Based on PR#42711 by Fredrik Pettai.
Pkgsrc changes:
Honor VARBASE.
* Version 1.0.27:
- IPv6 connections are accepted again (regression from version 1.0.26)
- SSLv3 renegotiation has been disabled
- .pureftpd-upload-* files can be deleted by users with no quota.
- The server can be forced to shut down on iPhone.
* Version 1.0.26:
- Fix incompatibilities with Cyberduck and dramatically speed up directory
listings and transfers when TLS is enabled with some other clients like LFTP.
- Allow authentication of non-chrooted users again. It was a regression
from version 1.0.25. Spotted by Juergen Daubert.
* Version 1.0.25:
- The FTP server can now be built as a library for iPhone and iPod Touch.
- Display symbolic links in the MLSD command as symbolic links, unless the
broken clients mode is enabled, just like STAT/LIST/NLST.
- Enhanced compatibility with gcc 2.x and with custom installation paths.
- Fix packaging issues, especially when the server isn't installed in the
default paths
- Downloads now require less CPU and less memory.
- Fix an infinite loop that could lead to a client process burning a CPU
core if the client didn't disconnect properly. Reported by Thomas Min and
Margus Kaidja.
- Handle fake download resumes the traditional way for the sake of being
compatible with weird clients that insist on doing that.
- The group name is now always displayed instead of the gid when it matches the
primary user group.
* Version 1.0.24:
- When using LDAP in BIND mode, empty passwords are refused. Reported by
Henning Brauer.
* Version 1.0.23:
- The LDAP schema has been fixed.
- LDAP authentication through binding is now possible in addition to
passwords. This allows for the FTP server to run with an unprivileged LDAP
account.
- In LDAP objects, the "enabled" value is accepted again as a FTPStatus
property.
- Privilege separation is now enabled by default.
- The server should now properly compile on Solaris with privsep.
- Charset conversions are properly made on directory names.
- Transfers now handle every kind of disconnection.
- More informative log messages for errors and activity reporting.
- Virtual quotas are way more reliable and uploads are interrupted as soon as
quotas are exceeded.
- Atomic uploads are only used when necessary and only if --notruncate is
enabled.
- Dangling .pureftpd-upload files should be a thing of the past.
- Enhanced conformance with RFCs and better compatibility with FTP clients.
- Improved SSL performance, compatibility and commands support.
- By default, up to 10000 files per directory can be listed instead of 2000.
- ALLO can now tell clients whether an upload would blow quotas before the
upload actually starts.
- PAM is now enabled by default on OSX.
- Switch euid to the _pure-ftpd account (unless it's nonexistent) in the
privsep process.
- --without-banner is not necessary any more. Having a cookie file
(--fortunefile=...) automatically disables the default banner, thus allowing
full customization of the welcome banner.
- ./configure --localstatedir is now honored in order to change the
run-time directory.
- Support for building a FTPS (implicit SSL/TLS) server, using
--with-implicittls
* Version 1.0.22:
- the LDAP authentication backend now supports TLS encryption.
- TLS encryption is supported on data channels.
- downloads require way less CPU time on platforms with slow mmap() calls.
- MySQL 5+ stored procedures can now be used in the authentication process.
- time zones issues should be fixed for good.
- on-demand directories can now be created with any set of permissions.
- password scrambling of MySQL 5+ is now supported.
- a Catalan translation has been contributed.
- spurious disconnections due to some clients keepalive tricks have
been fixed.
- custom authentication handlers are now informed about the encryption
status of the session.
- standard-conformance and compatibility with several clients have improved.
- large files are now supported by default.
- enhanced support for Solaris.
- a bunch of bug fixes, optimizations and compatibility with newer
libraries and operating system versions.
- "ftp" and "anonymous" user names can have passwords if the -E switch (no
anonymous logins) is specified.
- in compatibility mode, non-dangling symbolic links are now displayed as
if they were regular files/directories.
- --with-everything now includes privsep.
support, from unex@linija.org via PR pkg/32901.
Changes:
* When SHA1HANDSOFF is defined, we shouldn't cast a pointer to a large union to
a char buffer, because of alignment required by some architectures.
* WITH_THROTTLING should actually be THROTTLING in src/log_extauth.c . It fixes
throttling with extauth. Reported and fixed by Marcus Merighi <mcmer@tor.at>
through Brad our beloved OpenBSD maintainer.
* Rendezvous has been renamed Bonjour.
* A double-close in the CHMOD command has been fixed.
* The old PAM sample has been removed.
* -F option added to pure-pw.
* MAX_USER_LENGTH has been bumped to 127 due to popular demand.
* pam/* can now be used if security/* doesn't exist. Fixes PAM detection on
MacOS X.
* Call tzset() in chrooted apps in order to get correct time zones in syslog
messages.
* simplify() simplifies paths ending by /. and /..
* MySQL's hash_password() needs 3 arguments since MySQL 4.1.
* Experimental support for RFC2640 (UTF-8 filename encoding) has been added,
derived from code by Jui-Nan Lin ===> added as "utf8" pkgsrc option.
* The LDAP schema has been changed: FTPStatus should be a boolean.
* New switch: -p (--pidfile=) for pure-authd and pure-uploadscript, by Old
Sparky.
* By popular request, even non-chrooted users are now denied access if their
home directory is not mounted.
* If die() is called during a TLS-enabled session, encrypt the death message.
Contributed by Cynix.
* Don't wrongly abort transfer during file upload. Fix by Patrick Gosling.
* WITH_LARGE_FILES is now defined by default.
* sendfile64() support on Linux.
* privsep and main processes were swapped out so that pure-ftpwho displays the
right pid.
* OPTS MLST has been implemented.
* SITE UTIME has been implemented.
* TCP_CORK is on by default again. A new configure switch, --without-cork, can
disable it.
* Correctly format %c and %% in fakesprintf().
* The connection socket is now created with the Nagle algorithm disabled. It
was the trick to dramatically improve performance when transferring a lot of
small files.
* Updated getopt_long() and realpath() substitutes.
* Allow logging to named pipes (thanks to Steve Marple).
* Use CLIENT_MULTI_STATEMENTS while connecting to a MySQL server.
* Documentation updates.
* MySQL errors are now logged.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
pkgsrc changes:
o move to bsd.options.mk framework
o add ldap options
package changes:
o On MacOS X Panther and Tiger, clients were sometimes rejected when they
had no reverse DNS entry and DNS resolution was enabled. This has been
fixed. Thanks to Yann Thomas Gerard <inside@parasiterecords.com> .
o The command-line parser was broken on FreeBSD and Solaris in version
1.0.19. This has also been fixed.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
patch provided by Sergio Jimenez in PR pkg/26381
* Version 1.0.19:
- A workaround for pure-ftpwho not working on OpenBSD has been added.
- Real disk space is no more shown.
- A possible denial of service when too many users were connected should be
fixed. Reported by Agri <agri@desnol.ru>, thanks!
* Version 1.0.18:
- A new, nice-looking PDF version of the documentation is now available from
http://www.pureftpd.org/readme.pdf . Contributed by Torgny Wernersson.
- The beast now compiles and links against MySQL 4.1.x, but passwords must
not be hashed with MySQL-specific hashing function.
- Buglets were fixed in the documentation.
- Two new translations were added: Hungarian and Catalan. Contributed by
Bánhalmi Csaba and Oriol Magrané.
- The server now uses distinct IPv4 and IPv6 to listen to both protocols on
all operating systems. A new switch, -6, forces the server to only listen to
IPv6.
- W3C and CLF alternative log formats are now more standard conformant.
- Pure-FTPd can now produce WU-FTPd (xferlog) compatible log files.
- Support for Rendezvous was added on MacOS X.
- Support for Apple / GNUStep plist data output was added to pure-ftpwho.
- UTF-8 characters are now supported in file names. A new switch,
--without-unicode, can be used to filter out non-latin characters.
Changes:
* Version 1.0.17a:
+ An old standing issue has been fixed : ungracefully aborted transfers
caused the session to exit without removing ftpwho entry and atomic
files. This fix also speeds up ftpwho and peruserlimit.
* Version 1.0.17:
+ The SSL certificate file can now be changed through a new configuration
switch, --with-certfile. It doesn't depend on sysconfdir any more and it
defaults to the original location : /etc/ssl/private/pure-ftpd.pem.
+ Shadowed NIS accounts and MacOS X Panther system accounts are now
processed by the pure-pwconvert tool.
+ The server doesn't reject users any more on Linux when capabilities are
used.
+ The documentation has been improved (man pages, README, FAQ, typos).
+ Optimizations have been made.
+ SO_REUSEPORT is now used on FreeBSD to always bind the ftp-data port.
+ SSL-related error messages are now more explicit.
+ The SITE TIME command has been implemented.
+ The sample PAM configuration file has been rewritten.
+ A logfile parser has been added to the contribs.
+ MacOS X Panther specific instructions have been added.
+ Upload is now atomic. A file is uploaded with a temporary name and it
gets its final name only once the upload has been completed. If a file
already exists with the same name, the content can be preserved until the
new content has been fully transferred (using the new --notruncate run-time
switch).
Web servers will no more serve partially transferred files during uploads.
The new handling of uploads also limits the races in virtual quota
handling.
* Version 1.0.16c:
+ The PAM backend and the CGI mode were accidentally broken in version
1.0.16b. This version fixes both issues.
+ The Norwegian translation has been updated.
* Version 1.0.16b:
+ The server now properly compiles with SSL/TLS on RedHat 9 systems.
+ pure-ftpwho now outputs nice-looking XHTML 1.1 conformant code, an XSS
issue has been fixed and the local host name is now properly displayed in
verbose mode.
+ The path to SSL certificates now follows the --sysconfdir prefix.
+ Minor optimizations have been made.
+ IPv4 and IPv6 addresses will now listen for connections even
without the -4 switch on NetBSD and FreeBSD.
Based on PR pkg/22680 by Jon Olsson.
Changes:
- add new build-time options: PURE_FTPD_USE_TLS, PURE_FTPD_USE_VIRTUAL_CHROOT
- make the MySQL support actually work
- install more documentation
1.0.16a:
========
- Fix typo (sizeof_resolved instead of sizeof resolved) in src/bsd-realpath.c
Not a vulnerability because it happens in the good way, but it sometimes
used to break uploadscript.
1.0.16:
=======
- An obsolete comment in pure-ftpd.conf was fixed : RPMs don't parse
/etc/sysconf/pure-ftpd any more.
- Recognize the '##' prefix as a shadowed password - make authentication work
on Solaris with shadow/NIS.
- Add back some random sleep() between authentication failures in addition to
the exponential sleep. Zzzzz... sleeping is good in summer...
- Upgrade to automake 1.7.5.
- The list of options in the pure-ftpd(8) man page was reordered -
Thanks to our beloved Claudiu Costin.
- SSL/TLS support was added (bits in src/{ftpd.c,ftp_parser.c,tls.c,tls.h,
configure.ac}, new doc: README.TLS, new globals: tls_ctx, tls_cnx). New
related commands were introduced : AUTH, PBSZ and PROT.
- Uploaded files are now removed when realpath() fails and bsd_realpath() was
modified to fall back to getcwd()/chdir() if we can't get a descriptor on
the current directory because it is not readable. It fixes pure-uploadscript
on some platforms like MacOS X.
- HAVE_BROKEN_REALPATH is gone. USE_BUILTIN_REALPATH is born.
- A typo in the Python configuration file wrapper was fixed : -t was used in
place of -y.
- MacOS X Panther has a lousy getnameinfo() implementation that doesn't fill
the buffer when no DNS entry is found for a host and a numerical result
wasn't explicitly asked. As a result, Pure-FTPd didn't even start on Panther
(saying "bad IP address") . We now check for EAI_NONAME if available and we
retry with NI_NUMERICHOST if this is what getnameinfo() returns. Thanks to
Yann Bizeul for his valuable help on this issue.
- Implement a working strdup() replacement in puredb for systems lacking it.
- Some MAXPATHLEN / MAXPATHLEN + 1 cleanups. Basically when paths are
generated by our own functions, we use MAXPATHLEN for the complete
zero-terminated string. When a buffer is passed to a libc function, we reserve
a MAXPATHLEN + 1 buffer and give a MAXPATHLEN size, just to avoid bad
surprises if an off-by-one ever occurs in a getcwd() like function.
- Don't use make_scrambled_password() in the MySQL backend because the API
changed since MySQL 4.1.
- Removed fixed-size constant arrays in src/crypto.c because of MacOS X linker
bugs (grrr...) .
Updated to version 1.0.15.
Addresses PR pkg/21941 by Jon Olsson.
Changes:
- buildlink2-ify
- added PostgreSQL support (PURE_FTPD_USE_PGSQL)
- fixed MySQL support (missing bsd.prefs.mk include)
1.0.15:
=======
- A Turkish translation has been added. Thanks to Mehmet Cokcevik
<dns@netline.com.tr> .
- Various functional and portability fixes have been made to the
handling of upload scripts, to the pure-pw command and to the
automatic creation of home directories.
- Accounts in a puredb database can now be quickly listed ("pure-pw
list").
- The anonymous FTP directory can now be overridden on the Windows
port (using a WIN32_ANON_DIR environment variable).
- The default banner has been stripped down to look more
professional (ie. boring).
- Transfer speed on BSD systems has been improved.
- The license of the whole package has changed from GPL to a simplified
BSD license.