Version in base suite: 1.3.8+dfsg-4+deb12u1
Base version: proftpd-dfsg_1.3.8+dfsg-4+deb12u1
Target version: proftpd-dfsg_1.3.8+dfsg-4+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.8+dfsg-4+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.8+dfsg-4+deb12u2.dsc
 changelog                  |    6 +++
 patches/series             |    1
 patches/upstream_1707.diff |   69 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/changelog proftpd-dfsg-1.3.8+dfsg/debian/changelog
--- proftpd-dfsg-1.3.8+dfsg/debian/changelog	2023-06-28 13:17:54.000000000 +0000
+++ proftpd-dfsg-1.3.8+dfsg/debian/changelog	2023-11-16 22:06:15.000000000 +0000
@@ -1,3 +1,9 @@
+proftpd-dfsg (1.3.8+dfsg-4+deb12u2) bookworm; urgency=medium
+
+  * Add patch from upstream to address issue 1694 (Closes: #1051236).
+
+ -- Hilmar Preusse  Thu, 16 Nov 2023 23:06:15 +0100
+
 proftpd-dfsg (1.3.8+dfsg-4+deb12u1) bookworm; urgency=medium
   * Now do not enable proftpd.socket to avoid conflicts at boot time.
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/series proftpd-dfsg-1.3.8+dfsg/debian/patches/series
--- proftpd-dfsg-1.3.8+dfsg/debian/patches/series	2023-06-28 13:15:41.000000000 +0000
+++ proftpd-dfsg-1.3.8+dfsg/debian/patches/series	2023-11-16 22:05:44.000000000 +0000
@@ -17,3 +17,4 @@
 01_disable_inet_connect_ipv4_test.diff
 02_disable_redis_sentinel_conn_new_test.diff
 03_disable_all_non_api_tests.diff
+upstream_1707.diff
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/upstream_1707.diff proftpd-dfsg-1.3.8+dfsg/debian/patches/upstream_1707.diff
--- proftpd-dfsg-1.3.8+dfsg/debian/patches/upstream_1707.diff	1970-01-01 00:00:00.000000000 +0000
+++ proftpd-dfsg-1.3.8+dfsg/debian/patches/upstream_1707.diff	2023-11-16 22:05:44.000000000 +0000
@@ -0,0 +1,69 @@
+--- proftpd.orig/contrib/mod_sftp/kex.c
++++ proftpd/contrib/mod_sftp/kex.c
+@@ -52,6 +52,12 @@
+  */
+ #define SFTP_DH_PREF_MIN_LEN 2048
+ 
++/* Define the size of the buffer we use to compute H. Note that this buffer
++ * needs to be large enough to contain the KEXINIT messages from both client
++ * and server; see Issue#1694.
++ */
++#define SFTP_KEX_H_BUFLEN 8192
++
+ extern pr_response_t *resp_list, *resp_err_list;
+ extern module sftp_module;
+ 
+@@ -312,7 +318,7 @@
+   unsigned char *buf, *ptr;
+   uint32_t buflen, bufsz;
+ 
+-  bufsz = buflen = 8192;
++  bufsz = buflen = SFTP_KEX_H_BUFLEN;
+ 
+   /* XXX Is this buffer large enough? Too large? */
+   ptr = buf = sftp_msg_getbuf(kex_pool, bufsz);
+@@ -441,7 +447,7 @@
+   unsigned char *buf, *ptr;
+   uint32_t buflen, bufsz;
+ 
+-  bufsz = buflen = 8192;
++  bufsz = buflen = SFTP_KEX_H_BUFLEN;
+ 
+   /* XXX Is this buffer large enough? Too large? */
+   ptr = buf = sftp_msg_getbuf(kex_pool, bufsz);
+@@ -590,7 +596,7 @@
+   unsigned char *buf, *ptr;
+   uint32_t buflen, bufsz;
+ 
+-  bufsz = buflen = 4096;
++  bufsz = buflen = SFTP_KEX_H_BUFLEN;
+ 
+   /* XXX Is this buffer large enough? Too large? */
+   ptr = buf = sftp_msg_getbuf(kex_pool, bufsz);
+@@ -704,7 +710,7 @@
+   unsigned char *buf, *ptr;
+   uint32_t buflen, bufsz;
+ 
+-  bufsz = buflen = 4096;
++  bufsz = buflen = SFTP_KEX_H_BUFLEN;
+ 
+   /* XXX Is this buffer large enough? Too large? */
+   ptr = buf = sftp_msg_getbuf(kex_pool, bufsz);
+@@ -4142,7 +4148,7 @@
+   unsigned char *buf, *ptr;
+   uint32_t buflen, bufsz;
+ 
+-  bufsz = buflen = 4096;
++  bufsz = buflen = SFTP_KEX_H_BUFLEN;
+ 
+   /* XXX Is this buffer large enough? Too large? */
+   ptr = buf = sftp_msg_getbuf(kex_pool, bufsz);
+@@ -4584,7 +4590,7 @@
+   unsigned char *buf, *ptr;
+   uint32_t buflen, bufsz;
+ 
+-  bufsz = buflen = 4096;
++  bufsz = buflen = SFTP_KEX_H_BUFLEN;
+ 
+   /* XXX Is this buffer large enough? Too large? */
+   ptr = buf = sftp_msg_getbuf(kex_pool, bufsz);
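Review bot: Replacing the six hard-coded 4096/8192 values with a single `SFTP_KEX_H_BUFLEN` of 8192 only moves the cliff rather than removing it, because the client's KEXINIT payload that gets hashed into H is peer-controlled and nothing in this hunk bounds it to 8 KiB; whether a larger exchange now overruns `buf` or merely aborts the session depends entirely on the bounds checks inside the `sftp_msg_write_*` helpers, which are not visible here. A sturdier fix is to compute `bufsz` from the lengths of the components actually written (both version strings, both KEXINIT payloads, the host key blob, the exchange values and K) plus a fixed overhead, or, failing that, to check the total against `SFTP_KEX_H_BUFLEN` and fail the KEX explicitly before any write. The `/* XXX Is this buffer large enough? Too large? */` comment that survives at every call site now contradicts the rationale added above the new define; replace it with something like `/* Sized by SFTP_KEX_H_BUFLEN: must hold both KEXINIT payloads (Issue#1694). */`. All six functions whose buffers change begin and end outside the hunk, so the writes into `buf` that this constant must cover are not shown.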