Subject: CVS commit: pkgsrc/net/proftpd
From: Thomas Merkel
Date: 2021-10-16 21:46:42
Message id: 20211016194642.64256FA94@cvs.NetBSD.org

Log Message:
Update proftpd to 1.3.7c

1.3.7c
  + Fix memory disclosure to RADIUS servers by mod_radius (Issue #1284).
  + PCRE expressions with capture groups were not being handled properly
    (Issue #1300).

1.3.7b
  + Fixed occasional segfaults with FTPS data transfers using TLSv1.3, when
    session tickets cannot be decrypted (Issue #1063).
  + Passive transfers fail unexpectedly due to use of SO_REUSEPORT socket
    option (Issue #1171).
  + Implemented support for Redis 6.x AUTH semantics (Issue #1070).
  + Fixed memory use-after-free issue in mod_sftp which can cause unexpected
    login/authentication issues.
  + Fixed SQL syntax regression for some generated SQL statements
    (Issue #1149).
  + Fixed "Corrupted MAC on inptut" errors when SFTP uses the
    umac-64@openssh.com digest (Issue #1111).

1.3.7a
  + Fix build-time regression when using the --localstatedir configure option.

1.3.7
  + Support the SOURCE_DATE_EPOCH environment variable, for reproducible
    builds (Issue #1038).

1.3.7rc4
  + Implemented support for configuring certificate options for LDAP
    connections using SSL/TLS.
  + Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).
  + Fixed handling of IPv6 addresses in From directives (Issue #682).
  + Added -b and -n command-line options to ftptop.
  + Ignore supplemental groups when run as non-root user (Issue #808).
  + Use re-entrant versions of time functions where available (Issue #983).
  + New Configuration Directives
    BanOptions
      The BanOptions directive is used to tune mod_ban behavior, such as
      creating ban entries that match/apply to all <VirtualHost> sections.
      See doc/contrib/mod_ban.html#BanOptions for more details.
    LDAPUseSASL
      The LDAPUseSASL directive configures a list of SASL authentication
      mechanisms to use, when using the LDAPBindDN to bind to the LDAP
      server.  See doc/contrib/mod_ldap.html#LDAPUseSASL for details.
    LogOptions
      The LogOptions directive is used to modify the default logging format
      for ProFTPD syslog, debug, and module logging.  See
      doc/modules/mod_log.html#LogOptions for more information.
    SQLKeepAlive
      The SQLKeepAlive directive configures a periodic "keepalive" query
      for ensuring the connection between mod_sql and the backend database
      server.  See doc/contrib/mod_sql.html#SQLKeepAlive for more information.
  + Changed Configuration Directives
    LDAPServer
      The LDAPServer directive now supports configuring the trusted CA
      file, client certificate and key files, SSL ciphers, and verification
      policies for LDAP connections.  See doc/contrib/mod_ldap.html#LDAPServer
      for more details.
    TraceOptions
      The TraceOptions directive now supports a "Timestamp" option, for
      disabling inclusion of timestamps in Trace logs.
  + Developer notes
    When MaxLoginAttempts is reach, the POST_CMD_ERR/LOG_CMD_ERR command
    handler phases will now run.  This allows interested modules, such
    as mod_exec and others, to react to these events (Issue #718).

1.3.7rc3
  + Fixed regression in directory listing latency (Issue #863).
  + Fixed use-after-free vulnerability during data transfers (Issue #903).
  + Addressed out-of-bounds read in mod_cap by removing bundled libcap, and
    relying solely on the system-provided libcap (Issue #902).  Note that
    building ProFTPD from source will *not* automatically include the
    mod_cap module, unless the libcap library is available.
  + mod_sftp now supports OpenSSH-specific private host keys (Issue #793).
    Newer versions of OpenSSH ssh-keygen(1) automatically generate private
    keys formatted with this OpenSSH-specific format.
  + mod_sftp now supports Ed25519 keys (Bug #4221).
  + mod_sftp now supports RSA SHA-2 publickey signatures, per RFC 8332
    (Issue #907).
  + mod_tls now honors client-provided SNI as part of the TLS handshake,
    for implementing name-based virtual hosts via TLS SNI.
  + Changed Configuration Directives
    LogFormat %{transfer-port}
      The LogFormat directive supports a %{transfer-port} variable for
      logging the selected data transfer port.
    SFTPOptions NoExtensionNegotiation
      The mod_sftp module now supports SSH extension negotations (RFC 8332).
      If there any issues with this support, it can be disabled using:
        SFTPOptions NoExtensionNegotiation
    SQLAuthTypes bcrypt
      The mod_sql_passwd module now supports bcrypt-encrypted passwords.
      This can be enabled using:
        SQLAuthTypes bcrypt
      in your mod_sql configuration.  See doc/contrib/mod_sql_password.html
      for more information.
    TLSOption IgnoreSNI
      The TLSOption directive now supports an "IgnoreSNI" setting, to
      tell mod_tls to ignore/not use any SNI, provided by the client in the
      TLS handshake, for determining any name-based virtual hosts.  See
      doc/contrib/mod_tls.html#TLSOption for more details.
  + Added API
    FSIO pread(2), pwrite(2) (Issue#317)

1.3.7rc2
  + Fixed pre-authentication remote denial-of-service issue (Issue #846,
    CVE-2019-18217).

1.3.7rc1
  + RootRevoke is now on by default, meaning that once authentication succeeds,
    all root privileges are dropped by default, unless the UserOwner directive
    (which requires root privileges) is used (Bug#4241).
  + The mod_ident module is no longer automatically built by default.
    To include the mod_ident module in the build, it must be explicitly
    requested via --enable-ident or --with-shared=mod_ident.
    This means that configuration files using the IdentLookups directive
    will now want to using an enclosing <IfModule> section, like so:
      <IfModule mod_ident.c>
        IdentLookups off
      </IfModule>
  + The mod_tls module now performs basic sanity checks of configured TLS
    files on startup (Issue#491).
  + The mod_deflate module now supports MODE Z data transfers when TLS
    is used (Issue#505).
  + The mod_xfer module now supports the RANG FTP command; see
    https://tools.ietf.org/html/draft-bryan-ftp-range-08 (Issue#351).
  + The ftpasswd script now supports a --change-home option, for changing
    the home directory of a user in an AuthUserFile (Issue#566).
  + The ftpasswd script supports deleting a user from a group (Issue#620).
  + Refactored the LogFormat handling code so that it is not longer
    duplicated by mod_log, mod_sql, etc.  The new Jot API is the common API
    to be used by modules for LogFormat variables and logging.
  + Generated new DH parameters for mod_sftp, mod_tls.
  + New Configuration Directives
    AuthFileOptions
      The mod_auth_file module supports a configuration directive for disabling
      its requirement for secure permissions on configured
      AuthUserFile/AuthGroupFile.  See
      doc/modules/mod_auth_file.html#AuthFileOptions for information.
    RedisLogOnEvent
      The mod_redis module can be configured to log JSON messages based on
      specified events (Issue#392).  See the
      doc/modules/mod_redis.html#RedisLogOnEvent documentation for details.
    RedisOptions
      The mod_redis module now implements a RedisOptions directive, for tuning
      some of the module behavior (Issue#477).  The
      doc/modules/mod_redis.html#RedisOptions documentation has more details.
    RedisSentinel
      The mod_redis module now supports use of Redis Sentinels (Issue#396);
      see doc/modules/mod_redis.html#RedisSentinel.
  + Changed Configuration Directives
    AllowForeignAddress class-name
      The AllowForeignAddress directive supports a Class name, for finer-grained
      control over which clients are allowed to use foreign/mismatching IP
      addresses for transfers.  See
      doc/modules/mod_core.html#AllowForeignAddress for more information.
    ExecEnviron %b
      The ExecEnviron directive has been fixed to properly resolve the %b
      LogFormat variable (Issue#515).
    RedisServer db-index (Issue#550)
      The mod_redis module can now be configured to select a database index
      via the RedisServer directive (Issue#550).  See the
      doc/modules/mod_redis.html#RedisServer documentation for details.
    RewriteMap idnatrans
      The mod_rewrite module can now support rewriting `idn` to `idna`
      formats (Issue#231).  See the doc/modules/mod_rewrite#RewriteMap for
      details on how to do so.
    RootRevoke on
      The RootRevoke directive is now enabled by default (Bug#4241).  This
      makes for more secure configurations/sessions out-of-the-box.  See
      doc/modules/mod_auth.html#RootRevoke for more information.
    SFTPCiphers, SFTPDigests
      Some weak algorithms are now disabled by default in mod_sftp (Bug#4279).
      These algorithms, if need be, can be explicitly enabled by configuration;
      they are just not enabled automatically.  For list of the algorithms
      affected, see doc/contrib/mod_sftp.html#SFTPCiphers,
      doc/contrib/mod_sftp.html#SFTPDigests.
    SFTPOptions IncludeSFTPTimes
      The SFTOptions directive of mod_sftp now supports an option for explicitly
      including the timestamps of files when SFTP protocol 4 and higher are
      used, even if the SFTP client did not request these timestamps.  This
      works around a bug in the popular Rebex SFTP library; see
      doc/contrib/mod_sftp.html#SFTPOptions for details.
    TLSProtocol TLSv1.3
      The mod_tls module, and its TLSProtocol directive, now support TLSv1.3
      (Issue#536).  See doc/contrib/mod_tls.html#TLSProtocol for more
      information.
    TLSServerCipherPreference
      The TLSServerCipherPreference directive is now enabled by default.
      See doc/contrib/mod_tls.html#TLSServerCipherPrefrence.
    TLSStaplingOptions NoFakeTryLater
      Some TLS clients have trouble with the "fake" OCSP response that \ 
mod_tls
      might stable, when the client requested stapled OCSP responses and
      mod_tls is unable to contact the OCSP responder.  Use this option to
      disable such fake responses (Issue#518):
        TLSStaplingOptions NoFakeTryLater
      See doc/contrib/mod_tls.html#TLSStaplingOptions for details.
  + Removed Configuration Directives
    The following directives have been removed:
      GroupPassword
      LoginPasswordPrompt
      TransferPriority

Files:
RevisionActionfile
1.93modifypkgsrc/net/proftpd/Makefile
1.13modifypkgsrc/net/proftpd/Makefile.common
1.2modifypkgsrc/net/proftpd/Makefile.module
1.29modifypkgsrc/net/proftpd/PLIST
1.53modifypkgsrc/net/proftpd/distinfo
1.3modifypkgsrc/net/proftpd/patches/patch-Make.rules.in
1.2modifypkgsrc/net/proftpd/patches/patch-Makefile.in
1.2modifypkgsrc/net/proftpd/patches/patch-configure.in
1.2modifypkgsrc/net/proftpd/patches/patch-contrib_mod__load_configure.in
1.3modifypkgsrc/net/proftpd/patches/patch-contrib_mod__load_mod__load.c
1.2modifypkgsrc/net/proftpd/patches/patch-contrib_mod__load_mod__load.h.in
1.2modifypkgsrc/net/proftpd/patches/patch-contrib_mod__sftp_Makefile.in
1.3modifypkgsrc/net/proftpd/patches/patch-include_pfilter.h
1.2modifypkgsrc/net/proftpd/patches/patch-src_main.c
1.3modifypkgsrc/net/proftpd/patches/patch-src_pfilter.c
1.1addpkgsrc/net/proftpd/patches/patch-src_pidfile.c