Version in base suite: 1.3.6-4+deb10u2

Base version: proftpd-dfsg_1.3.6-4+deb10u2
Target version: proftpd-dfsg_1.3.6-4+deb10u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.6-4+deb10u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.6-4+deb10u3.dsc

 changelog                                                   |    9 +++
 patches/series                                              |    1 
 patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 |   35 ++++++++++++
 3 files changed, 45 insertions(+)

diff -Nru proftpd-dfsg-1.3.6/debian/changelog proftpd-dfsg-1.3.6/debian/changelog
--- proftpd-dfsg-1.3.6/debian/changelog	2019-10-23 14:22:38.000000000 +0000
+++ proftpd-dfsg-1.3.6/debian/changelog	2019-12-31 11:06:17.000000000 +0000
@@ -1,3 +1,12 @@
+proftpd-dfsg (1.3.6-4+deb10u3) buster; urgency=medium
+
+  * Cherry pick patch from upstream:
+     - for upstream 861 (CVE-2019-19269) (Closes: #946345)
+     - for upstream 859 (CVE-2019-19270) (Closes: #946346)
+     upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
+
+ -- Hilmar Preusse <hille42@web.de>  Tue, 31 Dec 2019 12:06:17 +0100
+
 proftpd-dfsg (1.3.6-4+deb10u2) buster-security; urgency=medium
 
   * Add patch from upstream to address CVE-2019-18217.
diff -Nru proftpd-dfsg-1.3.6/debian/patches/series proftpd-dfsg-1.3.6/debian/patches/series
--- proftpd-dfsg-1.3.6/debian/patches/series	2019-10-23 14:22:38.000000000 +0000
+++ proftpd-dfsg-1.3.6/debian/patches/series	2019-12-10 22:08:11.000000000 +0000
@@ -19,3 +19,4 @@
 github_pr_594
 CVE-2019-12815.patch
 bug_846_CVE-2019-18217.patch
+upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269	1970-01-01 00:00:00.000000000 +0000
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269	2019-12-10 22:08:11.000000000 +0000
@@ -0,0 +1,35 @@
+From 81cc5dce4fc0285629a1b08a07a109af10c208dd Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Sun, 24 Nov 2019 14:03:54 -0800
+Subject: [PATCH] Issue #859, #861: Fix handling of CRL lookups by properly
+ using issuer for lookups, and guarding against null pointers.
+
+---
+ contrib/mod_tls.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- proftpd-dfsg.orig/contrib/mod_tls.c
++++ proftpd-dfsg/contrib/mod_tls.c
+@@ -8968,10 +8968,10 @@
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+     !defined(HAVE_LIBRESSL)
+-  crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
++  crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
+ #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+       !defined(HAVE_LIBRESSL)
+-  crls = X509_STORE_get1_crls(store_ctx, subject);
++  crls = X509_STORE_get1_crls(store_ctx, issuer);
+ #else
+   /* Your OpenSSL is before 1.0.0.  You really need to upgrade. */
+   crls = NULL;
+@@ -8990,6 +8990,9 @@
+         ASN1_INTEGER *sn;
+ 
+         revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
++        if (revoked == NULL) {
++          continue;
++        }
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+     !defined(HAVE_LIBRESSL)
+         sn = X509_REVOKED_get0_serialNumber(revoked);