<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-networking/recipes-daemons/proftpd, branch master-next</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=master-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=master-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2026-06-09T14:26:35+00:00</updated>
<entry>
<title>proftpd: upgrade 1.3.9a -&gt; 1.3.9b</title>
<updated>2026-06-09T14:26:35+00:00</updated>
<author>
<name>Wang Mingyu</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2026-06-09T10:28:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=88de7c14688c72ab90e300b2aafabd4293eb01c2'/>
<id>urn:sha1:88de7c14688c72ab90e300b2aafabd4293eb01c2</id>
<content type='text'>
Changelog:
==========
- Issue 2057 - SQL Injection in mod_wrap2_sql via reverse DNS
  hostname (CVE-2026-44331).
- Issue 2056 - Incomplete fix for session management with OpenSSL 3.2.x or
  later, when using TLSv1.2 or earlier.  This complements the fix for
  Issue #1963.
- Issue 2098 - Hard quota limits on uploads do not cause SFTP WRITE requests
  to fail as expected.
- Issue 2102 - SSH payload length underflow calculation for ETM/ChaChaPoly
  algorithms in mod_sftp.
- Issue 2104 - SSH packet with empty payload triggers null pointer dereference
  in mod_sftp.
- Issue 2106 - Bad DSA signatures can lead to out-of-bounds read of heap memory
  in mod_sftp.
- Issue 2108 - Mismatched RSA/DSA algorithm signatures can lead to null
  dereference in mod_sftp.
- Issue 2115 - SFTP request payload length underflow calculation in mod_sftp.
- Issue 2120 - Several modules fail to build using OpenSSL 4.0.

Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>proftpd: upgrade 1.3.9 -&gt; 1.3.9a</title>
<updated>2026-05-12T08:06:59+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2026-05-03T04:35:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=7381ae9d2409bbf7c358db4834741651fd1e740d'/>
<id>urn:sha1:7381ae9d2409bbf7c358db4834741651fd1e740d</id>
<content type='text'>
Security fix: CVE-2026-42167

ChangeLog:
https://github.com/proftpd/proftpd/blob/1.3.9/NEWS

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>proftpd: ignore CVE-2021-47865</title>
<updated>2026-02-05T04:53:29+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-02-02T16:37:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=2865b67e293ebfc706a5531ef79bfb9826d8cc6d'/>
<id>urn:sha1:2865b67e293ebfc706a5531ef79bfb9826d8cc6d</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865

This CVE was opened based on a 5 years old Github issue[1], and has been made
public recently. The CVE wasn't officially disputed (yet?), but based on
the description and the given PoC the application is working as expected.

The vulnerability description and the PoC basically configures proftpd to
accept maximum x connections, and then when the user tries to open x + 1
concurrent connections, it refuses new connections over the configured limit.

See also discussion in the Github issue.

It seems that it won't be fixed, because there is nothing to fix.

[1]: https://github.com/proftpd/proftpd/issues/1298

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-openembedded/all: adapt to UNPACKDIR changes</title>
<updated>2025-06-25T13:44:52+00:00</updated>
<author>
<name>Alexander Kanavin</name>
<email>alex@linutronix.de</email>
</author>
<published>2025-06-20T14:06:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=fc78d37ff0ce9e0d60455465851dbe4e86d7a8b3'/>
<id>urn:sha1:fc78d37ff0ce9e0d60455465851dbe4e86d7a8b3</id>
<content type='text'>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.

I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.

Signed-off-by: Alexander Kanavin &lt;alex@linutronix.de&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>proftpd: upgrade to 1.3.9 to fix build with gcc-15</title>
<updated>2025-04-26T17:31:26+00:00</updated>
<author>
<name>Martin Jansa</name>
<email>martin.jansa@gmail.com</email>
</author>
<published>2025-04-26T11:56:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=181fea00cb5ef91971a2796161ceb7c2c4d73c91'/>
<id>urn:sha1:181fea00cb5ef91971a2796161ceb7c2c4d73c91</id>
<content type='text'>
* fixed in:
  https://github.com/proftpd/proftpd/commit/61be7eb14f200b97804a3cfa85fed51661067c62

Signed-off-by: Martin Jansa &lt;martin.jansa@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>proftpd: define suffix for CVE version comparison</title>
<updated>2025-01-15T20:04:53+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-01-15T18:12:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=20e3583f5691e31401ba0ab8041f8b9925f6314c'/>
<id>urn:sha1:20e3583f5691e31401ba0ab8041f8b9925f6314c</id>
<content type='text'>
Similarly to old openssl versions, proftpd has patch releases with
characters instead of numbers.

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>proftpd: upgrade 1.3.8b -&gt; 1.3.8c</title>
<updated>2025-01-15T20:04:53+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-01-15T18:12:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=7fce6b033bac3d442a266463dc66b2320b068a26'/>
<id>urn:sha1:7fce6b033bac3d442a266463dc66b2320b068a26</id>
<content type='text'>
See https://github.com/proftpd/proftpd/blob/1.3.8/RELEASE_NOTES

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>proftpd: define UPSTREAM_CHECK_GITTAGREGEX</title>
<updated>2025-01-15T20:04:53+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-01-15T18:11:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=92fe348b769bd038d3577f13bad78278891162c6'/>
<id>urn:sha1:92fe348b769bd038d3577f13bad78278891162c6</id>
<content type='text'>
Patch releases have character after version
devtool upgrade would currently downgrade 1.3.8b -&gt; 1.3.8
This will make it upgrade 1.3.8b -&gt; 1.3.8c

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>proftpd: set status of CVE-2001-0027</title>
<updated>2024-12-10T21:43:54+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-12-10T18:52:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=03a1b56bc7ce88a3b0ad6790606b0498899cc1e3'/>
<id>urn:sha1:03a1b56bc7ce88a3b0ad6790606b0498899cc1e3</id>
<content type='text'>
This ancient CVE [1] is unversioned ("*") in NVD DB.
"mod_sqlpw module in ProFTPD does not reset a cached password..."

Looking at history and changelog, the module was removed [2] around
the time when this CVE was published, likely as reaction to this CVE.
"mod_sqlpw.c, mod_mysql.c and mod_pgsql.c have been REMOVED from the
distribution. They are currently unmaintained and have numerous bugs."

Note: It was later re-introduced as mod_sql when it got fixed under
new maintainer.

[1] https://nvd.nist.gov/vuln/detail/CVE-2001-0027
[2] https://github.com/proftpd/proftpd/blob/v1.3.8b/NEWS#L3362

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>proftpd: Upgrade to 1.3.8b</title>
<updated>2024-08-16T06:20:05+00:00</updated>
<author>
<name>Khem Raj</name>
<email>raj.khem@gmail.com</email>
</author>
<published>2024-08-15T06:38:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0d6f463f020b70f4ed32ac15528df6665f350aef'/>
<id>urn:sha1:0d6f463f020b70f4ed32ac15528df6665f350aef</id>
<content type='text'>
Fix buildpaths QA Errors while here

Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
</feed>
