot}%{_unitdir}/proftpd.service install -D -p -m 644 contrib/dist/systemd/proftpd.socket \ %{buildroot}%{_unitdir}/proftpd.socket install -D -p -m 644 contrib/dist/systemd/proftpd@.service \ %{buildroot}%{_unitdir}/proftpd@.service -%else -install -D -p -m 755 contrib/dist/rpm/proftpd.init.d \ - %{buildroot}%{_sysconfdir}/rc.d/init.d/proftpd -install -D -p -m 644 contrib/dist/rpm/xinetd \ - %{buildroot}%{_sysconfdir}/xinetd.d/xproftpd -%endif install -D -p -m 644 contrib/dist/rpm/proftpd.logrotate \ %{buildroot}%{_sysconfdir}/logrotate.d/proftpd install -D -p -m 644 %{SOURCE8} %{buildroot}%{_localstatedir}/ftp/welcome.msg @@ -335,12 +299,13 @@ install -D -p -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/sysconfig/proftpd mkdir -p %{buildroot}%{_localstatedir}/{ftp/{pub,uploads},log/proftpd} touch %{buildroot}%{_sysconfdir}/ftpusers +# We'll be using the system certificate database, not the one provided by mod_proxy +rm %{buildroot}%{_sysconfdir}/cacerts.pem + # Make sure %%{rundir}/proftpd exists at boot time for systems where it's on tmpfs (#656675) -%if %{rundir_tmpfs} install -d -m 755 %{buildroot}%{_prefix}/lib/tmpfiles.d install -p -m 644 contrib/dist/rpm/proftpd-tmpfs.conf \ %{buildroot}%{_prefix}/lib/tmpfiles.d/proftpd.conf -%endif chrpath -d %{buildroot}%{_sbindir}/proftpd 
@@ -365,17 +330,10 @@ fi %endif %post -%if %{use_systemd} systemctl daemon-reload &>/dev/null || : -%endif if [ $1 -eq 1 ]; then # Initial installation -%if ! %{use_systemd} - chkconfig --add proftpd || : -%endif -%if %{preset_support} systemctl preset proftpd.service &>/dev/null || : -%endif IFS=":"; cat /etc/passwd | \ while { read username nu nu gid nu nu nu nu; }; do \ if [ $gid -lt 100 -a "$username" != "ftp" ]; then @@ -387,37 +345,23 @@ fi %preun if [ $1 -eq 0 ]; then # Package removal, not upgrade -%if %{use_systemd} systemctl --no-reload disable proftpd.service &>/dev/null || : systemctl stop proftpd.service &>/dev/null || : -%else - service proftpd stop &>/dev/null || : - chkconfig --del proftpd || : -%endif find %{rundir}/proftpd -depth -mindepth 1 | xargs rm -rf &>/dev/null || : fi %postun -%if %{use_systemd} systemctl daemon-reload &>/dev/null || : -%endif if [ $1 -ge 1 ]; then # Package upgrade, not uninstall -%if %{use_systemd} systemctl try-restart proftpd.service &>/dev/null || : -%else - service proftpd condrestart &>/dev/null || : -else - # Package removal, not upgrade - service xinetd reload &>/dev/null || : -%endif fi %files -f proftpd.lang %license COPYING %doc CREDITS ChangeLog NEWS README.md -%doc README.modules contrib/README.contrib contrib/README.ratio +%doc contrib/README.contrib contrib/README.ratio %doc doc/* sample-configurations/ %dir %{_localstatedir}/ftp/ %dir %{_localstatedir}/ftp/pub/ @@ -438,17 +382,10 @@ fi %config(noreplace) %{_sysconfdir}/proftpd/mod_qos.conf %config(noreplace) %{_sysconfdir}/proftpd/mod_tls.conf %config(noreplace) %{_sysconfdir}/sysconfig/proftpd -%if %{use_systemd} %{_unitdir}/proftpd.service %{_unitdir}/proftpd.socket %{_unitdir}/proftpd@.service -%else -%config(noreplace) %{_sysconfdir}/xinetd.d/xproftpd -%{_sysconfdir}/rc.d/init.d/proftpd -%endif -%if %{rundir_tmpfs} %{_prefix}/lib/tmpfiles.d/proftpd.conf -%endif %{_bindir}/ftpdctl %{_sbindir}/ftpscrub %{_sbindir}/ftpshut 
@@ -486,6 +423,7 @@ fi %{_libexecdir}/proftpd/mod_site_misc.so %{_libexecdir}/proftpd/mod_sql.so %{_libexecdir}/proftpd/mod_sql_passwd.so +%{_libexecdir}/proftpd/mod_tls_memcache.so %{_libexecdir}/proftpd/mod_tls_shmcache.so %{_libexecdir}/proftpd/mod_vroot.so %{_libexecdir}/proftpd/mod_wrap2.so @@ -500,7 +438,7 @@ fi %{_libdir}/pkgconfig/proftpd.pc %files ldap -%doc README.LDAP contrib/mod_quotatab_ldap.ldif contrib/mod_quotatab_ldap.schema +%doc contrib/mod_quotatab_ldap.ldif contrib/mod_quotatab_ldap.schema %{_libexecdir}/proftpd/mod_ldap.so %{_libexecdir}/proftpd/mod_quotatab_ldap.so @@ -512,6 +450,10 @@ fi %{_libexecdir}/proftpd/mod_sql_postgres.so %endif +%files proxy +%doc contrib/mod_proxy/README.md +%{_libexecdir}/proftpd/mod_proxy.so + %files sqlite %{_libexecdir}/proftpd/mod_sql_sqlite.so @@ -531,6 +473,13 @@ fi %{_mandir}/man1/ftpwho.1* %changelog +* Thu Sep 18 2025 wangkai <13474090681@163.com> - 1.3.9-1 +- Update to 1.3.9 +- Add 'proxy' sub-package with unbundled mod_proxy +- Use libsodium to provide ed25519 key support for mod_sftp +- Update logrotate snippet to use try-reload-or-restart rather than reload + for distributions with systemd 229 or later + * Tue Jul 29 2025 yaoxin <1024769339@qq.com> - 1.3.8c-2 - Fix CVE-2024-57392 diff --git a/v0.9.5.tar.gz b/v0.9.5.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..73281016da85d495db354d9cea5acec8411143b0 --- /dev/null +++ b/v0.9.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:85f1aeae37ab76b35972d3ddd64c4338cf36cca0b5ba3b93e39335259796cd86 +size 651129