Update proftpd to 1.3.7c
1.3.7c
+ Fix memory disclosure to RADIUS servers by mod_radius (Issue #1284).
+ PCRE expressions with capture groups were not being handled properly
(Issue #1300).
1.3.7b
+ Fixed occasional segfaults with FTPS data transfers using TLSv1.3, when
session tickets cannot be decrypted (Issue #1063).
+ Passive transfers fail unexpectedly due to use of SO_REUSEPORT socket
option (Issue #1171).
+ Implemented support for Redis 6.x AUTH semantics (Issue #1070).
+ Fixed memory use-after-free issue in mod_sftp which can cause unexpected
login/authentication issues.
+ Fixed SQL syntax regression for some generated SQL statements
(Issue #1149).
+ Fixed "Corrupted MAC on input" errors when SFTP uses the
umac-64@openssh.com digest (Issue #1111).
1.3.7a
+ Fix build-time regression when using the --localstatedir configure option.
1.3.7
+ Support the SOURCE_DATE_EPOCH environment variable, for reproducible
builds (Issue #1038).
1.3.7rc4
+ Implemented support for configuring certificate options for LDAP
connections using SSL/TLS.
+ Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).
+ Fixed handling of IPv6 addresses in From directives (Issue #682).
+ Added -b and -n command-line options to ftptop.
+ Ignore supplemental groups when run as non-root user (Issue #808).
+ Use re-entrant versions of time functions where available (Issue #983).
+ New Configuration Directives
BanOptions
The BanOptions directive is used to tune mod_ban behavior, such as
creating ban entries that match/apply to all <VirtualHost> sections.
See doc/contrib/mod_ban.html#BanOptions for more details.
LDAPUseSASL
The LDAPUseSASL directive configures a list of SASL authentication
mechanisms to use, when using the LDAPBindDN to bind to the LDAP
server. See doc/contrib/mod_ldap.html#LDAPUseSASL for details.
LogOptions
The LogOptions directive is used to modify the default logging format
for ProFTPD syslog, debug, and module logging. See
doc/modules/mod_log.html#LogOptions for more information.
SQLKeepAlive
The SQLKeepAlive directive configures a periodic "keepalive" query
for ensuring the connection between mod_sql and the backend database
server. See doc/contrib/mod_sql.html#SQLKeepAlive for more information.
+ Changed Configuration Directives
LDAPServer
The LDAPServer directive now supports configuring the trusted CA
file, client certificate and key files, SSL ciphers, and verification
policies for LDAP connections. See doc/contrib/mod_ldap.html#LDAPServer
for more details.
TraceOptions
The TraceOptions directive now supports a "Timestamp" option, for
disabling inclusion of timestamps in Trace logs.
+ Developer notes
When MaxLoginAttempts is reached, the POST_CMD_ERR/LOG_CMD_ERR command
handler phases will now run. This allows interested modules, such
as mod_exec and others, to react to these events (Issue #718).
1.3.7rc3
+ Fixed regression in directory listing latency (Issue #863).
+ Fixed use-after-free vulnerability during data transfers (Issue #903).
+ Addressed out-of-bounds read in mod_cap by removing bundled libcap, and
relying solely on the system-provided libcap (Issue #902). Note that
building ProFTPD from source will *not* automatically include the
mod_cap module, unless the libcap library is available.
+ mod_sftp now supports OpenSSH-specific private host keys (Issue #793).
Newer versions of OpenSSH ssh-keygen(1) automatically generate private
keys formatted with this OpenSSH-specific format.
+ mod_sftp now supports Ed25519 keys (Bug #4221).
+ mod_sftp now supports RSA SHA-2 publickey signatures, per RFC 8332
(Issue #907).
+ mod_tls now honors client-provided SNI as part of the TLS handshake,
for implementing name-based virtual hosts via TLS SNI.
+ Changed Configuration Directives
LogFormat %{transfer-port}
The LogFormat directive supports a %{transfer-port} variable for
logging the selected data transfer port.
SFTPOptions NoExtensionNegotiation
The mod_sftp module now supports SSH extension negotiations (RFC 8332).
If there are any issues with this support, it can be disabled using:
SFTPOptions NoExtensionNegotiation
SQLAuthTypes bcrypt
The mod_sql_passwd module now supports bcrypt-encrypted passwords.
This can be enabled using:
SQLAuthTypes bcrypt
in your mod_sql configuration. See doc/contrib/mod_sql_password.html
for more information.
TLSOption IgnoreSNI
The TLSOption directive now supports an "IgnoreSNI" setting, to
tell mod_tls to ignore/not use any SNI, provided by the client in the
TLS handshake, for determining any name-based virtual hosts. See
doc/contrib/mod_tls.html#TLSOption for more details.
+ Added API
FSIO pread(2), pwrite(2) (Issue#317)
1.3.7rc2
+ Fixed pre-authentication remote denial-of-service issue (Issue #846,
CVE-2019-18217).
1.3.7rc1
+ RootRevoke is now on by default, meaning that once authentication succeeds,
all root privileges are dropped by default, unless the UserOwner directive
(which requires root privileges) is used (Bug#4241).
+ The mod_ident module is no longer automatically built by default.
To include the mod_ident module in the build, it must be explicitly
requested via --enable-ident or --with-shared=mod_ident.
This means that configuration files using the IdentLookups directive
will now want to use an enclosing <IfModule> section, like so:
<IfModule mod_ident.c>
IdentLookups off
</IfModule>
+ The mod_tls module now performs basic sanity checks of configured TLS
files on startup (Issue#491).
+ The mod_deflate module now supports MODE Z data transfers when TLS
is used (Issue#505).
+ The mod_xfer module now supports the RANG FTP command; see
https://tools.ietf.org/html/draft-bryan-ftp-range-08 (Issue#351).
+ The ftpasswd script now supports a --change-home option, for changing
the home directory of a user in an AuthUserFile (Issue#566).
+ The ftpasswd script supports deleting a user from a group (Issue#620).
+ Refactored the LogFormat handling code so that it is no longer
duplicated by mod_log, mod_sql, etc. The new Jot API is the common API
to be used by modules for LogFormat variables and logging.
+ Generated new DH parameters for mod_sftp, mod_tls.
+ New Configuration Directives
AuthFileOptions
The mod_auth_file module supports a configuration directive for disabling
its requirement for secure permissions on configured
AuthUserFile/AuthGroupFile. See
doc/modules/mod_auth_file.html#AuthFileOptions for information.
RedisLogOnEvent
The mod_redis module can be configured to log JSON messages based on
specified events (Issue#392). See the
doc/modules/mod_redis.html#RedisLogOnEvent documentation for details.
RedisOptions
The mod_redis module now implements a RedisOptions directive, for tuning
some of the module behavior (Issue#477). The
doc/modules/mod_redis.html#RedisOptions documentation has more details.
RedisSentinel
The mod_redis module now supports use of Redis Sentinels (Issue#396);
see doc/modules/mod_redis.html#RedisSentinel.
+ Changed Configuration Directives
AllowForeignAddress class-name
The AllowForeignAddress directive supports a Class name, for finer-grained
control over which clients are allowed to use foreign/mismatching IP
addresses for transfers. See
doc/modules/mod_core.html#AllowForeignAddress for more information.
ExecEnviron %b
The ExecEnviron directive has been fixed to properly resolve the %b
LogFormat variable (Issue#515).
RedisServer db-index (Issue#550)
The mod_redis module can now be configured to select a database index
via the RedisServer directive (Issue#550). See the
doc/modules/mod_redis.html#RedisServer documentation for details.
RewriteMap idnatrans
The mod_rewrite module can now support rewriting `idn` to `idna`
formats (Issue#231). See the doc/modules/mod_rewrite#RewriteMap for
details on how to do so.
RootRevoke on
The RootRevoke directive is now enabled by default (Bug#4241). This
makes for more secure configurations/sessions out-of-the-box. See
doc/modules/mod_auth.html#RootRevoke for more information.
SFTPCiphers, SFTPDigests
Some weak algorithms are now disabled by default in mod_sftp (Bug#4279).
These algorithms, if need be, can be explicitly enabled by configuration;
they are just not enabled automatically. For a list of the algorithms
affected, see doc/contrib/mod_sftp.html#SFTPCiphers,
doc/contrib/mod_sftp.html#SFTPDigests.
SFTPOptions IncludeSFTPTimes
The SFTPOptions directive of mod_sftp now supports an option for explicitly
including the timestamps of files when SFTP protocol 4 and higher are
used, even if the SFTP client did not request these timestamps. This
works around a bug in the popular Rebex SFTP library; see
doc/contrib/mod_sftp.html#SFTPOptions for details.
TLSProtocol TLSv1.3
The mod_tls module, and its TLSProtocol directive, now support TLSv1.3
(Issue#536). See doc/contrib/mod_tls.html#TLSProtocol for more
information.
TLSServerCipherPreference
The TLSServerCipherPreference directive is now enabled by default.
See doc/contrib/mod_tls.html#TLSServerCipherPrefrence.
TLSStaplingOptions NoFakeTryLater
Some TLS clients have trouble with the "fake" OCSP response that mod_tls
might staple, when the client requested stapled OCSP responses and
mod_tls is unable to contact the OCSP responder. Use this option to
disable such fake responses (Issue#518):
TLSStaplingOptions NoFakeTryLater
See doc/contrib/mod_tls.html#TLSStaplingOptions for details.
+ Removed Configuration Directives
The following directives have been removed:
GroupPassword
LoginPasswordPrompt
TransferPriority
2021-10-16 21:46:41 +02:00
@comment $NetBSD: PLIST,v 1.29 2021/10/16 19:46:42 tm Exp $
2013-03-15 14:34:32 +01:00
bin/ftpasswd
2001-10-22 16:26:45 +02:00
bin/ftpcount
Update to version 1.2.10. From PR 27012 by pancake at phreaker dot net.
1.2.10 - Released 04-Sep-2004
--------------------------------
- Bug 2440 - Unable to use PAM authentication properly. Use a "*" after
the module name in an AuthOrder directive to indicate that an auth
module is authoritative.
- Bug 2441 - AIX5 portability bug with mod_auth_unix, mod_auth_file.
- Bug 2442 - Segfault in FreeBSD PAM library with long login names.
- Bug 2445 - AuthUserFile in <Global> context overrides <VirtualHost> setting.
- Bug 2444 - Use of sendfile() does not interoperate well with RFC2228
security mechanisms. Using sendfile(2) to send data bypasses the handling
of the data by RFC2228 security mechanisms (such as those provided by
mod_tls). So if security mechanisms are detected, do not use sendfile().
- Scrub the ScoreboardFile for stale sessions in inetd mode.
- Bug 2427 - proftpd gets a memory fault when run from ssh batch mode.
1.2.10rc3 - Released 13-Jul-2004
--------------------------------
- Fixed typo that prevented 1.2.10rc2 from compiling.
1.2.10rc2 - Released 13-Jul-2004
---------------------------------
- Bug 2396 - NLST command doesn't understand options. This was caused by
the solution for Bug 2322. However, it is not a popular solution, so
NLST will once again handle options, but only the relevant options.
- Bug 2034 - Add support for a "graceful shutdown" signal. See
contrib/mod_ctrls_admin.html#shutdown for details.
- Bug 2400 - <Class> search order is wrong. The documentation correctly
stated that <Class> sections are matched in order of definition, but the
code has the match order in the reverse order of definition.
- Bug 2401 - MaxClientsPerClass only checks first directive in config file.
- Bug 2399 - Rename start/stop control actions to up/down.
- Bug 2082 - Add mod_rewrite "replaceall" builtin function. See the
RewriteMap documentation for more details.
- Bug 2403 - Sending SIGHUP to proftpd stops it when using Classes. The fix
for Bug #2400 could result in an infinite loop during a SIGHUP.
- Bug 2405 - "LIST *" should not list dotfiles.
- Bug 2366 - Add support for -h list option.
- Bug 2332 - SO_OOBINLINE error after upgrading proftpd from 1.2.6 to 1.2.9.
This is due mostly to a change in the logging; a check for error values
and logging of them was added. The setting of this particular socket option
has been moved earlier in the session, as it was found that short-lived
TCP connections, as from monitoring systems, would cause this error.
- Bug 2407 - mod_auth_file does not allow for proper cascading of "end" and
"set" auth requests.
- Bug 2410 - CreateHome always copies skel directory.
- Bug 2336 - Use of /dev/log on Solaris leads to kernel memory leak.
ProFTPD's use of the /dev/log device on Solaris was tickling a Solaris
kernel bug that caused the Solaris kernel to leak memory.
- Added a TimeoutLinger directive to complement the --enable-timeout-linger
configure option.
- Bug 2125 - -vv command line switch should list versions of modules.
- Bug 2420 - Name field is not escaped before querying database.
The mod_quotatab module was not properly escaping the name string it
used when looking up records from SQL databases.
- Bug 2424 - SQLDefaultHomedir overrides column value.
- Bug 2411 - Caching effects cause RNTO to fail if AllowOverwrite is off and
target path does not exist.
- Bug 2422 - %v not working in SQLNamedQuery.
- Bug 2418 - chmod returns 550 with filename containing multiple spaces.
- Bug 2431 - mod_sql does not use UID/GID properly in cache lookups.
- Bug 2303 - Problem evaluating multiple <Class> rules.
- Bug 2419 - Ability to disable TLSRequired on per-user basis (e.g. for
anonymous logins).
- Bug 2438 - Display variable %z not expanded properly.
- Bug 2439 - <Limit CWD> doesn't work.
1.2.10rc1 - Released 28-Apr-2004
---------------------------------
- Bug 2135 - Add ability to handle passphrase-protected server keys. mod_tls
can now properly prompt for passphrases for protected server certificate
keys when the daemon is starting up.
- Bug 2086 - Add limits for PORT, PASV. This means that now one can use
<Limit> to place access controls on the PORT and PASV commands. This
applies to the EPRT and EPSV commands as well.
- Bug 2174 - mod_auth_unix should not act authoritatively. This was causing
problems when using mod_auth_unix.c and the AuthOrder configuration
directive.
- Bug 2098 - Added SetEnv and UnsetEnv configuration directives.
- Bug 2271 - Improper autoconf check for getaddrinfo() on Tru64 UNIX 5.1.
The getaddrinfo symbol is a macro, not a function, on that platform.
- Bug 2255 - RADIUS Service-Type should reflect attribute expectations.
- Added Event API.
- Bug 2272 - Address/port collision check needs to handle DefaultAddress.
- Bug 2072 - Add Controls API.
This API includes a new program, ftpdctl, that is used to communicate
directly with the proftpd daemon via a new core module, mod_ctrls. For
this new functionality to be used, proftpd must be configured using the
added --enable-ctrls option.
- Bug 2015 - Add AND, OR keywords to Allow/DenyUser directives.
The AllowUser, DenyUser, AllowGroup, and DenyGroup directives now take
an optional keyword that indicates what type of expression they are:
AND, OR, or regex. By default, AllowUser and DenyUser are OR expressions,
and AllowGroup and DenyGroup are AND expressions. For example:
AllowUser regex ^ftp
DenyUser AND dave,bob
AllowGroup OR web,doc
These demonstrate that the optional keyword modifier must be the first
parameter in the configuration directive.
- Bug 2046 - Change RNFR and RNTO logging class to WRITE. This means that
ExtendedLogs that use the WRITE logging class will now include the
RNFR and RNTO commands.
- Mac OS X 10.3 portability fixes.
- Bug 2274 - Default server only binds to one IP address of host if
the --enable-ipv6 configure option is used. ProFTPD will now properly
bind to all addresses for the default "server config" server.
- Bug 2048 - Add ability to get configuration file values from environment.
For example, you can now have the following in your proftpd.conf:
DefaultAddress %{env:PR_DEFAULT_ADDR}
which indicates to ProFTPD's configuration parser to get the value of
the PR_DEFAULT_ADDR environment variable, and substitute it in, e.g.:
PR_DEFAULT_ADDR=1.2.3.4 ./proftpd ...
If the indicated environment variable is not present, the value is
substituted with the empty string.
- Bug 1635 - Older systems' chown(1) does not support -h option. The solution
is to prevent this error from stopping the 'make install' process, as it
is a harmless error on such systems.
- Bug 2290 - gmtime() static storage may be overwritten by modules.
- Bug 2288 - ServerFQDN set to 255.255.255.255 and not hostname.
- Added mod_quotatab to the contrib area.
- Bug 2300 - poll() returns 1 and read returns 0, resulting in an infinite
loop. The actual bug was caused by a goto that was being inappropriately
used; a return value was not being checked to see if it was an error value.
- Bug 2305 - Compile Problems since > 1.2.9
Fix the build under Solaris - ftpdctl needs to be linked against libsocket
and libnsl.
- Bug 2267 - Broken IP subnet matching. Added new ACL parsing/matching code.
- Bug 2307 - MySQL 4.1.1 API change causes mod_sql_mysql compilation failure.
- Bug 2319 - Build scripts have owner-only execute permission. This was
causing problems whenever a user other than the owner of the files
attempted to build proftpd.
- Bug 2320 - autoconf check for socklen_t doesn't work on FreeBSD 4.8-RELEASE.
The fix is to include <sys/types.h>, if present, sooner in the check.
- Bug 1925 - Clean up of Class code. The Class and Classes directives are
now deprecated. See README.classes for more details.
- Bug 2295 - mod_tls returns multiline response to AUTH commands.
- Bug 2322 - NLST -a returns listing formatted for LIST -a. RFC959 does not
explicitly allow dash-style options for LIST or NLST, although many clients
attempt to use them. De facto FTP server behaviors handle options for LIST;
options for NLST will be explicitly rejected.
- Bug 2315 - Overlapping virtual server causes error. If a <VirtualHost>
was configured to handle the same IP address and port as the "server config"
server, the wrong server configuration was being removed.
- Bug 2324 - Directories whose names contain whitespace are inaccessible.
- Bug 2306 - ftpcount output should handle case of no users. When no clients
are connected, ftpcount now displays "0 users".
- Bug 2337 - TLSRenegotiate parameters not processed correctly.
- Bug 2340 - Problem with parallel builds. Proper dependencies added when
building ftpwho and ftptop.
- Bug 2327 - SQLNegativeCache causes unnecessary errors in server logging.
- Bug 2237 - HiddenStores does not check for existing file in edge case.
- Bug 2171 - Add delete options to ftpasswd. The ftpasswd script now
supports the --delete-user and --delete-group options.
- Bug 2105 - Remove Authoritative directives. The AuthPAMAuthoritative
directive, and the "*" syntax of SQLAuthenticate, have been deprecated.
- Bug 1696 - Include directive should support directories. The Include
directive now functions just like Apache's Include directive, including
handling glob characters.
- Bug 2311 - MaxClients counts unauthenticated users. According to the
documentation, the MaxClients configuration directive should only count
authenticated clients.
- Bug 2339 - STAT command doesn't follow RFC959. Previously, ProFTPD did
not support use of the STAT command during file transfers. This
functionality is now implemented. Sites wishing to prevent this can
limit use of the STAT command by using <Limit STAT>.
- Bug 2257 - Add SITE SYMLINK command to mod_site. Rather than adding
this command to the mod_site module, a new module, mod_site_misc, has
been added to the contrib area. The mod_site_misc module implements
SITE SYMLINK, and a few other SITE commands. See contrib/mod_site_misc.html
for details.
- Bug 2355 - Send error message to client when 'TLSRequired on' is in effect.
Previously, if SSL/TLS was configured to be required for both control
and data channels, if the client did not perform the SSL/TLS handshake for
a data transfer, the connection would hang. Now, an error message is sent
to the client if no handshake is done.
- Bug 2353 - REST doesn't handle offsets greater than 2 GB.
- Bug 2357 - ftptop should use COLS for determining display width.
- Bug 2321 - FTP permission checks inconsistent for DELE and RMD/XRMD when
symlink is in directory path. This bug affected the RNFR command as well.
- Bug 2361 - Second USER command causes problems with chrooted session.
- Bug 2363 - ABOR response RFC 959 compliance. The 226 response was being
sent before closing the data connection; RFC 959 implies that the data
connection is closed first.
- Bug 2369 - EPSV should not send network address when MasqueradeAddress is
used. RFC 2428 does not address the case where a server may wish to
return an address in the EPSV response that differs from the control
connection address, as is done in a PASV response for forwarding devices
(e.g. NAT, firewall). Until the proper behavior can be determined,
do not honor MasqueradeAddress for EPSV.
- Bug 2367 - LIST *.* strange behaviour. The builtin listing mechanism
was inadvertently recursing into globbed directories when recursion was
not actually requested.
- Bug 2371 - ftpasswd should have option to compare password against value
in passwd file. ftpasswd now supports a --not-previous-password option.
- Added a `howto' directory under `doc/', for mini-HOWTOs.
- Bug 2221 - proftpd on hp-ux 11.22. The default data type of socklen_t
on HP-UX 11 is problematic; many system calls expect an int, and the
default type is a size_t. This mismatch causes problems for 64-bit
builds.
- Bug 2385 - Renames fail with error "Invalid cross-device link".
- Bug 2383 - mod_ctrls.c: ctrls_listen(): Invalid size in bind() argument.
The size of struct sockaddr_un is not consistent across platforms.
- Bug 2387 - PRIVS_USER macro should set effective GID to user's primary GID.
- Added a `modules/' directory under `doc/', for core module documentation.
Currently there are HTML docs for mod_auth_file, mod_cap, and mod_ctrls.
- Bug 2317 - Wrong order of privs calls on HP generates "unable to setregid()"
error.
2004-09-21 15:10:18 +02:00
bin/ftpdctl
2013-03-15 14:34:32 +01:00
bin/ftpmail
bin/ftpquota
2002-12-31 10:19:04 +01:00
bin/ftptop
2005-06-23 00:43:37 +02:00
bin/ftpwho
2008-10-03 08:52:03 +02:00
bin/prxs
Update proftpd to 1.3.7c
2021-10-16 21:46:41 +02:00
include/proftpd/acconfig.h
Package ProFTPD using DSO (Dynamic Shared Objects) support.
This is preferable for binary package use as it allows the user to choose
which features to enable by changing the configuration file instead of
recompiling. This is also how ProFTPD is usually packaged in other systems.
For details about ProFTPD and DSO see:
http://www.proftpd.org/docs/howto/DSO.html
This change removes the following PKG_OPTIONS.proftpd:
ban, ldap, mysql, pgsql, proftpd-readme, quota, tls and wrap
The modules that were previously compiled when enabling ban, proftpd-readme,
quota or tls are now always included. To load them use a configuration
directive like:
LoadModule mod_ban.c
In addition the proftpd package includes by default many other modules that
were previously unavailable like: mod_load, mod_radius, mod_sftp and more.
The module that was provided by the wrap option is replaced by the wrap2 module
which is also always included.
The ldap option is superseded by the proftpd-ldap package.
The mysql option is superseded by the proftpd-mysql package.
The pgsql option is superseded by the proftpd-postgresql package.
Using proftpd-postgresql will create one binary package for each PostgreSQL
version in pkgsrc.
In addition the following added packages provide new functionality:
- proftpd-geoip (access GeoIP details)
- proftpd-memcached (mod_memcache and mod_tls_memcache)
- proftpd-odbc (access any ODBC database)
- proftpd-sqlite (access to sqlite3)
2015-09-25 12:01:36 +02:00
|
|
|
include/proftpd/ascii.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/auth.h
|
|
|
|
include/proftpd/bindings.h
|
|
|
|
include/proftpd/buildstamp.h
|
2019-10-07 21:29:47 +02:00
|
|
|
include/proftpd/ccan-json.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/child.h
|
|
|
|
include/proftpd/class.h
|
2010-03-21 22:24:25 +01:00
|
|
|
include/proftpd/cmd.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/compat.h
|
|
|
|
include/proftpd/conf.h
|
|
|
|
include/proftpd/config.h
|
2019-10-07 21:29:47 +02:00
|
|
|
include/proftpd/configdb.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/ctrls.h
|
|
|
|
include/proftpd/data.h
|
|
|
|
include/proftpd/default_paths.h
|
|
|
|
include/proftpd/dirtree.h
|
|
|
|
include/proftpd/display.h
|
2008-10-03 08:52:03 +02:00
|
|
|
include/proftpd/encode.h
|
2007-01-13 10:47:38 +01:00
|
|
|
include/proftpd/env.h
|
Update proftpd to 1.3.7c
2021-10-16 21:46:41 +02:00
|
|
|
include/proftpd/error.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/event.h
|
2008-10-03 08:52:03 +02:00
|
|
|
include/proftpd/expr.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/feat.h
|
2010-03-21 22:24:25 +01:00
|
|
|
include/proftpd/filter.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/fsio.h
|
|
|
|
include/proftpd/ftp.h
|
|
|
|
include/proftpd/glibc-glob.h
|
2019-10-07 21:29:47 +02:00
|
|
|
include/proftpd/hanson-tpl.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/help.h
|
Package ProFTPD using DSO (Dynamic Shared Objects) support.
2015-09-25 12:01:36 +02:00
|
|
|
include/proftpd/ident.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/inet.h
|
Update proftpd to 1.3.7c
2021-10-16 21:46:41 +02:00
|
|
|
include/proftpd/jot.h
|
2019-10-07 21:29:47 +02:00
|
|
|
include/proftpd/json.h
|
Package ProFTPD using DSO (Dynamic Shared Objects) support.
2015-09-25 12:01:36 +02:00
|
|
|
include/proftpd/lastlog.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/libsupp.h
|
|
|
|
include/proftpd/log.h
|
2019-10-07 21:29:47 +02:00
|
|
|
include/proftpd/logfmt.h
|
2013-03-15 14:34:32 +01:00
|
|
|
include/proftpd/memcache.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/mkhome.h
|
|
|
|
include/proftpd/mod_ctrls.h
|
Package ProFTPD using DSO (Dynamic Shared Objects) support.
2015-09-25 12:01:36 +02:00
|
|
|
include/proftpd/mod_dnsbl.h
|
|
|
|
include/proftpd/mod_load.h
|
|
|
|
include/proftpd/mod_quotatab.h
|
|
|
|
include/proftpd/mod_sftp.h
|
|
|
|
include/proftpd/mod_sql.h
|
|
|
|
include/proftpd/mod_tls.h
|
|
|
|
include/proftpd/mod_wrap2.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/modules.h
|
|
|
|
include/proftpd/netacl.h
|
|
|
|
include/proftpd/netaddr.h
|
|
|
|
include/proftpd/netio.h
|
Update proftpd to 1.3.7c
1.3.7c
+ Fix memory disclosure to RADIUS servers by mod_radius (Issue #1284).
+ PCRE expressions with capture groups were not being handled properly
(Issue #1300).
1.3.7b
+ Fixed occasional segfaults with FTPS data transfers using TLSv1.3, when
session tickets cannot be decrypted (Issue #1063).
+ Passive transfers fail unexpectedly due to use of SO_REUSEPORT socket
option (Issue #1171).
+ Implemented support for Redis 6.x AUTH semantics (Issue #1070).
+ Fixed memory use-after-free issue in mod_sftp which can cause unexpected
login/authentication issues.
+ Fixed SQL syntax regression for some generated SQL statements
(Issue #1149).
+ Fixed "Corrupted MAC on input" errors when SFTP uses the
umac-64@openssh.com digest (Issue #1111).
1.3.7a
+ Fix build-time regression when using the --localstatedir configure option.
1.3.7
+ Support the SOURCE_DATE_EPOCH environment variable, for reproducible
builds (Issue #1038).
1.3.7rc4
+ Implemented support for configuring certificate options for LDAP
connections using SSL/TLS.
+ Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).
+ Fixed handling of IPv6 addresses in From directives (Issue #682).
+ Added -b and -n command-line options to ftptop.
+ Ignore supplemental groups when run as non-root user (Issue #808).
+ Use re-entrant versions of time functions where available (Issue #983).
+ New Configuration Directives
BanOptions
The BanOptions directive is used to tune mod_ban behavior, such as
creating ban entries that match/apply to all <VirtualHost> sections.
See doc/contrib/mod_ban.html#BanOptions for more details.
LDAPUseSASL
The LDAPUseSASL directive configures a list of SASL authentication
mechanisms to use, when using the LDAPBindDN to bind to the LDAP
server. See doc/contrib/mod_ldap.html#LDAPUseSASL for details.
LogOptions
The LogOptions directive is used to modify the default logging format
for ProFTPD syslog, debug, and module logging. See
doc/modules/mod_log.html#LogOptions for more information.
SQLKeepAlive
The SQLKeepAlive directive configures a periodic "keepalive" query
for ensuring the connection between mod_sql and the backend database
server. See doc/contrib/mod_sql.html#SQLKeepAlive for more information.
+ Changed Configuration Directives
LDAPServer
The LDAPServer directive now supports configuring the trusted CA
file, client certificate and key files, SSL ciphers, and verification
policies for LDAP connections. See doc/contrib/mod_ldap.html#LDAPServer
for more details.
TraceOptions
The TraceOptions directive now supports a "Timestamp" option, for
disabling inclusion of timestamps in Trace logs.
+ Developer notes
When MaxLoginAttempts is reached, the POST_CMD_ERR/LOG_CMD_ERR command
handler phases will now run. This allows interested modules, such
as mod_exec and others, to react to these events (Issue #718).
1.3.7rc3
+ Fixed regression in directory listing latency (Issue #863).
+ Fixed use-after-free vulnerability during data transfers (Issue #903).
+ Addressed out-of-bounds read in mod_cap by removing bundled libcap, and
relying solely on the system-provided libcap (Issue #902). Note that
building ProFTPD from source will *not* automatically include the
mod_cap module, unless the libcap library is available.
+ mod_sftp now supports OpenSSH-specific private host keys (Issue #793).
Newer versions of OpenSSH ssh-keygen(1) automatically generate private
keys formatted with this OpenSSH-specific format.
+ mod_sftp now supports Ed25519 keys (Bug #4221).
+ mod_sftp now supports RSA SHA-2 publickey signatures, per RFC 8332
(Issue #907).
+ mod_tls now honors client-provided SNI as part of the TLS handshake,
for implementing name-based virtual hosts via TLS SNI.
+ Changed Configuration Directives
LogFormat %{transfer-port}
The LogFormat directive supports a %{transfer-port} variable for
logging the selected data transfer port.
SFTPOptions NoExtensionNegotiation
The mod_sftp module now supports SSH extension negotiations (RFC 8332).
If there are any issues with this support, it can be disabled using:
SFTPOptions NoExtensionNegotiation
SQLAuthTypes bcrypt
The mod_sql_passwd module now supports bcrypt-encrypted passwords.
This can be enabled using:
SQLAuthTypes bcrypt
in your mod_sql configuration. See doc/contrib/mod_sql_password.html
for more information.
TLSOption IgnoreSNI
The TLSOption directive now supports an "IgnoreSNI" setting, to
tell mod_tls to ignore/not use any SNI, provided by the client in the
TLS handshake, for determining any name-based virtual hosts. See
doc/contrib/mod_tls.html#TLSOption for more details.
+ Added API
FSIO pread(2), pwrite(2) (Issue#317)
1.3.7rc2
+ Fixed pre-authentication remote denial-of-service issue (Issue #846,
CVE-2019-18217).
1.3.7rc1
+ RootRevoke is now on by default, meaning that once authentication succeeds,
all root privileges are dropped by default, unless the UserOwner directive
(which requires root privileges) is used (Bug#4241).
+ The mod_ident module is no longer automatically built by default.
To include the mod_ident module in the build, it must be explicitly
requested via --enable-ident or --with-shared=mod_ident.
This means that configuration files using the IdentLookups directive
will now want to use an enclosing <IfModule> section, like so:
<IfModule mod_ident.c>
IdentLookups off
</IfModule>
+ The mod_tls module now performs basic sanity checks of configured TLS
files on startup (Issue#491).
+ The mod_deflate module now supports MODE Z data transfers when TLS
is used (Issue#505).
+ The mod_xfer module now supports the RANG FTP command; see
https://tools.ietf.org/html/draft-bryan-ftp-range-08 (Issue#351).
+ The ftpasswd script now supports a --change-home option, for changing
the home directory of a user in an AuthUserFile (Issue#566).
+ The ftpasswd script supports deleting a user from a group (Issue#620).
+ Refactored the LogFormat handling code so that it is not longer
duplicated by mod_log, mod_sql, etc. The new Jot API is the common API
to be used by modules for LogFormat variables and logging.
+ Generated new DH parameters for mod_sftp, mod_tls.
+ New Configuration Directives
AuthFileOptions
The mod_auth_file module supports a configuration directive for disabling
its requirement for secure permissions on configured
AuthUserFile/AuthGroupFile. See
doc/modules/mod_auth_file.html#AuthFileOptions for information.
RedisLogOnEvent
The mod_redis module can be configured to log JSON messages based on
specified events (Issue#392). See the
doc/modules/mod_redis.html#RedisLogOnEvent documentation for details.
RedisOptions
The mod_redis module now implements a RedisOptions directive, for tuning
some of the module behavior (Issue#477). The
doc/modules/mod_redis.html#RedisOptions documentation has more details.
RedisSentinel
The mod_redis module now supports use of Redis Sentinels (Issue#396);
see doc/modules/mod_redis.html#RedisSentinel.
+ Changed Configuration Directives
AllowForeignAddress class-name
The AllowForeignAddress directive supports a Class name, for finer-grained
control over which clients are allowed to use foreign/mismatching IP
addresses for transfers. See
doc/modules/mod_core.html#AllowForeignAddress for more information.
ExecEnviron %b
The ExecEnviron directive has been fixed to properly resolve the %b
LogFormat variable (Issue#515).
RedisServer db-index (Issue#550)
The mod_redis module can now be configured to select a database index
via the RedisServer directive (Issue#550). See the
doc/modules/mod_redis.html#RedisServer documentation for details.
RewriteMap idnatrans
The mod_rewrite module can now support rewriting `idn` to `idna`
formats (Issue#231). See the doc/modules/mod_rewrite#RewriteMap for
details on how to do so.
RootRevoke on
The RootRevoke directive is now enabled by default (Bug#4241). This
makes for more secure configurations/sessions out-of-the-box. See
doc/modules/mod_auth.html#RootRevoke for more information.
SFTPCiphers, SFTPDigests
Some weak algorithms are now disabled by default in mod_sftp (Bug#4279).
These algorithms, if need be, can be explicitly enabled by configuration;
they are just not enabled automatically. For list of the algorithms
affected, see doc/contrib/mod_sftp.html#SFTPCiphers,
doc/contrib/mod_sftp.html#SFTPDigests.
SFTPOptions IncludeSFTPTimes
The SFTOptions directive of mod_sftp now supports an option for explicitly
including the timestamps of files when SFTP protocol 4 and higher are
used, even if the SFTP client did not request these timestamps. This
works around a bug in the popular Rebex SFTP library; see
doc/contrib/mod_sftp.html#SFTPOptions for details.
TLSProtocol TLSv1.3
The mod_tls module, and its TLSProtocol directive, now support TLSv1.3
(Issue#536). See doc/contrib/mod_tls.html#TLSProtocol for more
information.
TLSServerCipherPreference
The TLSServerCipherPreference directive is now enabled by default.
See doc/contrib/mod_tls.html#TLSServerCipherPrefrence.
TLSStaplingOptions NoFakeTryLater
Some TLS clients have trouble with the "fake" OCSP response that mod_tls
might stable, when the client requested stapled OCSP responses and
mod_tls is unable to contact the OCSP responder. Use this option to
disable such fake responses (Issue#518):
TLSStaplingOptions NoFakeTryLater
See doc/contrib/mod_tls.html#TLSStaplingOptions for details.
+ Removed Configuration Directives
The following directives have been removed:
GroupPassword
LoginPasswordPrompt
TransferPriority
2021-10-16 21:46:41 +02:00
|
|
|
include/proftpd/openbsd-blowfish.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/options.h
|
Update proftpd to 1.3.7c
2021-10-16 21:46:41 +02:00
|
|
|
include/proftpd/os.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/parser.h
|
2019-10-07 21:29:47 +02:00
|
|
|
include/proftpd/pfilter.h
|
2007-01-13 10:47:38 +01:00
|
|
|
include/proftpd/pidfile.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/pool.h
|
|
|
|
include/proftpd/pr-syslog.h
|
|
|
|
include/proftpd/privs.h
|
2007-01-13 10:47:38 +01:00
|
|
|
include/proftpd/proctitle.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/proftpd.h
|
Update proftpd to 1.3.7c
2021-10-16 21:46:41 +02:00
|
|
|
include/proftpd/random.h
|
2019-10-07 21:29:47 +02:00
|
|
|
include/proftpd/redis.h
|
2006-12-14 12:19:46 +01:00
|
|
|
include/proftpd/regexp.h
|
|
|
|
include/proftpd/response.h
|
Update to version 1.3.5a.
Pkgsrc changes:
* adapt one patch to changes upstream.
* adapt PLIST to newly installed files.
* rename and adapt patch to Makefile.in.
Upstream changes:
1.3.5a - Released 27-May-2015
--------------------------------
- Bug 4055 - "error setting listen fd IPV6_TCLASS: Protocol not available" log
message.
- Bug 3944 - Session closed if active data transfer fails due to "Address
already in use" error.
- Bug 4068 - MaxClients directive doesn't work for <Anonymous> sessions.
- Bug 4069 - NLST -a shows / directory instead of the current directory.
- Bug 4063 - Unable to create directory on NFS/CIFS partition: Permission
denied.
- Bug 4073 - Polycom VOIP phones unable to use FTPS data transfers.
- Bug 4077 - ShaperLog not closed/reopened on SIGHUP, causing log rotation
problems.
- Bug 4079 - Invalid response encoding for SFTP space-available request.
- Bug 4083 - Using SQLDefaultHomedir with null home results in "No such user".
- Bug 4087 - mod_sftp does not handle "MaxLoginAttempts none" properly.
- Bug 4089 - mod_sftp does not allow multiple attempts using a given
authentication method.
- Bug 4090 - mod_wrap2_file does not support IPv6 addresses properly.
- Bug 4091 - Log "Operation not permitted" privs errors at NOTICE rather than
ERROR.
- Bug 4094 - Available space on file system using %f displays wrong value.
- Bug 4108 - SSL handshakes for data connections sometimes stall for 3-30
seconds.
- Bug 4109 - setsockopt() call for IPV6_TCLASS should use IPPROTO_IPV6.
- Bug 4112 - Failure to connect using mod_sftp sometimes due to too-small
buffers.
- Bug 4114 - mod_tls should not support SSLv3 by default.
- Bug 4116 - Report exact SSL/TLS protocol version used in client connections.
- Bug 4124 - DeleteAbortedStores defaults to "on" for all transfers, not just
HiddenStores.
- Bug 4129 - mod_sql caches incorrect UID/GID when name cannot be retrieved.
- Bug 4131 - mod_sftp's autoconf script does not detect OpenSSL SHA2 support.
- Bug 4133 - LDAPUsers directive does not honor uid-number-filter-template
parameter.
- Bug 4137 - GeoIPDenyFilter incorrectly takes precedence over GeoIPAllowFilter.
- Bug 4140 - SFTP READLINK requests to symlinks to directories fail.
- Bug 4143 - HTTPS/FTPS protocol confusion leads to XSS.
- Bug 4145 - Segfault if AuthUserFile is a relative symlink.
- Bug 4152 - Reduce logging of non-fatal "unable to open incoming connection"
errors.
- Bug 4155 - SSH keys with too-long Comment headers aren't recognized by
mod_sftp_sql.
- Bug 4156 - Segfault handling LIST/NLST FTP command on Mac OS X.
- Bug 4160 - Malformed response to SSH_FXP_REALPATH with SFTP version 6.
- Bug 4169 - Unauthenticated copying of files via SITE CPFR/CPTO allowed by
mod_copy.
- Bug 4178 - TLS session reuse requirement for data connections not properly
enforced.
1.3.5 - Released 15-May-2014
--------------------------------
- Bug 4018 - Implement checks for sensitive directories when chrooted.
- Bug 4022 - "Directory not empty" error when creating directory is misleading.
- Bug 4025 - <IfClass> sections do not work for multiple SQLLog directives.
- Bug 4029 - TLSOptions EnableDiags logs "unknown version (771)" for
TLS 1.1/1.2 connections.
- Bug 3938 - mod_wrap2 uses reverse DNS regardless "UseReverseDNS off".
- Bug 4032 - Restarting proftpd with mod_sftp fails due to permissions on
SFTPHostKey file.
- Bug 4033 - mod_sftp fails to create SSH2 session using 'none' cipher.
- Bug 4034 - SSH publickey authentication fails with "MaxLoginAttempts 1".
- Bug 4024 - TLS 1.1/1.2 configurable, but not properly implemented.
- Bug 4046 - ALLO command failed because of bad size check.
- Bug 4048 - Race condition in mod_ban can lead to segfault of all new
connections.
- Bug 4049 - mod_exec should include supplemental groups when running commands
as logged-in user.
- Bug 4042 - MIC command between RNFR and RNTO should not be rejected.
- Bug 4044 - mod_facl prevents a normal SIGHUP reload.
- Bug 4052 - Enhance SQLPasswordPBKDF2 to support per-user query for settings.
1.3.5rc4 - Released 28-Jan-2014
--------------------------------
- Bug 3945 - Spurious log messages at session close.
- Bug 3946 - Null pointer dereference causes segfault when logging
%{transfer-status}, %{transfer-failure} LogFormat variables on EXIT.
- Bug 3947 - LogFormat %f variable not resolved properly for SFTP renames.
- Bug 3950 - LogFormat %d/%D variables not resolved properly for directory
listings.
- Bug 3949 - RNFR/RNTO not logged as expected for SFTP EXTENDED
posix-rename@openssh.com requests.
- Bug 3948 - Support FTP response codes in ExtendedLog for SFTP data transfers.
- Bug 3858 - mod_delay allows too-large values, leading to client hang on
authentication.
- Bug 3951 - Null pointer dereference for mod_ldap logins when
LDAPDefaultAuthScheme not configured.
- Bug 3954 - scp downloads result in segfault.
- Bug 3957 - ProFTPD configuration with thousands of <Directory>/<Limit>
sections leads to slow logins.
- Bug 3959 - mod_sftp does not honor <Directory>/<Limit> sections when symlinks
are involved.
- Bug 3958 - Directory creation does not honor single-parameter Umask setting.
- Bug 3960 - Support the CAP_FSETID Linux capability, for preserving directory
SGID bit.
- Bug 3962 - Directory creation fails (chmod(2) EPERM) when root privs are used
in some cases.
- Bug 3955 - Support secure FXP (site-to-site) transfers using SSCN.
- Bug 3966 - LogFormat %f variable not resolved for some commands.
- Bug 3971 - Support SQLOption for ignoring client library config files when
needed.
- Bug 3972 - Authentication error on Cygwin due to bad code.
- Bug 3973 - mod_sftp can be forced to allocate too much memory for
keyboard-interactive authentication.
- Bug 3974 - PathDenyFilter directive does not work as expected for SFTP
sessions.
- Bug 3963 - Improve permission setting when creating directories.
- Bug 3975 - Error printed to stderr when loading GeoIP Lite country database
using IndexCache flag.
- Bug 3976 - ProFTPD terminating (signal 11) crash for GeoLiteCity-20130903
database lookup.
- Bug 3964 - Support running ExecOnEvent actions with logged-in user's
permissions.
- Bug 3979 - mod_sql_odbc compiler warnings on 64-bit systems using unixODBC.
- Bug 3952 - Make PersistentPasswd default to 'off'.
- Bug 3981 - Null pointer dereference in mod_exec with ExecOption useStdin.
- Bug 3982 - Normalize log messages and levels.
- Bug 3888 - Add LDAPLog directive to mod_ldap.
- Bug 3982 - Normalize log messages and levels.
- Bug 3986 - Support filesystems which do not support chmod(2)/chown(2),
e.g. FAT/ExFAT.
- Bug 3991 - SSL session caching modules use incorrect OpenSSL cache mode flags,
breaking session caching.
- Bug 3987 - LogFormat variable for just the filename.
- Bug 3965 - Timeout directives have inconsistent maximum values.
- Bug 3998 - Support IgnoreSCPUploadTimes SFTPOption.
- Bug 3995 - ftpasswd utility should prevent concurrent modification of files.
- Bug 3994 - ftpasswd utility should support --lock/--unlock options.
- Bug 3970 - ProFTPD should not use fd 2 (stderr) for files.
- Bug 3772 - Support Elliptic Curve Cryptography (ECC) certs for
FTPS connections.
- Bug 3992 - RSA signature issue when connecting using PuTTY/WinSCP.
- Bug 3996 - Handling ALLO command can result in wrong response when chrooted.
- Bug 3876 - ExecOnEvent should be configurable per <VirtualHost>/<Global>.
- Bug 4001 - mod_sftp fails key exchange for 8192-bit DH group.
- Bug 4002 - Add 7680-bit DH parameter to mod_sftp bundled dhparams.pem file.
A 3072-bit DH group was also added.
- Bug 4004 - IgnoreSCPUploadPerms SFTPOption not honored properly for SCP
directory upload.
- Bug 4006 - RADIUS "service-type" attribute encoded with wrong length on
64-bit system.
- Bug 4011 - NLST ../ shows current directory contents rather than parent
directory.
- Bug 4013 - SCP upload of shorter file does not completely overwrite existing
file of same name.
- Bug 4014 - CommandBufferSize should override PR_DEFAULT_CMD_BUFSZ.
1.3.5rc3 - Released 14-Jun-2013
--------------------------------
- Bug 3910 - Clang's scan-build warns on set[u][g]id unchecked return value.
- Bug 3914 - 1.3.5rc2 fails to build on Solaris 10.
- Bug 3917 - Make DeleteAbortedStores on by default when HiddenStores enabled.
- Bug 3918 - mod_sftp segfault after SIGHUP when evaluating client banner.
- Bug 3864 - Support SQL query to lookup/use primary key for logged-in
user/group.
- Bug 3920 - Support umac-64@openssh.com digest for mod_sftp.
- Bug 3921 - Single failed keyboard-interactive login attempt causes SSH
connection to close prematurely.
- Bug 3923 - mod_cap does not revoke root privileges properly for SFTP
connections.
- Bug 3926 - Support OpenSSH fsync SFTP extension.
- Bug 3925 - SFTP directory listings are sensitive to locale environment
variables.
- Bug 3924 - HideFiles does not filter symlinks.
- Bug 3929 - pam_session_close() requires root privs on some platforms.
- Bug 3932 - SQLAuthType Backend returns "password mismatch" for MySQL
PASSWORD().
- Bug 3934 - HideUser/HideGroup do not work as expected for virtual users.
- Bug 3935 - scp download of nonexistent file results in client hang.
- Bug 3927 - Default ControlsSocket created despite custom ControlsSocket path.
- Bug 3937 - Segfault when retrieving SSH public key from LDAP directory.
- Added new mod_snmp contrib module.
- Bug 3939 - Disable Controls for "ServerType inetd" servers.
- Bug 3942 - mod_sftp_sql should support multiple keys concatenated together
in a single column.
- Bug 3943 - Support for PBKDF2 passwords in mod_sql_passwd.
- Bug 3941 - RLimitProcesses causes problems with setuid/setreuid.
1.3.5rc2 - Released 06-Mar-2013
--------------------------------
- Bug 3859 - MLSD fails to show symlinks when ShowSymlinks is not configured.
- Bug 3860 - Add a default deny option for mod_geoip.
- Bug 3862 - Support for FTPS-specific MasqueradeAddress functionality. A
new TLSMasqueradeAddress directive has been added to mod_tls.
- Bug 3863 - mod_sftp does not handle MaxLoginAttempts properly.
- Bug 3865 - BanEngine not set in "server config" results in "mod_ban not
enabled" ftpdctl error.
- Bug 3866 - Issuing invalid 'ftpdctl ban' request causes segfault.
- Bug 3867 - ftpasswd fails with "Permission denied" when adding subsequent
passwd/group entries.
- Bug 3868 - Only first DH param in TLSDHParamFile is used, regardless of
requested keylength.
- Bug 3870 - Handling of OPTS command can lead to crash.
- Bug 3779 - Generate new DH parameters for mod_tls and mod_sftp.
- Bug 3871 - REALPATH SFTP request not properly handled by <Limit DIRS>
configuration.
- Bug 3872 - Use HiddenStores directive to customise suffix.
- Bug 3873 - Provide FTP response code in ExtendedLog for failed SFTP REMOVE
request.
- Bug 3869 - Use longer SSL session cache expiration by default.
- Bug 3874 - Use of O_EXCL flag on HiddenStores files might break for NFS
filesystems.
- Bug 3878 - QuotaExcludeFilter not honored for uploads when 'hard' limits are
used.
- Bug 3879 - Allow additional columns in SQLNamedQuery queries used for quota
limits and tallies.
- Bug 3882 - DisplayLogin with an absolute path does not work properly within
an <IfGroup> section.
- Added new mod_log_forensic contrib module.
- Bug 3881 - <Directory> sections within <IfGroup> sections not applied as
expected.
- Bug 3884 - Configure script not detecting MySQL make_scrambled_password
functions.
- Bug 3887 - <Limit ALL> erroneously blocks the PROT command used for FTPS.
- Bug 3819 - Second and subsequent LIST of directory with many files is very
slow.
- Bug 3889 - Support millisecond timestamp LogFormat variable.
- Bug 3891 - Allow TLSProtocol directive in <VirtualHost> and <Global> sections.
- Bug 3753 - Support SFTP request names in <Limit> sections better.
- Bug 3892 - mod_auth_file should have strict permission checks of configured
files.
- Bug 3893 - Add SQLLogOnEvent directive, for performing SQL query on
configurable event.
- Bug 3894 - ftptop doesn't work with --enable-nls.
- Bug 3895 - Missing TransferLog entry under some out-of-space conditions.
- Bug 3897 - mod_sftp does not handle a REALPATH request properly for SFTP
protocol version 6.
- Bug 3896 - Warn when world-writable config files are used.
- Bug 3899 - Support authentication of users based on SSL/TLS client
certificate.
- Bug 3903 - With mod_log_forensic enabled, SSH connections fail randomly.
- Bug 3905 - Handle the Linux-specific PAM_RADIO_TYPE message properly.
- Bug 3709 - Support download-triggered emails in the ftpmail script.
- Bug 3904 - scp downloads using glob pattern sometimes fails.
- Bug 3900 - ProFTPD terminating (signal 11) on some sftp connections.
- Bug 3906 - Support ban rule for clients which perform SSL/TLS handshakes too
frequently.
1.3.5rc1 - Released 04-Jan-2013
--------------------------------
- Bug 3712 - mod_wrap2/mod_load build errors: missing config.h.
- Bug 3713 - mod_tls cannot be compiled using OpenSSL 0.9.6.
- Bug 3646 - Debug logging to stderr should include timestamps and PID.
- Bug 3714 - ftpwho/ftptop are not showing command arguments (e.g. downloaded
file name).
- Bug 3715 - MLSD/MLST fail when "DirFakeUser off" or "DirFakeGroup off" used.
- Bug 3717 - proftpd fails to run with "Abort trap" error message.
- Bug 3719 - LIST -R can loop endlessly if bad directory symlink exists.
- Bug 3720 - Various module logfile permissions are 0600 instead of 0640.
- Bug 3723 - mod_memcache segfault on server restart.
- Bug 3721 - mod_rewrite does not replace characters if there are more than
8 occurrences. To handle this situation, a new RewriteMaxReplace directive
has been added for configuring this limit.
- Bug 3724 - Unloading mod_quotatab causes segfault.
- Bug 3686 - Support SHA2 digests in mod_sftp. See the SFTPDigests directive
documentation for more information.
- Bug 3629 - Support <IfAuthenticated> conditional config section.
- Bug 3682 - Configure does not detect libiconv under Gentoo FreeBSD.
- Bug 3726 - mod_exec does not always capture stdout/stderr output from
executed command.
- Bug 3727 - mod_wrap2 causes unexpected LogFormat %u expansion for SFTP
connections.
- Bug 3729 - mod_ldap can segfault when LDAPUsers is used with no optional
filters.
- Bug 3728 - Build failure in wtmp.c on Gentoo/FreeBSD on sparc.
- Bug 3734 - DirFakeUser/DirFakeGroup off with name causes SIGSEGV for
MLSD/MLST commands.
- Bug 3739 - Allow for configurable SSH version identifiers in mod_sftp. The
SSH version identifier can now be configured for mod_sftp via the
ServerIdent directive.
- Bug 3718 - ftptop fails to build on OpenSUSE.
- Bug 3699 - ProFTPD crash on start up on Mac OSX Lion with NLS enabled.
- Bug 3744 - Support ls(1) -1 option for LIST command.
- Bug 3746 - Support applying ListOptions only to NLST or to LIST commands.
- Bug 3747 - Support option for displaying symlinks via MLSD using syntax
preferred by FileZilla. The new FactsOptions directive can be used for
this purpose.
- Bug 3745 - Reject PASV command if no IPv4 address available.
- Bug 3701 - Modify ScoreboardFile directive to support disabling scoreboarding.
- Bug 3742 - Improper handling of self-signed certificate in client-sent cert
list when "TLSVerifyClient on" is used.
- Bug 3749 - Compile of src/netacl.c fails on Tru64 UNIX (OSF/1) due to
conflict with system header.
- Bug 3743 - Random stalls/segfaults seen when transferring large files
via SFTP.
- Bug 3752 - proftpd process exit status is zero for "Failed binding to
address, port N: Address already in use" startup failure.
- Bug 3751 - mod_ban does not close/reopen the BanLog/BanTable file descriptors
on restart, causing a file descriptor leak.
- Bug 3707 - Add request/transfer ID to the logging of the initial and closing
commands for SFTP file transfers. This can now be accomplished using a
LogFormat variable of '%{note:sftp.file-handle}'.
- Bug 3757 - Support SFTPOption for ignoring requests to modify file ownership.
- Bug 3756 - mod_ctrls no longer listens on ControlsSocket after restart.
- Bug 3731 - Support active data transfers while RootRevoke is in effect.
- Bug 3737 - Allow UTF8 when UseEncoding is used.
- Bug 3573 - Support Elliptic Curve Cryptography (ECC) in SSH.
- Bug 3758 - ProFTPD crashes when handling mod_gss authentication due to null
pointer.
- Ability to load SSH host keys from an SSH agent, in addition to files on
disk. See doc/contrib/mod_sftp.html#SFTPHostKey for more information.
- Bug 3761 - SSH2 key exchange fails if client sends certain SSH message before
NEWKEYS.
- Bug 3763 - Ensure that mod_sftp operates properly when OpenSSL FIPS mode is
enabled.
- Bug 3764 - mod_sftp does not correctly handle a 'guess' KEX message when the
client guesses correctly.
- Bug 3765 - mod_sftp should honor the GroupOwner directive for MKDIR requests.
- Bug 3626 - Display variable %f off by a factor of 1024 on 64-bit platforms.
- Bug 3673 - Support date/timestamp variables in mod_rewrite.
- Bug 3754 - ProFTPD refuses to delete/rename a symlink pointing outside a
writable directory.
- Bug 3766 - Support a QuotaDefault directive, for configuring default limits.
- Bug 3767 - mod_rewrite segfault when handling SITE CHGRP without a parameter.
- Bug 3768 - ExecTimeout 0 (zero) not treated as infinite.
- Added new mod_geoip contrib module.
- Bug 3769 - Ensure that encoded strings are NUL-terminated.
- Bug 3732 - AIX build error: undefined symbol: .alloca.
- Bug 3782 - SQLShowInfo does not work properly for error responses.
- Bug 3780 - AIX gives "error setting listen fd IP_TOS: Invalid argument".
- Bug 3736 - Trying to re-authenticate an existing FTP connection causes invalid
503 response.
- Bug 3785 - Support resolution of tilde (~) within a chrooted session.
- Bug 3787 - Read-only SFTP OPEN request permissions not properly ignored.
- Bug 3740 - Overwrite permission denied when reloading multiple times and
multiple <VirtualHost> sections in proftpd.conf.
- Bug 3791 - Invalid handling of SCP control messages fragmented over multiple
SSH packets.
- Bug 3794 - Cygwin build failure in lib/tpl.c due to wrong include of mman.h.
- Bug 3795 - ProFTPD needs to use -pthread linker option if linking against
OpenSSL with thread support.
- Bug 3790 - Logfile timestamps change to GMT after MFMT command.
- Bug 3798 - Downloading nonexistent file via SCP results in timeout rather
than error.
- Bug 3800 - Multiple *Options directives should be handled properly.
- Bug 3801 - mod_tls should have directive like Apache mod_ssl's
SSLHonorCipherOrder. The mod_tls module now supports a
TLSServerCipherPreference directive.
- Bug 3804 - ioctl(RPROTDIS) code no longer needed on Solaris 11.
- Bug 3808 - Segfault in mod_tls when mod_tls_shmcache used.
- Bug 3809 - Segfaults in mod_radius when configured with RadiusGroupInfo.
- Bug 3811 - ExtendedLog entries not written if MaxClients limit reached.
- Bug 3814 - Support "configtest" command for contrib init.d script.
- Bug 3816 - Installation of ftpasswd does not honor DESTDIR environment
variable.
- Bug 3813 - Ability to use CreateHome to create parent directories as
non-root user, for better interoperability with NFS.
- Bug 3806 - Support reverse DNS resolution for IPv6 addresses when
gethostbyname2(3) is not available.
- Bug 3820 - Support device/interface names in <VirtualHost>, MasqueradeAddress,
and DefaultAddress.
- Bug 3822 - Resolving %U/%u LogFormat variables inconsistent between
mod_log/mod_sql in certain cases.
- Bug 3824 - Use RFC compliant address/port for data transfer if FTP client has
not sent PORT/PASV/EPRT/EPSV commands.
- Bug 3825 - Handle RFC 1918 IP addresses in PORT/EPRT commands.
- Bug 3827 - Use non-filesystem based SFTP handle generator instead of
mktemp(3).
- Bug 3828 - Certain sequences of FTP data transfer commands lead to NULL
pointer dereferences in mod_deflate.
- Bug 3830 - MFF/MFMT command segfaults due to insufficient parameter checks.
- Bug 3829 - RNFR without following RNTO can lead to NULL pointer dereference.
- Bug 3832 - Support disabling of system logging on per-connection basis.
- Bug 3792 - Recursive SCP uploads using preserve-time (-p) option may not work.
- Bug 3831 - Sporadic "451 Insufficient memory or file locked" failure when
downloading.
- Bug 3833 - Enable TCP keepalive by default, with configurable SocketOption.
- Bug 3837 - mod_tls unable to read certificate files after SIGHUP.
- Bug 3842 - Incorrect handling of REALPATH requests for symlink paths in
mod_sftp.
- Bug 3843 - ProFTPD should not fail when starting up due to loading same
module multiple times.
- Bug 3845 - mod_sftp does not provide response codes for %s LogFormat variable
for AUTH ExtendedLog.
- Bug 3846 - Avoid scanning ScoreboardFile needlessly on login if limits are
not configured.
- Bug 3850 - ftpasswd should support generating SHA-256, SHA-512 hashes where
possible.
- Bug 3851 - SFTPPassPhraseProvider fails due to incorrect pointer.
- Bug 3852 - Support directive for ignoring symlink DefaultRoot directories.
See the new AllowChrootSymlinks directive.
- Bug 3839 - Enhance mod_cap to support dropping root privs entirely.
- Bug 3841 - Possible symlink race when applying UserOwner to newly created
directory.
- Bug 3855 - Restarting proftpd may cause Include files not to be parsed.
2015-07-13 17:39:27 +02:00 | include/proftpd/rlimit.h
2006-12-14 12:19:46 +01:00 | include/proftpd/scoreboard.h
2010-03-21 22:24:25 +01:00 | include/proftpd/session.h
2006-12-14 12:19:46 +01:00 | include/proftpd/sets.h
2019-10-07 21:29:47 +02:00 | include/proftpd/signals.h
2013-03-15 14:34:32 +01:00 | include/proftpd/stash.h
2008-10-03 08:52:03 +02:00 | include/proftpd/str.h
2006-12-14 12:19:46 +01:00 | include/proftpd/support.h
| include/proftpd/table.h
2008-10-03 08:52:03 +02:00 | include/proftpd/throttle.h
2006-12-14 12:19:46 +01:00 | include/proftpd/timers.h
| include/proftpd/trace.h
Update to version 1.3.5a.
Pkgsrc changes:
* adapt one patch to changes upstream.
* adapt PLIST to newly installed files.
* rename and adapt patch to Makefile.in.
Upstream changes:
1.3.5a - Released 27-May-2015
--------------------------------
- Bug 4055 - "error setting listen fd IPV6_TCLASS: Protocol not available" log
message.
- Bug 3944 - Session closed if active data transfer fails due to "Address
already in use" error.
- Bug 4068 - MaxClients directive doesn't work for <Anonymous> sessions.
- Bug 4069 - NLST -a shows / directory instead of the current directory.
- Bug 4063 - Unable to create directory on NFS/CIFS partition: Permission
denied.
- Bug 4073 - Polycom VOIP phones unable to use FTPS data transfers.
- Bug 4077 - ShaperLog not closed/reopened on SIGHUP, causing log rotation
problems.
- Bug 4079 - Invalid response encoding for SFTP space-available request.
- Bug 4083 - Using SQLDefaultHomedir with null home results in "No such user".
- Bug 4087 - mod_sftp does not handle "MaxLoginAttempts none" properly.
- Bug 4089 - mod_sftp does not allow multiple attempts using a given
authentication method.
- Bug 4090 - mod_wrap2_file does not support IPv6 addresses properly.
- Bug 4091 - Log "Operation not permitted" privs errors at NOTICE rather than
ERROR.
- Bug 4094 - Available space on file system using %f displays wrong value.
- Bug 4108 - SSL handshakes for data connections sometimes stall for 3-30
seconds.
- Bug 4109 - setsockopt() call for IPV6_TCLASS should use IPPROTO_IPV6.
- Bug 4112 - Failure to connect using mod_sftp sometimes due to too-small
buffers.
- Bug 4114 - mod_tls should not support SSLv3 by default.
- Bug 4116 - Report exact SSL/TLS protocol version used in client connections.
- Bug 4124 - DeleteAbortedStores defaults to "on" for all transfers, not just
HiddenStores.
- Bug 4129 - mod_sql caches incorrect UID/GID when name cannot be retrieved.
- Bug 4131 - mod_sftp's autoconf script does not detect OpenSSL SHA2 support.
- Bug 4133 - LDAPUsers directive does not honor uid-number-filter-template
parameter.
- Bug 4137 - GeoIPDenyFilter incorrectly takes precedence over GeoIPAllowFilter.
- Bug 4140 - SFTP READLINK requests to symlinks to directories fail.
- Bug 4143 - HTTPS/FTPS protocol confusion leads to XSS.
- Bug 4145 - Segfault if AuthUserFile is a relative symlink.
- Bug 4152 - Reduce logging of non-fatal "unable to open incoming connection"
errors.
- Bug 4155 - SSH keys with too-long Comment headers aren't recognized by
mod_sftp_sql.
- Bug 4156 - Segfault handling LIST/NLST FTP command on Mac OS X.
- Bug 4160 - Malformed response to SSH_FXP_REALPATH with SFTP version 6.
- Bug 4169 - Unauthenticated copying of files via SITE CPFR/CPTO allowed by
mod_copy.
- Bug 4178 - TLS session reuse requirement for data connections not properly
enforced.
1.3.5 - Released 15-May-2014
--------------------------------
- Bug 4018 - Implement checks for sensitive directories when chrooted.
- Bug 4022 - "Directory not empty" error when creating directory is misleading.
- Bug 4025 - <IfClass> sections do not work for multiple SQLLog directives.
- Bug 4029 - TLSOptions EnableDiags logs "unknown version (771)" for
TLS 1.1/1.2 connections.
- Bug 3938 - mod_wrap2 uses reverse DNS regardless "UseReverseDNS off".
- Bug 4032 - Restarting proftpd with mod_sftp fails due to permissions on
SFTPHostKey file.
- Bug 4033 - mod_sftp fails to create SSH2 session using 'none' cipher.
- Bug 4034 - SSH publickey authentication fails with "MaxLoginAttempts 1".
- Bug 4024 - TLS 1.1/1.2 configurable, but not properly implemented.
- Bug 4046 - ALLO command failed because of bad size check.
- Bug 4048 - Race condition in mod_ban can lead to segfault of all new
connections.
- Bug 4049 - mod_exec should include supplemental groups when running commands
as logged-in user.
- Bug 4042 - MIC command between RNFR and RNTO should not be rejected.
- Bug 4044 - mod_facl prevents a normal SIGHUP reload.
- Bug 4052 - Enhance SQLPasswordPBKDF2 to support per-user query for settings.
1.3.5rc4 - Released 28-Jan-2014
--------------------------------
- Bug 3945 - Spurious log messages at session close.
- Bug 3946 - Null pointer dereference causes segfault when logging
%{transfer-status}, %{transfer-failure} LogFormat variables on EXIT.
- Bug 3947 - LogFormat %f variable not resolved properly for SFTP renames.
- Bug 3950 - LogFormat %d/%D variables not resolved properly for directory
listings.
- Bug 3949 - RNFR/RNTO not logged as expected for SFTP EXTENDED
posix-rename@openssh.com requests.
- Bug 3948 - Support FTP response codes in ExtendedLog for SFTP data transfers.
- Bug 3858 - mod_delay allows too-large values, leading to client hang on
authentication.
- Bug 3951 - Null pointer dereference for mod_ldap logins when
LDAPDefaultAuthScheme not configured.
- Bug 3954 - scp downloads result in segfault.
- Bug 3957 - ProFTPD configuration with thousands of <Directory>/<Limit>
sections leads to slow logins.
- Bug 3959 - mod_sftp does not honor <Directory>/<Limit> sections when symlinks
are involved.
- Bug 3958 - Directory creation does not honor single-parameter Umask setting.
- Bug 3960 - Support the CAP_FSETID Linux capability, for preserving directory
SGID bit.
- Bug 3962 - Directory creation fails (chmod(2) EPERM) when root privs are used
in some cases.
- Bug 3955 - Support secure FXP (site-to-site) transfers using SSCN.
- Bug 3966 - LogFormat %f variable not resolved for some commands.
- Bug 3971 - Support SQLOption for ignoring client library config files when
needed.
- Bug 3972 - Authentication error on Cygwin due to bad code.
- Bug 3973 - mod_sftp can be forced to allocate too much memory for
keyboard-interactive authentication.
- Bug 3974 - PathDenyFilter directive does not work as expected for SFTP
sessions.
- Bug 3963 - Improve permission setting when creating directories.
- Bug 3975 - Error printed to stderr when loading GeoIP Lite country database
using IndexCache flag.
- Bug 3976 - ProFTPD terminating (signal 11) crash for GeoLiteCity-20130903
database lookup.
- Bug 3964 - Support running ExecOnEvent actions with logged-in user's
permissions.
- Bug 3979 - mod_sql_odbc compiler warnings on 64-bit systems using unixODBC.
- Bug 3952 - Make PersistentPasswd default to 'off'.
- Bug 3981 - Null pointer dereference in mod_exec with ExecOption useStdin.
- Bug 3982 - Normalize log messages and levels.
- Bug 3888 - Add LDAPLog directive to mod_ldap.
- Bug 3982 - Normalize log messages and levels.
- Bug 3986 - Support filesystems which do not support chmod(2)/chown(2),
e.g. FAT/ExFAT.
- Bug 3991 - SSL session caching modules use incorrect OpenSSL cache mode flags,
breaking session caching.
- Bug 3987 - LogFormat variable for just the filename.
- Bug 3965 - Timeout directives have inconsistent maximum values.
- Bug 3998 - Support IgnoreSCPUploadTimes SFTPOption.
- Bug 3995 - ftpasswd utility should prevent concurrent modification of files.
- Bug 3994 - ftpasswd utility should support --lock/--unlock options.
- Bug 3970 - ProFTPD should not use fd 2 (stderr) for files.
- Bug 3772 - Support Elliptic Curve Cryptography (ECC) certs for
FTPS connections.
- Bug 3992 - RSA signature issue when connecting using PuTTY/WinSCP.
- Bug 3996 - Handling ALLO command can result in wrong response when chrooted.
- Bug 3876 - ExecOnEvent should be configurable per <VirtualHost>/<Global>.
- Bug 4001 - mod_sftp fails key exchange for 8192-bit DH group.
- Bug 4002 - Add 7680-bit DH parameter to mod_sftp bundled dhparams.pem file.
A 3072-bit DH group was also added.
- Bug 4004 - IgnoreSCPUploadPerms SFTPOption not honored properly for SCP
directory upload.
- Bug 4006 - RADIUS "service-type" attribute encoded with wrong length on
64-bit system.
- Bug 4011 - NLST ../ shows current directory contents rather than parent
directory.
- Bug 4013 - SCP upload of shorter file does not completely overwrite existing
file of same name.
- Bug 4014 - CommandBufferSize should override PR_DEFAULT_CMD_BUFSZ.
1.3.5rc3 - Released 14-Jun-2013
--------------------------------
- Bug 3910 - Clang's scan-build warns on set[u][g]id unchecked return value.
- Bug 3914 - 1.3.5rc2 fails to build on Solaris 10.
- Bug 3917 - Make DeleteAbortedStores on by default when HiddenStores enabled.
- Bug 3918 - mod_sftp segfault after SIGHUP when evaluating client banner.
- Bug 3864 - Support SQL query to lookup/use primary key for logged-in
user/group.
- Bug 3920 - Support umac-64@openssh.com digest for mod_sftp.
- Bug 3921 - Single failed keyboard-interactive login attempt causes SSH
connection to close prematurely.
- Bug 3923 - mod_cap does not revoke root privileges properly for SFTP
connections.
- Bug 3926 - Support OpenSSH fsync SFTP extension.
- Bug 3925 - SFTP directory listings are sensitive to locale environment
variables.
- Bug 3924 - HideFiles does not filter symlinks.
- Bug 3929 - pam_session_close() requires root privs on some platforms.
- Bug 3932 - SQLAuthType Backend returns "password mismatch" for MySQL
PASSWORD().
- Bug 3934 - HideUser/HideGroup do not work as expected for virtual users.
- Bug 3935 - scp download of nonexistent file results in client hang.
- Bug 3927 - Default ControlsSocket created despite custom ControlsSocket path.
- Bug 3937 - Segfault when retrieving SSH public key from LDAP directory.
- Added new mod_snmp contrib module.
- Bug 3939 - Disable Controls for "ServerType inetd" servers.
- Bug 3942 - mod_sftp_sql should support multiple keys concatenated together
in a single column.
- Bug 3943 - Support for PBKDF2 passwords in mod_sql_passwd.
- Bug 3941 - RLimitProcesses causes problems with setuid/setreuid.
1.3.5rc2 - Released 06-Mar-2013
--------------------------------
- Bug 3859 - MLSD fails to show symlinks when ShowSymlinks is not configured.
- Bug 3860 - Add a default deny option for mod_geoip.
- Bug 3862 - Support for FTPS-specific MasqueradeAddress functionality. A
new TLSMasqueradeAddress directive has been added to mod_tls.
- Bug 3863 - mod_sftp does not handle MaxLoginAttempts properly.
- Bug 3865 - BanEngine not set in "server config" results in "mod_ban not
enabled" ftpdctl error.
- Bug 3866 - Issuing invalid 'ftpdctl ban' request causes segfault.
- Bug 3867 - ftpasswd fails with "Permission denied" when adding subsequent
passwd/group entries.
- Bug 3868 - Only first DH param in TLSDHParamFile is used, regardless of
requested keylength.
- Bug 3870 - Handling of OPTS command can lead to crash.
- Bug 3779 - Generate new DH parameters for mod_tls and mod_sftp.
- Bug 3871 - REALPATH SFTP request not properly handled by <Limit DIRS>
configuration.
- Bug 3872 - Use HiddenStores directive to customise suffix.
- Bug 3873 - Provide FTP response code in ExtendedLog for failed SFTP REMOVE
request.
- Bug 3869 - Use longer SSL session cache expiration by default.
- Bug 3874 - Use of O_EXCL flag on HiddenStores files might break for NFS
filesystems.
- Bug 3878 - QuotaExcludeFilter not honored for uploads when 'hard' limits are
used.
- Bug 3879 - Allow additional columns in SQLNamedQuery queries used for quota
limits and tallies.
- Bug 3882 - DisplayLogin with an absolute path does not work properly within
an <IfGroup> section.
- Added new mod_log_forensic contrib module.
- Bug 3881 - <Directory> sections within <IfGroup> sections not applied as
expected.
- Bug 3884 - Configure script not detecting MySQL make_scrambled_password
functions.
- Bug 3887 - <Limit ALL> erroneously blocks the PROT command used for FTPS.
- Bug 3819 - Second and subsequent LIST of directory with many files is very
slow.
- Bug 3889 - Support millisecond timestamp LogFormat variable.
- Bug 3891 - Allow TLSProtocol directive in <VirtualHost> and <Global> sections.
- Bug 3753 - Support SFTP request names in <Limit> sections better.
- Bug 3892 - mod_auth_file should have strict permission checks of configured
files.
- Bug 3893 - Add SQLLogOnEvent directive, for performing SQL query on
configurable event.
- Bug 3894 - ftptop doesn't work with --enable-nls.
- Bug 3895 - Missing TransferLog entry under some out-of-space conditions.
- Bug 3897 - mod_sftp does not handle a REALPATH request properly for SFTP
protocol version 6.
- Bug 3896 - Warn when world-writable config files are used.
- Bug 3899 - Support authentication of users based on SSL/TLS client
certificate.
- Bug 3903 - With mod_log_forensic enabled, SSH connections fail randomly.
- Bug 3905 - Handle the Linux-specific PAM_RADIO_TYPE message properly.
- Bug 3709 - Support download-triggered emails in the ftpmail script.
- Bug 3904 - scp downloads using glob pattern sometimes fails.
- Bug 3900 - ProFTPD terminating (signal 11) on some sftp connections.
- Bug 3906 - Support ban rule for clients which perform SSL/TLS handshakes too
frequently.
1.3.5rc1 - Released 04-Jan-2013
--------------------------------
- Bug 3712 - mod_wrap2/mod_load build errors: missing config.h.
- Bug 3713 - mod_tls cannot be compiled using OpenSSL 0.9.6.
- Bug 3646 - Debug logging to stderr should include timestamps and PID.
- Bug 3714 - ftpwho/ftptop are not showing command arguments (e.g. downloaded
file name).
- Bug 3715 - MLSD/MLST fail when "DirFakeUser off" or "DirFakeGroup off" used.
- Bug 3717 - proftpd fails to run with "Abort trap" error message.
- Bug 3719 - LIST -R can loop endlessly if bad directory symlink exists.
- Bug 3720 - Various module logfile permissions are 0600 instead of 0640.
- Bug 3723 - mod_memcache segfault on server restart.
- Bug 3721 - mod_rewrite does not replace characters if there are more than
8 occurrences. To handle this situation, a new RewriteMaxReplace directive
has been added for configuring this limit.
- Bug 3724 - Unloading mod_quotatab causes segfault.
- Bug 3686 - Support SHA2 digests in mod_sftp. See the SFTPDigests directive
documentation for more information.
- Bug 3629 - Support <IfAuthenticated> conditional config section.
- Bug 3682 - Configure does not detect libiconv under Gentoo FreeBSD.
- Bug 3726 - mod_exec does not always capture stdout/stderr output from
executed command.
- Bug 3727 - mod_wrap2 causes unexpected LogFormat %u expansion for SFTP
connections.
- Bug 3729 - mod_ldap can segfault when LDAPUsers is used with no optional
filters.
- Bug 3728 - Build failure in wtmp.c on Gentoo/FreeBSD on sparc.
- Bug 3734 - DirFakeUser/DirFakeGroup off with name causes SIGSEGV for
MLSD/MLST commands.
- Bug 3739 - Allow for configurable SSH version identifiers in mod_sftp. The
SSH version identifier can now be configured for mod_sftp via the
ServerIdent directive.
- Bug 3718 - ftptop fails to build on OpenSUSE.
- Bug 3699 - ProFTPD crash on start up on Mac OSX Lion with NLS enabled.
- Bug 3744 - Support ls(1) -1 option for LIST command.
- Bug 3746 - Support applying ListOptions only to NLST or to LIST commands.
- Bug 3747 - Support option for displaying symlinks via MLSD using syntax
preferred by FileZilla. The new FactsOptions directive can be used for
this purpose.
- Bug 3745 - Reject PASV command if no IPv4 address available.
- Bug 3701 - Modify ScoreboardFile directive to support disabling scoreboarding.
- Bug 3742 - Improper handling of self-signed certificate in client-sent cert
list when "TLSVerifyClient on" is used.
- Bug 3749 - Compile of src/netacl.c fails on Tru64 UNIX (OSF/1) due to
conflict with system header.
- Bug 3743 - Random stalls/segfaults seen when transferring large files
via SFTP.
- Bug 3752 - proftpd process exit status is zero for "Failed binding to
address, port N: Address already in use" startup failure.
- Bug 3751 - mod_ban does not close/reopen the BanLog/BanTable file descriptors
on restart, causing a file descriptor leak.
- Bug 3707 - Add request/transfer ID to the logging of the initial and closing
commands for SFTP file transfers. This can now be accomplished using a
LogFormat variable of '%{note:sftp.file-handle}'.
- Bug 3757 - Support SFTPOption for ignoring requests to modify file ownership.
- Bug 3756 - mod_ctrls no longer listens on ControlsSocket after restart.
- Bug 3731 - Support active data transfers while RootRevoke is in effect.
- Bug 3737 - Allow UTF8 when UseEncoding is used.
- Bug 3573 - Support Elliptic Curve Cryptography (ECC) in SSH.
- Bug 3758 - ProFTPD crashes when handling mod_gss authentication due to null
pointer.
- Ability to load SSH host keys from an SSH agent, in addition to files on
disk. See doc/contrib/mod_sftp.html#SFTPHostKey for more information.
- Bug 3761 - SSH2 key exchange fails if client sends certain SSH message before
NEWKEYS.
- Bug 3763 - Ensure that mod_sftp operates properly when OpenSSL FIPS mode is
enabled.
- Bug 3764 - mod_sftp does not correctly handle a 'guess' KEX message when the
client guesses correctly.
- Bug 3765 - mod_sftp should honor the GroupOwner directive for MKDIR requests.
- Bug 3626 - Display variable %f off by a factor of 1024 on 64-bit platforms.
- Bug 3673 - Support date/timestamp variables in mod_rewrite.
- Bug 3754 - ProFTPD refuses to delete/rename a symlink pointing outside a
writable directory.
- Bug 3766 - Support a QuotaDefault directive, for configuring default limits.
- Bug 3767 - mod_rewrite segfault when handling SITE CHGRP without a parameter.
- Bug 3768 - ExecTimeout 0 (zero) not treated as infinite.
- Added new mod_geoip contrib module.
- Bug 3769 - Ensure that encoded strings are NUL-terminated.
- Bug 3732 - AIX build error: undefined symbol: .alloca.
- Bug 3782 - SQLShowInfo does not work properly for error responses.
- Bug 3780 - AIX gives "error setting listen fd IP_TOS: Invalid argument".
- Bug 3736 - Trying to re-authenticate an existing FTP connection causes invalid
503 response.
- Bug 3785 - Support resolution of tilde (~) within a chrooted session.
- Bug 3787 - Read-only SFTP OPEN request permissions not properly ignored.
- Bug 3740 - Overwrite permission denied when reloading multiple times and
multiple <VirtualHost> sections in proftpd.conf.
- Bug 3791 - Invalid handling of SCP control messages fragmented over multiple
SSH packets.
- Bug 3794 - Cygwin build failure in lib/tpl.c due to wrong include of mman.h.
- Bug 3795 - ProFTPD needs to use -pthread linker option if linking against
OpenSSL with thread support.
- Bug 3790 - Logfile timestamps change to GMT after MFMT command.
- Bug 3798 - Downloading nonexistent file via SCP results in timeout rather
than error.
- Bug 3800 - Multiple *Options directives should be handled properly.
- Bug 3801 - mod_tls should have directive like Apache mod_ssl's
SSLHonorCipherOrder. The mod_tls module now supports a
TLSServerCipherPreference directive.
- Bug 3804 - ioctl(RPROTDIS) code no longer needed on Solaris 11.
- Bug 3808 - Segfault in mod_tls when mod_tls_shmcache used.
- Bug 3809 - Segfaults in mod_radius when configured with RadiusGroupInfo.
- Bug 3811 - ExtendedLog entries not written if MaxClients limit reached.
- Bug 3814 - Support "configtest" command for contrib init.d script.
- Bug 3816 - Installation of ftpasswd does not honor DESTDIR environment
variable.
- Bug 3813 - Ability to use CreateHome to create parent directories as
non-root user, for better interoperability with NFS.
- Bug 3806 - Support reverse DNS resolution for IPv6 addresses when
gethostbyname2(3) is not available.
- Bug 3820 - Support device/interface names in <VirtualHost>, MasqueradeAddress,
and DefaultAddress.
- Bug 3822 - Resolving %U/%u LogFormat variables inconsistent between
mod_log/mod_sql in certain cases.
- Bug 3824 - Use RFC compliant address/port for data transfer if FTP client has
not sent PORT/PASV/EPRT/EPSV commands.
- Bug 3825 - Handle RFC 1918 IP addresses in PORT/EPRT commands.
- Bug 3827 - Use non-filesystem based SFTP handle generator instead of
mktemp(3).
- Bug 3828 - Certain sequences of FTP data transfer commands lead to NULL
pointer dereferences in mod_deflate.
- Bug 3830 - MFF/MFMT command segfaults due to insufficient parameter checks.
- Bug 3829 - RNFR without following RNTO can lead to NULL pointer dereference.
- Bug 3832 - Support disabling of system logging on per-connection basis.
- Bug 3792 - Recursive SCP uploads using preserve-time (-p) option may not work.
- Bug 3831 - Sporadic "451 Insufficient memory or file locked" failure when
downloading.
- Bug 3833 - Enable TCP keepalive by default, with configurable SocketOption.
- Bug 3837 - mod_tls unable to read certificate files after SIGHUP.
- Bug 3842 - Incorrect handling of REALPATH requests for symlink paths in
mod_sftp.
- Bug 3843 - ProFTPD should not fail when starting up due to loading same
module multiple times.
- Bug 3845 - mod_sftp does not provide response codes for %s LogFormat variable
for AUTH ExtendedLog.
- Bug 3846 - Avoid scanning ScoreboardFile needlessly on login if limits are
not configured.
- Bug 3850 - ftpasswd should support generating SHA-256, SHA-512 hashes where
possible.
- Bug 3851 - SFTPPassPhraseProvider fails due to incorrect pointer.
- Bug 3852 - Support directive for ignoring symlink DefaultRoot directories.
See the new AllowChrootSymlinks directive.
- Bug 3839 - Enhance mod_cap to support dropping root privs entirely.
- Bug 3841 - Possible symlink race when applying UserOwner to newly created
directory.
- Bug 3855 - Restarting proftpd may cause Include files not to be parsed.
2015-07-13 17:39:27 +02:00
include/proftpd/utf8.h
2006-12-14 12:19:46 +01:00
include/proftpd/var.h
include/proftpd/version.h
include/proftpd/xferlog.h
2008-10-03 08:52:03 +02:00
lib/pkgconfig/proftpd.pc
Package ProFTPD using DSO (Dynamic Shared Objects) support.
This is preferable for binary package use as it allows the user to choose
which features to enable by changing the configuration file instead of
recompiling. This is also how ProFTPD is usually packaged in other systems.
For details about ProFTPD and DSO see:
http://www.proftpd.org/docs/howto/DSO.html
This change removes the following PKG_OPTIONS.proftpd:
ban, ldap, mysql, pgsql, proftpd-readme, quota, tls and wrap
The modules that were previously compiled when enabling ban, proftpd-readme,
quota or tls are now always included. To load them use a configuration
directive like:
LoadModule mod_ban.c
In addition the proftpd package includes by default many other modules that
were previously unavailable like: mod_load, mod_radius, mod_sftp and more.
The module that was provided by the wrap option is replaced by the wrap2 module
which is also always included.
The ldap option is superseded by the proftpd-ldap package.
The mysql option is superseded by the proftpd-mysql package.
The pgsql option is superseded by the proftpd-postgresql package.
Using proftpd-postgresql will create one binary package for each PostgreSQL
version in pkgsrc.
In addition the following added packages provide new functionality:
- proftpd-geoip (access GeoIP details)
- proftpd-memcached (mod_memcache and mod_tls_memcache)
- proftpd-odbc (access any ODBC database)
- proftpd-sqlite (access to sqlite3)
2015-09-25 12:01:36 +02:00
libexec/proftpd/mod_ban.la
libexec/proftpd/mod_copy.la
libexec/proftpd/mod_ctrls_admin.la
libexec/proftpd/mod_deflate.la
libexec/proftpd/mod_dnsbl.la
libexec/proftpd/mod_dynmasq.la
libexec/proftpd/mod_exec.la
libexec/proftpd/mod_ifsession.la
libexec/proftpd/mod_ifversion.la
libexec/proftpd/mod_load.la
libexec/proftpd/mod_qos.la
libexec/proftpd/mod_quotatab.la
libexec/proftpd/mod_quotatab_file.la
libexec/proftpd/mod_quotatab_radius.la
libexec/proftpd/mod_quotatab_sql.la
libexec/proftpd/mod_radius.la
libexec/proftpd/mod_ratio.la
libexec/proftpd/mod_readme.la
libexec/proftpd/mod_rewrite.la
libexec/proftpd/mod_sftp.la
${PLIST.pam}libexec/proftpd/mod_sftp_pam.la
libexec/proftpd/mod_sftp_sql.la
libexec/proftpd/mod_shaper.la
libexec/proftpd/mod_site_misc.la
libexec/proftpd/mod_sql.la
libexec/proftpd/mod_sql_passwd.la
libexec/proftpd/mod_tls.la
libexec/proftpd/mod_tls_shmcache.la
libexec/proftpd/mod_unique_id.la
libexec/proftpd/mod_wrap2.la
libexec/proftpd/mod_wrap2_file.la
libexec/proftpd/mod_wrap2_sql.la
2013-03-15 14:34:32 +01:00
man/man1/ftpasswd.1
2001-10-22 16:26:45 +02:00
man/man1/ftpcount.1
2013-03-15 14:34:32 +01:00
man/man1/ftpmail.1
man/man1/ftpquota.1
2003-12-07 14:53:34 +01:00
man/man1/ftptop.1
2001-10-22 16:26:45 +02:00
man/man1/ftpwho.1
Update to version 1.3.5a.
Pkgsrc changes:
* adapt one patch to changes upstream.
* adapt PLIST to newly installed files.
* rename and adapt patch to Makefile.in.
Upstream changes:
1.3.5a - Released 27-May-2015
--------------------------------
- Bug 4055 - "error setting listen fd IPV6_TCLASS: Protocol not available" log
message.
- Bug 3944 - Session closed if active data transfer fails due to "Address
already in use" error.
- Bug 4068 - MaxClients directive doesn't work for <Anonymous> sessions.
- Bug 4069 - NLST -a shows / directory instead of the current directory.
- Bug 4063 - Unable to create directory on NFS/CIFS partition: Permission
denied.
- Bug 4073 - Polycom VOIP phones unable to use FTPS data transfers.
- Bug 4077 - ShaperLog not closed/reopened on SIGHUP, causing log rotation
problems.
- Bug 4079 - Invalid response encoding for SFTP space-available request.
- Bug 4083 - Using SQLDefaultHomedir with null home results in "No such user".
- Bug 4087 - mod_sftp does not handle "MaxLoginAttempts none" properly.
- Bug 4089 - mod_sftp does not allow multiple attempts using a given
authentication method.
- Bug 4090 - mod_wrap2_file does not support IPv6 addresses properly.
- Bug 4091 - Log "Operation not permitted" privs errors at NOTICE rather than
ERROR.
- Bug 4094 - Available space on file system using %f displays wrong value.
- Bug 4108 - SSL handshakes for data connections sometimes stall for 3-30
seconds.
- Bug 4109 - setsockopt() call for IPV6_TCLASS should use IPPROTO_IPV6.
- Bug 4112 - Failure to connect using mod_sftp sometimes due to too-small
buffers.
- Bug 4114 - mod_tls should not support SSLv3 by default.
- Bug 4116 - Report exact SSL/TLS protocol version used in client connections.
- Bug 4124 - DeleteAbortedStores defaults to "on" for all transfers, not just
HiddenStores.
- Bug 4129 - mod_sql caches incorrect UID/GID when name cannot be retrieved.
- Bug 4131 - mod_sftp's autoconf script does not detect OpenSSL SHA2 support.
- Bug 4133 - LDAPUsers directive does not honor uid-number-filter-template
parameter.
- Bug 4137 - GeoIPDenyFilter incorrectly takes precedence over GeoIPAllowFilter.
- Bug 4140 - SFTP READLINK requests to symlinks to directories fail.
- Bug 4143 - HTTPS/FTPS protocol confusion leads to XSS.
- Bug 4145 - Segfault if AuthUserFile is a relative symlink.
- Bug 4152 - Reduce logging of non-fatal "unable to open incoming connection"
errors.
- Bug 4155 - SSH keys with too-long Comment headers aren't recognized by
mod_sftp_sql.
- Bug 4156 - Segfault handling LIST/NLST FTP command on Mac OS X.
- Bug 4160 - Malformed response to SSH_FXP_REALPATH with SFTP version 6.
- Bug 4169 - Unauthenticated copying of files via SITE CPFR/CPTO allowed by
mod_copy.
- Bug 4178 - TLS session reuse requirement for data connections not properly
enforced.
1.3.5 - Released 15-May-2014
--------------------------------
- Bug 4018 - Implement checks for sensitive directories when chrooted.
- Bug 4022 - "Directory not empty" error when creating directory is misleading.
- Bug 4025 - <IfClass> sections do not work for multiple SQLLog directives.
- Bug 4029 - TLSOptions EnableDiags logs "unknown version (771)" for
TLS 1.1/1.2 connections.
- Bug 3938 - mod_wrap2 uses reverse DNS regardless "UseReverseDNS off".
- Bug 4032 - Restarting proftpd with mod_sftp fails due to permissions on
SFTPHostKey file.
- Bug 4033 - mod_sftp fails to create SSH2 session using 'none' cipher.
- Bug 4034 - SSH publickey authentication fails with "MaxLoginAttempts 1".
- Bug 4024 - TLS 1.1/1.2 configurable, but not properly implemented.
- Bug 4046 - ALLO command failed because of bad size check.
- Bug 4048 - Race condition in mod_ban can lead to segfault of all new
connections.
- Bug 4049 - mod_exec should include supplemental groups when running commands
as logged-in user.
- Bug 4042 - MIC command between RNFR and RNTO should not be rejected.
- Bug 4044 - mod_facl prevents a normal SIGHUP reload.
- Bug 4052 - Enhance SQLPasswordPBKDF2 to support per-user query for settings.
1.3.5rc4 - Released 28-Jan-2014
--------------------------------
- Bug 3945 - Spurious log messages at session close.
- Bug 3946 - Null pointer dereference causes segfault when logging
%{transfer-status}, %{transfer-failure} LogFormat variables on EXIT.
- Bug 3947 - LogFormat %f variable not resolved properly for SFTP renames.
- Bug 3950 - LogFormat %d/%D variables not resolved properly for directory
listings.
- Bug 3949 - RNFR/RNTO not logged as expected for SFTP EXTENDED
posix-rename@openssh.com requests.
- Bug 3948 - Support FTP response codes in ExtendedLog for SFTP data transfers.
- Bug 3858 - mod_delay allows too-large values, leading to client hang on
authentication.
- Bug 3951 - Null pointer dereference for mod_ldap logins when
LDAPDefaultAuthScheme not configured.
- Bug 3954 - scp downloads result in segfault.
- Bug 3957 - ProFTPD configuration with thousands of <Directory>/<Limit>
sections leads to slow logins.
- Bug 3959 - mod_sftp does not honor <Directory>/<Limit> sections when symlinks
are involved.
- Bug 3958 - Directory creation does not honor single-parameter Umask setting.
- Bug 3960 - Support the CAP_FSETID Linux capability, for preserving directory
SGID bit.
- Bug 3962 - Directory creation fails (chmod(2) EPERM) when root privs are used
in some cases.
- Bug 3955 - Support secure FXP (site-to-site) transfers using SSCN.
- Bug 3966 - LogFormat %f variable not resolved for some commands.
- Bug 3971 - Support SQLOption for ignoring client library config files when
needed.
- Bug 3972 - Authentication error on Cygwin due to bad code.
- Bug 3973 - mod_sftp can be forced to allocate too much memory for
keyboard-interactive authentication.
- Bug 3974 - PathDenyFilter directive does not work as expected for SFTP
sessions.
- Bug 3963 - Improve permission setting when creating directories.
- Bug 3975 - Error printed to stderr when loading GeoIP Lite country database
using IndexCache flag.
- Bug 3976 - ProFTPD terminating (signal 11) crash for GeoLiteCity-20130903
database lookup.
- Bug 3964 - Support running ExecOnEvent actions with logged-in user's
permissions.
- Bug 3979 - mod_sql_odbc compiler warnings on 64-bit systems using unixODBC.
- Bug 3952 - Make PersistentPasswd default to 'off'.
- Bug 3981 - Null pointer dereference in mod_exec with ExecOption useStdin.
- Bug 3982 - Normalize log messages and levels.
- Bug 3888 - Add LDAPLog directive to mod_ldap.
- Bug 3982 - Normalize log messages and levels.
- Bug 3986 - Support filesystems which do not support chmod(2)/chown(2),
e.g. FAT/ExFAT.
- Bug 3991 - SSL session caching modules use incorrect OpenSSL cache mode flags,
breaking session caching.
- Bug 3987 - LogFormat variable for just the filename.
- Bug 3965 - Timeout directives have inconsistent maximum values.
- Bug 3998 - Support IgnoreSCPUploadTimes SFTPOption.
- Bug 3995 - ftpasswd utility should prevent concurrent modification of files.
- Bug 3994 - ftpasswd utility should support --lock/--unlock options.
- Bug 3970 - ProFTPD should not use fd 2 (stderr) for files.
- Bug 3772 - Support Elliptic Curve Cryptography (ECC) certs for
FTPS connections.
- Bug 3992 - RSA signature issue when connecting using PuTTY/WinSCP.
- Bug 3996 - Handling ALLO command can result in wrong response when chrooted.
- Bug 3876 - ExecOnEvent should be configurable per <VirtualHost>/<Global>.
- Bug 4001 - mod_sftp fails key exchange for 8192-bit DH group.
- Bug 4002 - Add 7680-bit DH parameter to mod_sftp bundled dhparams.pem file.
A 3072-bit DH group was also added.
- Bug 4004 - IgnoreSCPUploadPerms SFTPOption not honored properly for SCP
directory upload.
- Bug 4006 - RADIUS "service-type" attribute encoded with wrong length on
64-bit system.
- Bug 4011 - NLST ../ shows current directory contents rather than parent
directory.
- Bug 4013 - SCP upload of shorter file does not completely overwrite existing
file of same name.
- Bug 4014 - CommandBufferSize should override PR_DEFAULT_CMD_BUFSZ.
1.3.5rc3 - Released 14-Jun-2013
--------------------------------
- Bug 3910 - Clang's scan-build warns on set[u][g]id unchecked return value.
- Bug 3914 - 1.3.5rc2 fails to build on Solaris 10.
- Bug 3917 - Make DeleteAbortedStores on by default when HiddenStores enabled.
- Bug 3918 - mod_sftp segfault after SIGHUP when evaluating client banner.
- Bug 3864 - Support SQL query to lookup/use primary key for logged-in
user/group.
- Bug 3920 - Support umac-64@openssh.com digest for mod_sftp.
- Bug 3921 - Single failed keyboard-interactive login attempt causes SSH
connection to close prematurely.
- Bug 3923 - mod_cap does not revoke root privileges properly for SFTP
connections.
- Bug 3926 - Support OpenSSH fsync SFTP extension.
- Bug 3925 - SFTP directory listings are sensitive to locale environment
variables.
- Bug 3924 - HideFiles does not filter symlinks.
- Bug 3929 - pam_session_close() requires root privs on some platforms.
- Bug 3932 - SQLAuthType Backend returns "password mismatch" for MySQL
PASSWORD().
- Bug 3934 - HideUser/HideGroup do not work as expected for virtual users.
- Bug 3935 - scp download of nonexistent file results in client hang.
- Bug 3927 - Default ControlsSocket created despite custom ControlsSocket path.
- Bug 3937 - Segfault when retrieving SSH public key from LDAP directory.
- Added new mod_snmp contrib module.
- Bug 3939 - Disable Controls for "ServerType inetd" servers.
- Bug 3942 - mod_sftp_sql should support multiple keys concatenated together
in a single column.
- Bug 3943 - Support for PBKDF2 passwords in mod_sql_passwd.
- Bug 3941 - RLimitProcesses causes problems with setuid/setreuid.
1.3.5rc2 - Released 06-Mar-2013
--------------------------------
- Bug 3859 - MLSD fails to show symlinks when ShowSymlinks is not configured.
- Bug 3860 - Add a default deny option for mod_geoip.
- Bug 3862 - Support for FTPS-specific MasqueradeAddress functionality. A
new TLSMasqueradeAddress directive has been added to mod_tls.
- Bug 3863 - mod_sftp does not handle MaxLoginAttempts properly.
- Bug 3865 - BanEngine not set in "server config" results in "mod_ban not
enabled" ftpdctl error.
- Bug 3866 - Issuing invalid 'ftpdctl ban' request causes segfault.
- Bug 3867 - ftpasswd fails with "Permission denied" when adding subsequent
passwd/group entries.
- Bug 3868 - Only first DH param in TLSDHParamFile is used, regardless of
requested keylength.
- Bug 3870 - Handling of OPTS command can lead to crash.
- Bug 3779 - Generate new DH parameters for mod_tls and mod_sftp.
- Bug 3871 - REALPATH SFTP request not properly handled by <Limit DIRS>
configuration.
- Bug 3872 - Use HiddenStores directive to customise suffix.
- Bug 3873 - Provide FTP response code in ExtendedLog for failed SFTP REMOVE
request.
- Bug 3869 - Use longer SSL session cache expiration by default.
- Bug 3874 - Use of O_EXCL flag on HiddenStores files might break for NFS
filesystems.
- Bug 3878 - QuotaExcludeFilter not honored for uploads when 'hard' limits are
used.
- Bug 3879 - Allow additional columns in SQLNamedQuery queries used for quota
limits and tallies.
- Bug 3882 - DisplayLogin with an absolute path does not work properly within
an <IfGroup> section.
- Added new mod_log_forensic contrib module.
- Bug 3881 - <Directory> sections within <IfGroup> sections not applied as
expected.
- Bug 3884 - Configure script not detecting MySQL make_scrambled_password
functions.
- Bug 3887 - <Limit ALL> erroneously blocks the PROT command used for FTPS.
- Bug 3819 - Second and subsequent LIST of directory with many files is very
slow.
- Bug 3889 - Support millisecond timestamp LogFormat variable.
- Bug 3891 - Allow TLSProtocol directive in <VirtualHost> and <Global> sections.
- Bug 3753 - Support SFTP request names in <Limit> sections better.
- Bug 3892 - mod_auth_file should have strict permission checks of configured
files.
- Bug 3893 - Add SQLLogOnEvent directive, for performing SQL query on
configurable event.
- Bug 3894 - ftptop doesn't work with --enable-nls.
- Bug 3895 - Missing TransferLog entry under some out-of-space conditions.
- Bug 3897 - mod_sftp does not handle a REALPATH request properly for SFTP
protocol version 6.
- Bug 3896 - Warn when world-writable config files are used.
- Bug 3899 - Support authentication of users based on SSL/TLS client
certificate.
- Bug 3903 - With mod_log_forensic enabled, SSH connections fail randomly.
- Bug 3905 - Handle the Linux-specific PAM_RADIO_TYPE message properly.
- Bug 3709 - Support download-triggered emails in the ftpmail script.
- Bug 3904 - scp downloads using glob pattern sometimes fails.
- Bug 3900 - ProFTPD terminating (signal 11) on some sftp connections.
- Bug 3906 - Support ban rule for clients which perform SSL/TLS handshakes too
frequently.
1.3.5rc1 - Released 04-Jan-2013
--------------------------------
- Bug 3712 - mod_wrap2/mod_load build errors: missing config.h.
- Bug 3713 - mod_tls cannot be compiled using Openssl 0.9.6.
- Bug 3646 - Debug logging to stderr should include timestamps and PID.
- Bug 3714 - ftpwho/ftptop are not showing command arguments (e.g. downloaded
file name).
- Bug 3715 - MLSD/MLST fail when "DirFakeUser off" or "DirFakeGroup off" used.
- Bug 3717 - proftpd fails to run with "Abort trap" error message.
- Bug 3719 - LIST -R can loop endlessly if bad directory symlink exists.
- Bug 3720 - Various module logfile permissions are 0600 instead of 0640.
- Bug 3723 - mod_memcache segfault on server restart.
- Bug 3721 - mod_rewrite does not replace characters if there are more than
8 occurrences. To handle this situation, a new RewriteMaxReplace directive
has been added for configuring this limit.
- Bug 3724 - Unloading mod_quotatab causes segfault.
- Bug 3686 - Support SHA2 digests in mod_sftp. See the SFTPDigests directive
documentation for more information.
- Bug 3629 - Support <IfAuthenticated> conditional config section.
- Bug 3682 - Configure does not detect libiconv under Gentoo FreeBSD.
- Bug 3726 - mod_exec does not always capture stdout/stderr output from
executed command.
- Bug 3727 - mod_wrap2 causes unexpected LogFormat %u expansion for SFTP
connections.
- Bug 3729 - mod_ldap can segfault when LDAPUsers is used with no optional
filters.
- Bug 3728 - Build failure in wtmp.c on Gentoo/FreeBSD on sparc.
- Bug 3734 - DirFakeUser/DirFakeGroup off with name causes SIGSEGV for
MLSD/MLST commands.
- Bug 3739 - Allow for configurable SSH version identifiers in mod_sftp. The
SSH version identifier can now be configured for mod_sftp via the
ServerIdent directive.
- Bug 3718 - ftptop fails to build on OpenSUSE.
- Bug 3699 - ProFTPD crash on start up on Mac OSX Lion with NLS enabled.
- Bug 3744 - Support ls(1) -1 option for LIST command.
- Bug 3746 - Support applying ListOptions only to NLST or to LIST commands.
- Bug 3747 - Support option for displaying symlinks via MLSD using syntax
preferred by FileZilla. The new FactsOptions directive can be used for
this purpose.
- Bug 3745 - Reject PASV command if no IPv4 address available.
- Bug 3701 - Modify ScoreboardFile directive to support disabling scoreboarding.
- Bug 3742 - Improper handling of self-signed certificate in client-sent cert
list when "TLSVerifyClient on" is used.
- Bug 3749 - Compile of src/netacl.c fails on Tru64 UNIX (OSF/1) due to
conflict with system header.
- Bug 3743 - Random stalls/segfaults seen when transferring large files
via SFTP.
- Bug 3752 - proftpd process exit status is zero for "Failed binding to
address, port N: Address already in use" startup failure.
- Bug 3751 - mod_ban does not close/reopen the BanLog/BanTable file descriptors
on restart, causing a file descriptor leak.
- Bug 3707 - Add request/transfer ID to the logging of the initial and closing
commands for SFTP file transfers. This can now be accomplished using a
LogFormat variable of '%{note:sftp.file-handle}'.
- Bug 3757 - Support SFTPOption for ignoring requests to modify file ownership.
- Bug 3756 - mod_ctrls no longer listens on ControlsSocket after restart.
- Bug 3731 - Support active data transfers while RootRevoke is in effect.
- Bug 3737 - Allow UTF8 when UseEncoding is used.
- Bug 3573 - Support Elliptic Curve Cryptography (ECC) in SSH.
- Bug 3758 - ProFTPD crashes when handling mod_gss authentication due to null
pointer.
- Ability to load SSH host keys from an SSH agent, in addition to files on
disk. See doc/contrib/mod_sftp.html#SFTPHostKey for more information.
- Bug 3761 - SSH2 key exchange fails if client sends certain SSH message before
NEWKEYS.
- Bug 3763 - Ensure that mod_sftp operates properly when OpenSSL FIPS mode is
enabled.
- Bug 3764 - mod_sftp does not correctly handle a 'guess' KEX message when the
client guesses correctly.
- Bug 3765 - mod_sftp should honor the GroupOwner directive for MKDIR requests.
- Bug 3626 - Display variable %f off by a factor of 1024 on 64-bit platforms.
- Bug 3673 - Support date/timestamp variables in mod_rewrite.
- Bug 3754 - ProFTPD refuses to delete/rename a symlink pointing outside a
writable directory.
- Bug 3766 - Support a QuotaDefault directive, for configuring default limits.
- Bug 3767 - mod_rewrite segfault when handling SITE CHGRP without a parameter.
- Bug 3768 - ExecTimeout 0 (zero) not treated as infinite.
- Added new mod_geoip contrib module.
- Bug 3769 - Ensure that encoded strings are NUL-terminated.
- Bug 3732 - AIX build error: undefined symbol: .alloca.
- Bug 3782 - SQLShowInfo does not work properly for error responses.
- Bug 3780 - AIX gives "error setting listen fd IP_TOS: Invalid argument".
- Bug 3736 - Trying to re-authenticate an existing FTP connection causes invalid
503 response.
- Bug 3785 - Support resolution of tilde (~) within a chrooted session.
- Bug 3787 - Read-only SFTP OPEN request permissions not properly ignored.
- Bug 3740 - Overwrite permission denied when reloading multiple times and
multiple <VirtualHost> sections in proftpd.conf.
- Bug 3791 - Invalid handling of SCP control messages fragmented over multiple
SSH packets.
- Bug 3794 - Cygwin build failure in lib/tpl.c due to wrong include of mman.h.
- Bug 3795 - ProFTPD needs to use -pthread linker option if linking against
OpenSSL with thread support.
- Bug 3790 - Logfile timestamps change to GMT after MFMT command.
- Bug 3798 - Downloading nonexistent file via SCP results in timeout rather
than error.
- Bug 3800 - Multiple *Options directives should be handled properly.
- Bug 3801 - mod_tls should have directive like Apache mod_ssl's
SSLHonorCipherOrder. The mod_tls module now supports a
TLSServerCipherPreference directive.
- Bug 3804 - ioctl(RPROTDIS) code no longer needed on Solaris 11.
- Bug 3808 - Segfault in mod_tls when mod_tls_shmcache used.
- Bug 3809 - Segfaults in mod_radius when configured with RadiusGroupInfo.
- Bug 3811 - ExtendedLog entries not written if MaxClients limit reached.
- Bug 3814 - Support "configtest" command for contrib init.d script.
- Bug 3816 - Installation of ftpasswd does not honor DESTDIR environment
variable.
- Bug 3813 - Ability to use CreateHome to create parent directories as
non-root user, for better interoperability with NFS.
- Bug 3806 - Support reverse DNS resolution for IPv6 addresses when
gethostbyname2(3) is not available.
- Bug 3820 - Support device/interface names in <VirtualHost>, MasqueradeAddress,
and DefaultAddress.
- Bug 3822 - Resolving %U/%u LogFormat variables inconsistent between
mod_log/mod_sql in certain cases.
- Bug 3824 - Use RFC compliant address/port for data transfer if FTP client has
not sent PORT/PASV/EPRT/EPSV commands.
- Bug 3825 - Handle RFC 1918 IP addresses in PORT/EPRT commands.
- Bug 3827 - Use non-filesystem based SFTP handle generator instead of
mktemp(3).
- Bug 3828 - Certain sequences of FTP data transfer commands lead to NULL
pointer dereferences in mod_deflate.
- Bug 3830 - MFF/MFMT command segfaults due to insufficient parameter checks.
- Bug 3829 - RNFR without following RNTO can lead to NULL pointer dereference.
- Bug 3832 - Support disabling of system logging on per-connection basis.
- Bug 3792 - Recursive SCP uploads using preserve-time (-p) option may not work.
- Bug 3831 - Sporadic "451 Insufficient memory or file locked" failure when
downloading.
- Bug 3833 - Enable TCP keepalive by default, with configurable SocketOption.
- Bug 3837 - mod_tls unable to read certificate files after SIGHUP.
- Bug 3842 - Incorrect handling of REALPATH requests for symlink paths in
mod_sftp.
- Bug 3843 - ProFTPD should not fail when starting up due to loading same
module multiple times.
- Bug 3845 - mod_sftp does not provide response codes for %s LogFormat variable
for AUTH ExtendedLog.
- Bug 3846 - Avoid scanning ScoreboardFile needlessly on login if limits are
not configured.
- Bug 3850 - ftpasswd should support generating SHA-256, SHA-512 hashes where
possible.
- Bug 3851 - SFTPPassPhraseProvider fails due to incorrect pointer.
- Bug 3852 - Support directive for ignoring symlink DefaultRoot directories.
See the new AllowChrootSymlinks directive.
- Bug 3839 - Enhance mod_cap to support dropping root privs entirely.
- Bug 3841 - Possible symlink race when applying UserOwner to newly created
directory.
- Bug 3855 - Restarting proftpd may cause Include files not to be parsed.
2015-07-13 17:39:27 +02:00
man/man5/proftpd.conf.5
2001-10-22 16:26:45 +02:00
man/man5/xferlog.5
Update to version 1.2.10. From PR 27012 by pancake at phreaker dot net.
1.2.10 - Released 04-Sep-2004
--------------------------------
- Bug 2440 - Unable to use PAM authentication properly. Use a "*" after
the module name in an AuthOrder directive to indicate that an auth
module is authoritative.
- Bug 2441 - AIX5 portability bug with mod_auth_unix, mod_auth_file.
- Bug 2442 - Segfault in FreeBSD PAM library with long login names.
- Bug 2445 - AuthUserFile in <Global> context overrides <VirtualHost> setting.
- Bug 2444 - Use of sendfile() does not interoperate well with RFC2228
security mechanisms. Using sendfile(2) to send data bypasses the handling
of the data by RFC2228 security mechanisms (such as those provided by
mod_tls). So if security mechanisms are detected, do not use sendfile().
- Scrub the ScoreboardFile for stale sessions in inetd mode.
- Bug 2427 - proftpd gets a memory fault when run from ssh batch mode.
1.2.10rc3 - Released 13-Jul-2004
--------------------------------
- Fixed typo that prevented 1.2.10rc2 from compiling.
1.2.10rc2 - Released 13-Jul-2004
---------------------------------
- Bug 2396 - NLST command doesn't understand options. This was caused by
the solution for Bug 2322. However, it is not a popular solution, so
NLST will once again handle options, but only the relevant options.
- Bug 2034 - Add support for a "graceful shutdown" signal. See
contrib/mod_ctrls_admin.html#shutdown for details.
- Bug 2400 - <Class> search order is wrong. The documentation correctly
stated that <Class> sections are matched in order of definition, but the
code has the match order in the reverse order of definition.
- Bug 2401 - MaxClientsPerClass only checks first directive in config file.
- Bug 2399 - Rename start/stop control actions to up/down.
- Bug 2082 - Add mod_rewrite "replaceall" builtin function. See the
RewriteMap documentation for more details.
- Bug 2403 - Sending SIGHUP to proftpd stops it when using Classes. The fix
for Bug #2400 could result in an infinite loop during a SIGHUP.
- Bug 2405 - "LIST *" should not list dotfiles.
- Bug 2366 - Add support for -h list option.
- Bug 2332 - SO_OOBINLINE error after upgrading proftpd from 1.2.6 to 1.2.9.
This is due mostly to a change in the logging; a check for error values
and logging of them was added. The setting of this particular socket option
has been moved earlier in the session, as it was found that short-lived
TCP connections, as from monitoring systems, would cause this error.
- Bug 2407 - mod_auth_file does not allow for proper cascading of "end" and
"set" auth requests.
- Bug 2410 - CreateHome always copies skel directory.
- Bug 2336 - Use of /dev/log on Solaris leads to kernel memory leak.
ProFTPD's use of the /dev/log device on Solaris was tickling a Solaris
kernel bug that caused the Solaris kernel to leak memory.
- Added a TimeoutLinger directive to complement the --enable-timeout-linger
configure option.
- Bug 2125 - -vv command line switch should list versions of modules.
- Bug 2420 - Name field is not escaped before querying database.
The mod_quotatab module was not properly escaping the name string it
used when looking up records from SQL databases.
- Bug 2424 - SQLDefaultHomedir overrides column value.
- Bug 2411 - Caching effects cause RNTO to fail if AllowOverwrite is off and
target path does not exist.
- Bug 2422 - %v not working in SQLNamedQuery.
- Bug 2418 - chmod returns 550 with filename containing multiple spaces.
- Bug 2431 - mod_sql does not use UID/GID properly in cache lookups.
- Bug 2303 - Problem evaluating multiple <Class> rules.
- Bug 2419 - Ability to disable TLSRequired on per-user basis (e.g. for
anonymous logins).
- Bug 2438 - Display variable %z not expanded properly.
- Bug 2439 - <Limit CWD> doesn't work.
1.2.10rc1 - Released 28-Apr-2004
---------------------------------
- Bug 2135 - Add ability to handle passphrase-protected server keys. mod_tls
can now properly prompt for passphrases for protected server certificate
keys when the daemon is starting up.
- Bug 2086 - Add limits for PORT, PASV. This means that now one can use
<Limit> to place access controls on the PORT and PASV commands. This
applies to the EPRT and EPSV commands as well.
- Bug 2174 - mod_auth_unix should not act authoritatively. This was causing
problems when using mod_auth_unix.c and the AuthOrder configuration
directive.
- Bug 2098 - Added SetEnv and UnsetEnv configuration directives.
- Bug 2271 - Improper autoconf check for getaddrinfo() on Tru64 UNIX 5.1.
The getaddrinfo symbol is a macro, not a function, on that platform.
- Bug 2255 - RADIUS Service-Type should reflect attribute expectations.
- Added Event API.
- Bug 2272 - Address/port collision check needs to handle DefaultAddress.
- Bug 2072 - Add Controls API.
This API includes a new program, ftpdctl, that is used to communicate
directly with the proftpd daemon via a new core module, mod_ctrls. For
this new functionality to be used, proftpd must be configured using the
added --enable-ctrls option.
- Bug 2015 - Add AND, OR keywords to Allow/DenyUser directives.
The AllowUser, DenyUser, AllowGroup, and DenyGroup directives now take
an optional keyword that indicates what type of expression they are:
AND, OR, or regex. By default, AllowUser and DenyUser are OR expressions,
and AllowGroup and DenyGroup are AND expressions. For example:
AllowUser regex ^ftp
DenyUser AND dave,bob
AllowGroup OR web,doc
These demonstrate that the optional keyword modifier must be the first
parameter in the configuration directive.
- Bug 2046 - Change RNFR and RNTO logging class to WRITE. This means that
ExtendedLogs that use the WRITE logging class will now include the
RNFR and RNTO commands.
- Mac OS X 10.3 portability fixes.
- Bug 2274 - Default server only binds to one IP address of host if
the --enable-ipv6 configure option is used. ProFTPD will now properly
bind to all addresses for the default "server config" server.
- Bug 2048 - Add ability to get configuration file values from environment.
For example, you can now have the following in your proftpd.conf:
DefaultAddress %{env:PR_DEFAULT_ADDR}
which indicates to ProFTPD's configuration parser to get the value of
the PR_DEFAULT_ADDR environment variable, and substitute it in, e.g.:
PR_DEFAULT_ADDR=1.2.3.4 ./proftpd ...
If the indicated environment variable is not present, the value is
substituted with the empty string.
- Bug 1635 - Older systems' chown(1) does not support -h option. The solution
is to prevent this error from stopping the 'make install' process, as it
is a harmless error on such systems.
- Bug 2290 - gmtime() static storage may be overwritten by modules.
- Bug 2288 - ServerFQDN set to 255.255.255.255 and not hostname.
- Added mod_quotatab to the contrib area.
- Bug 2300 - poll() returns 1 and read returns 0, resulting in an infinite
loop. The actual bug was caused by a goto that was being inappropriately
used; a return value was not being checked to see if it was an error value.
- Bug 2305 - Compile Problems since > 1.2.9
Fix the build under Solaris - ftpdctl needs to be linked against libsocket
and libnsl.
- Bug 2267 - Broken IP subnet matching. Added new ACL parsing/matching code.
- Bug 2307 - MySQL 4.1.1 API change causes mod_sql_mysql compilation failure.
- Bug 2319 - Build scripts have owner-only execute permission. This was
causing problems whenever a user other than the owner of the files
attempted to build proftpd.
- Bug 2320 - autoconf check for socklen_t doesn't work on FreeBSD 4.8-RELEASE.
The fix is to include <sys/types.h>, if present, sooner in the check.
- Bug 1925 - Clean up of Class code. The Class and Classes directives are
now deprecated. See README.classes for more details.
- Bug 2295 - mod_tls returns multiline response to AUTH commands.
- Bug 2322 - NLST -a returns listing formatted for LIST -a. RFC959 does not
explicitly allow dash-style options for LIST or NLST, although many clients
attempt to use them. De facto FTP server behaviors handle options for LIST;
options for NLST will be explicitly rejected.
- Bug 2315 - Overlapping virtual server causes error. If a <VirtualHost>
was configured to handle the same IP address and port as the "server config"
server, the wrong server configuration was being removed.
- Bug 2324 - Directories whose names contain whitespace are inaccessible.
- Bug 2306 - ftpcount output should handle case of no users. When no clients
are connected, ftpcount now displays "0 users".
- Bug 2337 - TLSRenegotiate parameters not processed correctly.
- Bug 2340 - Problem with parallel builds. Proper dependencies added when
building ftpwho and ftptop.
- Bug 2327 - SQLNegativeCache causes unnecessary errors in server logging.
- Bug 2237 - HiddenStores does not check for existing file in edge case.
- Bug 2171 - Add delete options to ftpasswd. The ftpasswd script now
supports the --delete-user and --delete-group options.
- Bug 2105 - Remove Authoritative directives. The AuthPAMAuthoritative
directive, and the "*" syntax of SQLAuthenticate, have been deprecated.
- Bug 1696 - Include directive should support directories. The Include
directive now functions just like Apache's Include directive, including
handling glob characters.
- Bug 2311 - MaxClients counts unauthenticated users. According to the
documentation, the MaxClients configuration directive should only count
authenticated clients.
- Bug 2339 - STAT command doesn't follow RFC959. Previously, ProFTPD did
not support use of the STAT command during file transfers. This
functionality is now implemented. Sites wishing to prevent this can
limit use of the STAT command by using <Limit STAT>.
- Bug 2257 - Add SITE SYMLINK command to mod_site. Rather than adding
this command to the mod_site module, a new module, mod_site_misc, has
been added to the contrib area. The mod_site_misc module implements
SITE SYMLINK, and a few other SITE commands. See contrib/mod_site_misc.html
for details.
- Bug 2355 - Send error message to client when 'TLSRequired on' is in effect.
Previously, if SSL/TLS was configured to be required for both control
and data channels, if the client did not perform the SSL/TLS handshake for
a data transfer, the connection would hang. Now, an error message is sent
to the client if no handshake is done.
- Bug 2353 - REST doesn't handle offsets greater than 2 GB.
- Bug 2357 - ftptop should use COLS for determining display width.
- Bug 2321 - FTP permission checks inconsistent for DELE and RMD/XRMD when
symlink is in directory path. This bug affected the RNFR command as well.
- Bug 2361 - Second USER command causes problems with chrooted session.
- Bug 2363 - ABOR response RFC 959 compliance. The 226 response was being
sent before closing the data connection; RFC 959 implies that the data
connection is closed first.
- Bug 2369 - EPSV should not send network address when MasqueradeAddress is
used. RFC 2428 does not address the case where a server may wish to
return an address in the EPSV response that differs from the control
connection address, as is done in a PASV response for forwarding devices
(e.g. NAT, firewall). Until the proper behavior can be determined,
do not honor MasqueradeAddress for EPSV.
- Bug 2367 - LIST *.* strange behaviour. The builtin listing mechanism
was inadvertently recursing into globbed directories when recursion was
not actually requested.
- Bug 2371 - ftpasswd should have option to compare password against value
in passwd file. ftpasswd now supports a --not-previous-password option.
- Added a `howto' directory under `doc/', for mini-HOWTOs.
- Bug 2221 - proftpd on hp-ux 11.22. The default data type of socklen_t
on HP-UX 11 is problematic; many system calls expect an int, and the
default type is a size_t. This mismatch causes problems for 64-bit
builds.
- Bug 2385 - Renames fail with error "Invalid cross-device link".
- Bug 2383 - mod_ctrls.c: ctrls_listen(): Invalid size in bind() argument.
The size of struct sockaddr_un is not consistent across platforms.
- Bug 2387 - PRIVS_USER macro should set effective GID to user's primary GID.
- Added a `modules/' directory under `doc/', for core module documentation.
Currently there are HTML docs for mod_auth_file, mod_cap, and mod_ctrls.
- Bug 2317 - Wrong order of privs calls on HP generates "unable to setregid()"
error.
2004-09-21 15:10:18 +02:00 | man/man8/ftpdctl.8
2010-03-21 22:24:25 +01:00 | man/man8/ftpscrub.8
2001-10-22 16:26:45 +02:00 | man/man8/ftpshut.8
| man/man8/proftpd.8
2010-03-21 22:24:25 +01:00 | sbin/ftpscrub
2001-10-22 16:26:45 +02:00 | sbin/ftpshut
| sbin/in.proftpd
| sbin/proftpd
| share/doc/proftpd/Configuration.html
| share/doc/proftpd/NEWS
| share/doc/proftpd/README.LDAP
Update proftpd to 1.3.7c
1.3.7c
+ Fix memory disclosure to RADIUS servers by mod_radius (Issue #1284).
+ PCRE expressions with capture groups were not being handled properly
(Issue #1300).
1.3.7b
+ Fixed occasional segfaults with FTPS data transfers using TLSv1.3, when
session tickets cannot be decrypted (Issue #1063).
+ Passive transfers fail unexpectedly due to use of SO_REUSEPORT socket
option (Issue #1171).
+ Implemented support for Redis 6.x AUTH semantics (Issue #1070).
+ Fixed memory use-after-free issue in mod_sftp which can cause unexpected
login/authentication issues.
+ Fixed SQL syntax regression for some generated SQL statements
(Issue #1149).
+ Fixed "Corrupted MAC on input" errors when SFTP uses the
umac-64@openssh.com digest (Issue #1111).
1.3.7a
+ Fix build-time regression when using the --localstatedir configure option.
1.3.7
+ Support the SOURCE_DATE_EPOCH environment variable, for reproducible
builds (Issue #1038).
1.3.7rc4
+ Implemented support for configuring certificate options for LDAP
connections using SSL/TLS.
+ Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).
+ Fixed handling of IPv6 addresses in From directives (Issue #682).
+ Added -b and -n command-line options to ftptop.
+ Ignore supplemental groups when run as non-root user (Issue #808).
+ Use re-entrant versions of time functions where available (Issue #983).
+ New Configuration Directives
BanOptions
The BanOptions directive is used to tune mod_ban behavior, such as
creating ban entries that match/apply to all <VirtualHost> sections.
See doc/contrib/mod_ban.html#BanOptions for more details.
LDAPUseSASL
The LDAPUseSASL directive configures a list of SASL authentication
mechanisms to use, when using the LDAPBindDN to bind to the LDAP
server. See doc/contrib/mod_ldap.html#LDAPUseSASL for details.
LogOptions
The LogOptions directive is used to modify the default logging format
for ProFTPD syslog, debug, and module logging. See
doc/modules/mod_log.html#LogOptions for more information.
SQLKeepAlive
The SQLKeepAlive directive configures a periodic "keepalive" query
for ensuring the connection between mod_sql and the backend database
server. See doc/contrib/mod_sql.html#SQLKeepAlive for more information.
+ Changed Configuration Directives
LDAPServer
The LDAPServer directive now supports configuring the trusted CA
file, client certificate and key files, SSL ciphers, and verification
policies for LDAP connections. See doc/contrib/mod_ldap.html#LDAPServer
for more details.
TraceOptions
The TraceOptions directive now supports a "Timestamp" option, for
disabling inclusion of timestamps in Trace logs.
+ Developer notes
When MaxLoginAttempts is reached, the POST_CMD_ERR/LOG_CMD_ERR command
handler phases will now run. This allows interested modules, such
as mod_exec and others, to react to these events (Issue #718).
1.3.7rc3
+ Fixed regression in directory listing latency (Issue #863).
+ Fixed use-after-free vulnerability during data transfers (Issue #903).
+ Addressed out-of-bounds read in mod_cap by removing bundled libcap, and
relying solely on the system-provided libcap (Issue #902). Note that
building ProFTPD from source will *not* automatically include the
mod_cap module, unless the libcap library is available.
+ mod_sftp now supports OpenSSH-specific private host keys (Issue #793).
Newer versions of OpenSSH ssh-keygen(1) automatically generate private
keys formatted with this OpenSSH-specific format.
+ mod_sftp now supports Ed25519 keys (Bug #4221).
+ mod_sftp now supports RSA SHA-2 publickey signatures, per RFC 8332
(Issue #907).
+ mod_tls now honors client-provided SNI as part of the TLS handshake,
for implementing name-based virtual hosts via TLS SNI.
+ Changed Configuration Directives
LogFormat %{transfer-port}
The LogFormat directive supports a %{transfer-port} variable for
logging the selected data transfer port.
SFTPOptions NoExtensionNegotiation
The mod_sftp module now supports SSH extension negotiations (RFC 8332).
If there are any issues with this support, it can be disabled using:
SFTPOptions NoExtensionNegotiation
SQLAuthTypes bcrypt
The mod_sql_passwd module now supports bcrypt-encrypted passwords.
This can be enabled using:
SQLAuthTypes bcrypt
in your mod_sql configuration. See doc/contrib/mod_sql_password.html
for more information.
TLSOption IgnoreSNI
The TLSOption directive now supports an "IgnoreSNI" setting, to
tell mod_tls to ignore/not use any SNI, provided by the client in the
TLS handshake, for determining any name-based virtual hosts. See
doc/contrib/mod_tls.html#TLSOption for more details.
+ Added API
FSIO pread(2), pwrite(2) (Issue#317)
1.3.7rc2
+ Fixed pre-authentication remote denial-of-service issue (Issue #846,
CVE-2019-18217).
1.3.7rc1
+ RootRevoke is now on by default, meaning that once authentication succeeds,
all root privileges are dropped by default, unless the UserOwner directive
(which requires root privileges) is used (Bug#4241).
+ The mod_ident module is no longer automatically built by default.
To include the mod_ident module in the build, it must be explicitly
requested via --enable-ident or --with-shared=mod_ident.
This means that configuration files using the IdentLookups directive
will now want to use an enclosing <IfModule> section, like so:
<IfModule mod_ident.c>
IdentLookups off
</IfModule>
+ The mod_tls module now performs basic sanity checks of configured TLS
files on startup (Issue#491).
+ The mod_deflate module now supports MODE Z data transfers when TLS
is used (Issue#505).
+ The mod_xfer module now supports the RANG FTP command; see
https://tools.ietf.org/html/draft-bryan-ftp-range-08 (Issue#351).
+ The ftpasswd script now supports a --change-home option, for changing
the home directory of a user in an AuthUserFile (Issue#566).
+ The ftpasswd script supports deleting a user from a group (Issue#620).
+ Refactored the LogFormat handling code so that it is no longer
duplicated by mod_log, mod_sql, etc. The new Jot API is the common API
to be used by modules for LogFormat variables and logging.
+ Generated new DH parameters for mod_sftp, mod_tls.
+ New Configuration Directives
AuthFileOptions
The mod_auth_file module supports a configuration directive for disabling
its requirement for secure permissions on configured
AuthUserFile/AuthGroupFile. See
doc/modules/mod_auth_file.html#AuthFileOptions for information.
RedisLogOnEvent
The mod_redis module can be configured to log JSON messages based on
specified events (Issue#392). See the
doc/modules/mod_redis.html#RedisLogOnEvent documentation for details.
RedisOptions
The mod_redis module now implements a RedisOptions directive, for tuning
some of the module behavior (Issue#477). The
doc/modules/mod_redis.html#RedisOptions documentation has more details.
RedisSentinel
The mod_redis module now supports use of Redis Sentinels (Issue#396);
see doc/modules/mod_redis.html#RedisSentinel.
+ Changed Configuration Directives
AllowForeignAddress class-name
The AllowForeignAddress directive supports a Class name, for finer-grained
control over which clients are allowed to use foreign/mismatching IP
addresses for transfers. See
doc/modules/mod_core.html#AllowForeignAddress for more information.
ExecEnviron %b
The ExecEnviron directive has been fixed to properly resolve the %b
LogFormat variable (Issue#515).
RedisServer db-index (Issue#550)
The mod_redis module can now be configured to select a database index
via the RedisServer directive (Issue#550). See the
doc/modules/mod_redis.html#RedisServer documentation for details.
RewriteMap idnatrans
The mod_rewrite module can now support rewriting `idn` to `idna`
formats (Issue#231). See the doc/modules/mod_rewrite#RewriteMap for
details on how to do so.
RootRevoke on
The RootRevoke directive is now enabled by default (Bug#4241). This
makes for more secure configurations/sessions out-of-the-box. See
doc/modules/mod_auth.html#RootRevoke for more information.
SFTPCiphers, SFTPDigests
Some weak algorithms are now disabled by default in mod_sftp (Bug#4279).
These algorithms, if need be, can be explicitly enabled by configuration;
they are just not enabled automatically. For a list of the algorithms
affected, see doc/contrib/mod_sftp.html#SFTPCiphers,
doc/contrib/mod_sftp.html#SFTPDigests.
SFTPOptions IncludeSFTPTimes
The SFTPOptions directive of mod_sftp now supports an option for explicitly
including the timestamps of files when SFTP protocol 4 and higher are
used, even if the SFTP client did not request these timestamps. This
works around a bug in the popular Rebex SFTP library; see
doc/contrib/mod_sftp.html#SFTPOptions for details.
TLSProtocol TLSv1.3
The mod_tls module, and its TLSProtocol directive, now support TLSv1.3
(Issue#536). See doc/contrib/mod_tls.html#TLSProtocol for more
information.
TLSServerCipherPreference
The TLSServerCipherPreference directive is now enabled by default.
See doc/contrib/mod_tls.html#TLSServerCipherPrefrence.
TLSStaplingOptions NoFakeTryLater
Some TLS clients have trouble with the "fake" OCSP response that mod_tls
might staple, when the client requested stapled OCSP responses and
mod_tls is unable to contact the OCSP responder. Use this option to
disable such fake responses (Issue#518):
TLSStaplingOptions NoFakeTryLater
See doc/contrib/mod_tls.html#TLSStaplingOptions for details.
+ Removed Configuration Directives
The following directives have been removed:
GroupPassword
LoginPasswordPrompt
TransferPriority
2021-10-16 21:46:41 +02:00 | share/doc/proftpd/README.md
2001-10-22 16:26:45 +02:00 | share/doc/proftpd/README.modules
2002-06-10 07:49:41 +02:00 | share/doc/proftpd/faq.html
2001-10-22 16:26:45 +02:00 | share/doc/proftpd/license.txt
| share/examples/proftpd/anonymous.conf
| share/examples/proftpd/basic.conf
Package ProFTPD using DSO (Dynamic Shared Objects) support.
This is preferable for binary package use as it allows the user to choose
which features to enable by changing the configuration file instead of
recompiling. This is also how ProFTPD is usually packaged in other systems.
For details about ProFTPD and DSO see:
http://www.proftpd.org/docs/howto/DSO.html
This change removes the following PKG_OPTIONS.proftpd:
ban, ldap, mysql, pgsql, proftpd-readme, quota, tls and wrap
The modules that were previously compiled when enabling ban, proftpd-readme,
quota or tls are now always included. To load them use a configuration
directive like:
LoadModule mod_ban.c
In addition the proftpd package includes by default many other modules that
were previously unavailable like: mod_load, mod_radius, mod_sftp and more.
The module that was provided by the wrap option is replaced by the wrap2 module
which is also always included.
The ldap option is superseded by the proftpd-ldap package.
The mysql option is superseded by the proftpd-mysql package.
The pgsql option is superseded by the proftpd-postgresql package.
Using proftpd-postgresql will create one binary package for each PostgreSQL
version in pkgsrc.
In addition the following added packages provide new functionality:
- proftpd-geoip (access GeoIP details)
- proftpd-memcached (mod_memcache and mod_tls_memcache)
- proftpd-odbc (access any ODBC database)
- proftpd-sqlite (access to sqlite3)
2015-09-25 12:01:36 +02:00 | share/examples/proftpd/blacklist.dat
2001-10-22 16:26:45 +02:00 | share/examples/proftpd/complex-virtual.conf
Package ProFTPD using DSO (Dynamic Shared Objects) support.
2015-09-25 12:01:36 +02:00 | share/examples/proftpd/dhparams.pem
2009-01-11 23:47:54 +01:00 | share/examples/proftpd/ftpasswd
2002-06-10 07:49:41 +02:00 | share/examples/proftpd/mod_sql.conf
2001-10-22 16:26:45 +02:00 | share/examples/proftpd/virtual.conf
2009-12-21 01:41:43 +01:00 | share/locale/bg_BG/LC_MESSAGES/proftpd.mo
2008-10-03 08:52:03 +02:00 | share/locale/en_US/LC_MESSAGES/proftpd.mo
2013-03-15 14:34:32 +01:00 | share/locale/es_ES/LC_MESSAGES/proftpd.mo
2009-12-21 01:41:43 +01:00 | share/locale/fr_FR/LC_MESSAGES/proftpd.mo
2008-10-03 08:52:03 +02:00 | share/locale/it_IT/LC_MESSAGES/proftpd.mo
2010-11-07 13:21:09 +01:00 | share/locale/ja_JP/LC_MESSAGES/proftpd.mo
2009-12-21 01:41:43 +01:00 | share/locale/ko_KR/LC_MESSAGES/proftpd.mo
2009-02-08 08:28:44 +01:00 | share/locale/ru_RU/LC_MESSAGES/proftpd.mo
2008-10-03 08:52:03 +02:00 | share/locale/zh_CN/LC_MESSAGES/proftpd.mo
2009-12-21 01:41:43 +01:00 | share/locale/zh_TW/LC_MESSAGES/proftpd.mo
2009-06-14 23:00:03 +02:00 | @pkgdir lib/proftpd
Update proftpd to 1.3.7c
2021-10-16 21:46:41 +02:00 | @pkgdir etc