./net/pure-ftpd, Secure FTP daemon with optional SQL support

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.0.49nb2, Package name: pure-ftpd-1.0.49nb2, Maintainer: pkgsrc-users

Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant
FTP server based upon Troll-FTPd. It doesn't provide useless bells and
whistles, but focuses on efficiency and ease of use. It provides simple
answers to common needs, plus unique useful features for personal users as
well as hosting providers.


Required to run:
[security/openssl]

Required to build:
[pkgtools/cwrappers]

Package options: ssl, virtualchroot

Master sites:

Filesize: 476.521 KB

Version history: (Expand)


CVS history: (Expand)


   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3
   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
   2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
   2021-06-23 22:33:18 by Nia Alarie | Files touched by this commit (103)
Log message:
Revbump for MySQL default change
   2020-06-30 13:10:26 by Jonathan Perkin | Files touched by this commit (1)
Log message:
pure-ftpd: SunOS needs _XOPEN_SOURCE=600 for CMSG bits.
   2020-03-11 12:47:19 by Nia Alarie | Files touched by this commit (5)
Log message:
pure-ftpd: Update to 1.0.49

* Version 1.0.49:
 - This version fixes a regression introduced in version 1.0.48 that broke
the external authentication feature. Reported by Peter Hudec, thanks!
 - Sockets from `pure-authd` and `pure-extauth` are now always owned by
`root` in order to cope with the absence of `CAP_DAC_OVERRIDE` on Linux.
Suggested by Arkadiusz Miśkiewicz, thanks!

* Version 1.0.48:
 - SNI support has been added. A new service, `pure-certd`, can run
external code written in any language in order to map SNI names to TLS certificates.
 - External authentication handlers get a new
`AUTHD_CLIENT_SNI_NAME` environment variable set when the client uses SNI.
 - TLS certificates and keys can now be in different files.
 - `make install` does not overwrite existing configuration files any
more. The example files layout has changed.
 - TLS 1.3 is enabled when using OpenSSL 1.1.x.
 - TLS < 1.2 is disabled by default.
 - Quirks for obsolete OpenSSL versions have been removed.
 - Username _ftp can be used as an alternative to ftp everywhere.
 - Password hashing parameters are now chosen according to locally
available resources. The `pure-pw` command gets to new switches: `-C` (as
a hint regarding the number of simultaneous login attempts) and `-M`
(total memory, in MB, to reserve for password hashing).
 - New translation: Albanian, thanks to Moisi Xhaferaj.
 - The `PRET` command has been added. It can avoid opening useless data
connections for nonexistent content.
 - Dot-files are always displayed. We don't lie any more in some
commands while not lying in other commands to respect the protocol.
 - Support for RFC 2640 has been removed from the free version, as it
was early, experimental, slow, mostly broken and unmaintained code.
 - The `NLST` command doesn't perform globbing any more.
 - The `MLSD` command now prepends the path to file names.

* Version 1.0.47:
 - Unlike other directory listing commands, the STAT command should
use TLS on the control channel even if TLS has been disabled on the data
channel. It wasn't the case; this has been fixed. Thanks to Carlo
Cannas.
 - Return a 451 error code instead of 226 on aborted uploads.
 - The system user "_ftp" can be used as an alternative to \ 
"ftp" for
anonymous sessions.
 - Compatibility with libsodium > 1.0.12 was added (including minimal
mode).

* Version 1.0.46:
 - The server can now be linked against OpenSSL 1.1.x with the strict API.
 - Unmaintained contributions have been removed.
 - Globbing: the number of * in an expression has been limited to 3.

* Version 1.0.45:
 - TLS v1.0 sessions are now refused.
 - Version 1.0.44 didn't properly parse the TLSCipherSuite directive.
This has been fixed.

* Version 1.0.44:
 - The Perl and Python wrappers are gone. The daemon can now use a
configuration file without requiring external dependencies.
 - Pure-FTPd can now be linked against OpenSSL 1.1.x
 - The QUIT command didn't work properly when the server was compiled
without support for RFC2640. This has been fixed.
 - 3DES was removed from the default cipher suite.

* Version 1.0.43:
 - Passwords can now be hashed using Argon2.
 - The -J switch didn't work any more in 1.0.42. This has been fixed.
 - The default cipher suite was simplified.
 - Authentication against system accounts is compatible with OpenBSD 6.0.
 - Fixed: protocol conformance when TLS sessions are refused.
 - Altlog records can now be sent to `stdout`/`stderr`.

* Version 1.0.42:
 - Compilation fix for OpenBSD and Bitrig when Pure-FTPd is not
compiled with libsodium.
 - The connection is now dropped if HTTP commands are received.
 - LDAP force_default_gid and force_default_uid now work as documented.
 - The ONLY_ACCEPT_REUSED_SSL_SESSIONS switch (introduced in Pure-FTPd
1.0.22 circa 2009, but disabled back then due to client compatibility
concerns) is now on by default, except in broken clients compatibility mode.

* Version 1.0.41:
 - libmariadb is looked for in addition to libmysqlclient
 - MySQL: my_make_scrambled_password() is not always an exported
symbol any more, so pure-ftpd now ships a reimplementation.
 - openssl/ec.h is not available on some Linux distributions that
disable EC in OpenSSL. This is being tested by autoconf.
 - New command-line switch: -2/--certfile= to set the path to the
certificate file when using TLS.

* Version 1.0.40:
 - Support for TCP_FASTOPEN added on Linux
 - The LDAP configuration file didn't allow a default gid without also
defining a default uid. This is no longer the case.
 - OpenBSD's glob() left the glob_t structure uninitialized if the
pattern was larger than PATH_MAX, causing globfree() to free() an
unwanted pointer. The bug was introduced in Pure-FTPd 1.0.34.

* Version 1.0.39:
 - Explicitly include openssl/ec.h for OpenSSL 0.9.8 (CentOS 5)
 - Retry if SSL_shutdown() returns -1 and SSL_ERROR_WANT_(READ|WRITE)

* Version 1.0.38:
 - The default cipher suite is now \ 
ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-S \ 
HA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES2 \ 
56-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:EC \ 
DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA \ 
-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-S \ 
HA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES12 \ 
8-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM- \ 
SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:C \ 
AMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-D \ 
ES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SH
 - TLS forward secrecy support was added. DH parameters are loaded from
TLS_DHPARAMS_FILE, if present. ECDH is also supported - Default curve
is prime256v1 (TLS_DEFAULT_ECDH_CURVE). The best curve is automatically
selected when using LibreSSL.
 - scrypt hashed passwords can be used in the MySQL, PostgreSQL and
LDAP backends.

* Version 1.0.37:
 - The -C: prefix can be added to the cipher suite in order to make valid
client certificates mandatory. This is no longer a compile-time option.
 - The Clear Command Channel (CCC) command is now supported.
 - pure-config.py is compatible with Python 3.
 - SSL (v2, v3) is refused by default.
 - The PureDB backend supports the scrypt function in order to hash
passwords. This is the preferred algorithm, but requires the presence
of libsodium.
 - DES-hashed passwords are not supported any more.
 - LDAP uid and gid values can over overridden in the LDAP configuration file.
 - New LDAPUseTLS directive for LDAP.
 - RC4 was killed.

* Version 1.0.36:
 - The safe_write()/safe_read() factorization broke extauth. Using
safe_read_partial() to read from the extauth pipe wasn't enough.
Bug reported by Rasmus Fauske.
 - Improved autoconf detection of -fstack-protector and -fPIE
 - If 10 digits are not enough to print the size of a file in an
ls-like output, bump the max number of digits to 18. This adds support for
files up to 1 exabyte.
 - Pure-FTPd can be compiled with Cygwin, ASLR/DEP is enabled by
default on Windows, and ASCII downloads on Windows have been fixed.
 - A new undocumented macro, ALLOW_EVERYTHING_IN_FILE_NAMES, allows
any characters in a file name. Disabled by default.
 - Don't display dot files (except . and ..) if dot_read_ok is 0 in
donlist() - but not in sglob() yet. This change is purely cosmetic. There are
many ways to figure out if a file exists.
   2020-02-25 15:10:44 by Leonardo Taccari | Files touched by this commit (1) | Package updated
Log message:
pure-ftpd: Reset MAINTAINER to pkgsrc-users@

Email address seems no longer deliverable (if you are the maintainer and
reading that and/or if the problem was just temporary please let me
know and I will update it!).
   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.