Version in base suite: 1.3.0-19etch2 Version in overlay suite: (not present) Base version: proftpd-dfsg_1.3.0-19etch2 Target version: proftpd-dfsg_1.3.0-19etch3 Base file: /org/ftp.debian.org/ftp/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-19etch2.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/proftpd-dfsg_1.3.0-19etch3.dsc changelog | 7 +++ patches/00list | 1 patches/cve_2009_3639.dpatch | 82 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+)
diff -Nru proftpd-dfsg-1.3.0/debian/changelog proftpd-dfsg-1.3.0/debian/changelog
--- proftpd-dfsg-1.3.0/debian/changelog 2009-11-06 12:31:12.000000000 +0000
+++ proftpd-dfsg-1.3.0/debian/changelog 2009-10-26 13:55:07.000000000 +0000
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.0-19etch3) oldstable-security; urgency=low
+
+ * [SECURITY] Added patch cve_2009_3639.dpatch. It fixes CVE-2009-3639.
+ See also http://bugs.proftpd.org/show_bug.cgi?id=3275.
+
+ -- Francesco Paolo Lovergine Mon, 26 Oct 2009 14:53:56 +0100
+
 proftpd-dfsg (1.3.0-19etch2) stable-security; urgency=low
 * [SECURITY] Added patch xsiteforgery.dpatch. It fixes CVE-2008-4242.
diff -Nru proftpd-dfsg-1.3.0/debian/patches/00list proftpd-dfsg-1.3.0/debian/patches/00list
--- proftpd-dfsg-1.3.0/debian/patches/00list 2009-11-06 12:31:12.000000000 +0000
+++ proftpd-dfsg-1.3.0/debian/patches/00list 2009-10-26 13:53:45.000000000 +0000
@@ -17,3 +17,4 @@
 CORE-2006-1127
 auth_cache
 xsiteforgery
+cve_2009_3639
diff -Nru proftpd-dfsg-1.3.0/debian/patches/cve_2009_3639.dpatch proftpd-dfsg-1.3.0/debian/patches/cve_2009_3639.dpatch
--- proftpd-dfsg-1.3.0/debian/patches/cve_2009_3639.dpatch 1970-01-01 00:00:00.000000000 +0000
+++ proftpd-dfsg-1.3.0/debian/patches/cve_2009_3639.dpatch 2009-10-26 13:52:03.000000000 +0000
@@ -0,0 +1,82 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE_2009_3639.dpatch by Francesco Paolo Lovergine
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad 1.3.0~/contrib/mod_tls.c 1.3.0/contrib/mod_tls.c
+--- 1.3.0~/contrib/mod_tls.c 2009-10-26 14:48:44.000000000 +0100
++++ 1.3.0/contrib/mod_tls.c 2009-10-26 14:51:32.000000000 +0100
+@@ -450,14 +450,33 @@
+ const char *cert_dns_name = (const char *) name->d.ia5->data;
+ have_dns_ext = TRUE;
+
+- if (strcmp(cert_dns_name, conn->remote_name) != 0) {
+- tls_log("client cert dNSName value '%s' != client FQDN '%s'",
+- cert_dns_name, conn->remote_name);
++ /* Check for subjectAltName values which contain embedded
++ * NULs. This can cause verification problems (spoofing),
++ * e.g. if the string is "www.goodguy.com\0www.badguy.com"; the
++ * use of strcmp() only checks "www.goodguy.com".
++ */
++
++ if ((size_t) name->d.ia5->length != strlen(cert_dns_name)) {
++ tls_log("%s", "client cert dNSName contains embedded NULs, "
++ "rejecting as possible spoof attempt");
+
+ GENERAL_NAME_free(name);
+ sk_GENERAL_NAME_free(sk_alt_names);
+ X509_free(cert);
++ ok = FALSE;
+ return FALSE;
++
++ } else {
++ if (strcmp(cert_dns_name, conn->remote_name) != 0) {
++ tls_log("client cert dNSName value '%s' != client FQDN '%s'",
++ cert_dns_name, conn->remote_name);
++
++ GENERAL_NAME_free(name);
++ sk_GENERAL_NAME_free(sk_alt_names);
++ X509_free(cert);
++ ok = FALSE;
++ return FALSE;
++ }
+ }
+
+ tls_log("%s", "client cert dNSName matches client FQDN");
+@@ -1330,8 +1349,9 @@
+ /* Now we can go on with our post-handshake, application level
+ * requirement checks.
+ */
+- if (!tls_check_client_cert(ssl, conn))
++ if (!tls_check_client_cert(ssl, conn)) {
+ return -1;
++ }
+ }
+
+ /* Setup the TLS environment variables, if requested. 
*/
+@@ -2949,8 +2969,10 @@
+ if (tls_accept(session.c, FALSE) < 0) {
+ tls_log("%s", "TLS/TLS-C negotiation failed on control channel");
+
+- if (tls_required_on_ctrl)
++ if (tls_required_on_ctrl) {
++ pr_response_send(R_550, "TLS handshake failed");
+ end_login(1);
++ }
+
+ pr_response_add_err(R_550, "TLS handshake failed");
+ return ERROR(cmd);
+@@ -2973,8 +2995,10 @@
+ if (tls_accept(session.c, FALSE) < 0) {
+ tls_log("%s", "SSL/TLS-P negotiation failed on control channel");
+
+- if (tls_required_on_ctrl)
++ if (tls_required_on_ctrl) {
++ pr_response_send(R_550, "TLS handshake failed");
+ end_login(1);
++ }
+
+ pr_response_add_err(R_550, "TLS handshake failed");
+ return ERROR(cmd);
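Review bot: The dpatch header still reads `## DP: No description.`; for a security backport the description line should say what the patch does, e.g. `## DP: CVE-2009-3639: reject client cert dNSName values containing embedded NULs (proftpd bug 3275)`. In the first mod_tls.c hunk the length-vs-`strlen()` comparison does catch a `\0` inside the dNSName, but both new failure branches assign `ok = FALSE;` immediately before `return FALSE;`, which is a dead store; dropping it, or falling through to a single cleanup exit now that the three-call free sequence is repeated three times, would be clearer. The check, like the `strcmp()` that follows it, also relies on `name->d.ia5->data` being NUL-terminated — true for OpenSSL ASN1_STRING data in practice, but worth a one-line comment such as `/* OpenSSL NUL-terminates ASN1_STRING data, so strlen() is safe here */`. tls_check_client_cert begins and ends outside this hunk, so whether any commonName fallback path needs the same embedded-NUL check cannot be seen here.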