Version in base suite: 1.3.8+dfsg-4+deb12u4 Base version: proftpd-dfsg_1.3.8+dfsg-4+deb12u4 Target version: proftpd-dfsg_1.3.8+dfsg-4+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.8+dfsg-4+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.8+dfsg-4+deb12u5.dsc changelog | 7 ++ patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff | 36 ++++++++++++++ patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff | 44 ++++++++++++++++++ patches/series | 2 4 files changed, 89 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpvmgsz0bs/proftpd-dfsg_1.3.8+dfsg-4+deb12u4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpvmgsz0bs/proftpd-dfsg_1.3.8+dfsg-4+deb12u5.dsc: no acceptable signature found
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/changelog proftpd-dfsg-1.3.8+dfsg/debian/changelog
--- proftpd-dfsg-1.3.8+dfsg/debian/changelog 2024-11-30 22:32:48.000000000 +0000
+++ proftpd-dfsg-1.3.8+dfsg/debian/changelog 2026-04-13 20:46:57.000000000 +0000
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.8+dfsg-4+deb12u5) bookworm; urgency=medium
+
+ * Add patch from upstream to address CVE-2024-57392.
+ * Add patch from upstream to address issues #1840 (Closes: #1133677).
+
+ -- Hilmar Preuße Mon, 13 Apr 2026 22:46:57 +0200
+
 proftpd-dfsg (1.3.8+dfsg-4+deb12u4) bookworm-security; urgency=high
 * Add my Debian E-Mail address to Field Uploaders.
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff
--- proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff 1970-01-01 00:00:00.000000000 +0000
+++ proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff 2026-04-13 18:56:15.000000000 +0000
@@ -0,0 +1,36 @@
+From 3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6 Mon Sep 17 00:00:00 2001
+From: TJ Saunders
+Date: Sat, 26 Oct 2024 12:06:00 -0700
+Subject: [PATCH] Issue #1840: Fix the computation of the RADIUS
+ Message-Authenticator signature to conform more properly to RFC 2869. (#1843)
+
+---
+ contrib/mod_radius.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c
+index f232e99290..057bd1a377 100644
+--- a/contrib/mod_radius.c
++++ b/contrib/mod_radius.c
+@@ -1,6 +1,6 @@
+ /*
+ * ProFTPD: mod_radius -- a module for RADIUS authentication and accounting
+- * Copyright (c) 2001-2022 TJ Saunders
++ * Copyright (c) 2001-2024 TJ Saunders
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -2266,8 +2266,11 @@ static int radius_verify_auth_mac(radius_packet_t *pkt, const char *pkt_type,
+ memset(replied, '\0', sizeof(replied));
+ memcpy(replied, attrib->data, attrib_len);
+
+- /* Next, zero out the value so that we can calculate it ourselves. */
+- memset(attrib->data, '\0', attrib_len);
++ /* Next, zero out the value so that we can calculate it ourselves.
++ *
++ * Note that we only want to zero out the first 16 bytes, per RFC 2869.
++ */
++ memset(attrib->data, '\0', expected_len);
+
+ memset(digest, '\0', sizeof(digest));
+ md = EVP_md5();
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
--- proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff 1970-01-01 00:00:00.000000000 +0000
+++ proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff 2026-04-13 18:55:58.000000000 +0000
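Review bot: The memset at the end of the mod_radius hunk now clears `expected_len` bytes of `attrib->data`, while the memcpy three lines above still copies `attrib_len` bytes into `replied`, and nothing in the hunk shows the two lengths being reconciled; if `attrib_len` can be smaller than `expected_len` the memset writes past the attribute value, and if it can exceed `sizeof(replied)` the memcpy overruns the local buffer. Presumably radius_verify_auth_mac validates the attribute length before this point (the function starts and ends outside the hunk), but the backport would be easier to audit with that invariant stated at the memset, e.g. `/* attrib_len was checked against expected_len (16) above; clear only the MAC value so the digest input matches RFC 2869 */`. If no such check exists at this version, a length comparison that returns the function's failure value belongs before the memcpy rather than relying on the caller.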
@@ -0,0 +1,44 @@
+From 9b2b4a3e32d251798bf8fa841b124ab15ba58f11 Mon Sep 17 00:00:00 2001
+From: TJ Saunders
+Date: Sun, 9 Feb 2025 12:13:48 -0800
+Subject: [PATCH] Manually backporting some of the null pointer guards from
+ Issue #1866 to the 1.3.8 branch.
+
+---
+ modules/mod_ls.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/mod_ls.c b/modules/mod_ls.c
+index 5458ccc74d..980691b9d6 100644
+--- a/modules/mod_ls.c
++++ b/modules/mod_ls.c
+@@ -2,7 +2,7 @@
+ * ProFTPD - FTP server daemon
+ * Copyright (c) 1997, 1998 Public Flood Software
+ * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu
+- * Copyright (c) 2001-2022 The ProFTPD Project
++ * Copyright (c) 2001-2024 The ProFTPD Project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -360,7 +360,8 @@ static int sendline(int flags, char *fmt, ...) {
+ errno != 0) {
+ int xerrno = errno;
+
+- if (session.d != NULL) {
++ if (session.d != NULL &&
++ session.d->outstrm != NULL) {
+ xerrno = PR_NETIO_ERRNO(session.d->outstrm);
+ }
+
+@@ -1101,7 +1102,9 @@ static int outputfiles(cmd_rec *cmd) {
+ return res;
+ }
+
+- tail->down = NULL;
++ if (tail != NULL) {
++ tail->down = NULL;
++ }
+ tail = NULL;
+ colwidth = (colwidth | 7) + 1;
+ if (opt_l || !opt_C) {
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/series proftpd-dfsg-1.3.8+dfsg/debian/patches/series
--- proftpd-dfsg-1.3.8+dfsg/debian/patches/series 2024-11-30 22:32:48.000000000 +0000
+++ proftpd-dfsg-1.3.8+dfsg/debian/patches/series 2026-04-13 18:56:56.000000000 +0000
@@ -21,3 +21,5 @@
 bcec15efe6c53dac40420731013f1cd2fd54123b.diff
 97bbe68363ccf2de0c07f67170ec64a8b4d62592.diff
 5031d498a71c493b9659e2b5ccafde58b0897e30.diff
+9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
+3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff
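Review bot: The new `if (tail != NULL)` guard in outputfiles turns a NULL `tail` from a crash into a silent fall-through into `tail = NULL;` and the column-width code after it, but the hunk does not show how the list can be empty at that point or whether the code that follows copes with an empty list; a comment at the guard such as `/* tail is NULL when no entries were collected; the width/output code below must tolerate an empty list */` (marked as a TODO if that has not been confirmed against the 1.3.8 sources) would record what the backport relies on. The sendline guard is sound on its own: when `session.d->outstrm` is NULL, `xerrno` keeps the `errno` captured on the line above. The patch subject says only some of the Issue #1866 guards were backported; noting in the patch header which ones were left out, and which of the two new patches is the one the changelog ties to CVE-2024-57392, would help the next security update. Both sendline and outputfiles begin and end outside the hunk.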