Debian Patches

Status for linux-ftpd-ssl/0.17.36+really0.17-2

Patch Description Author Forwarded Bugs Origin Last update
001-from_hamm.diff Patching recovered from linux-ftpd_0.17-13.diff.gz and Rainer Weikusat Herbert Xu <> no 2002-02-09
002-from_sarge.diff Patches taken from linux-ftpd_0.17-20sarge2.diff.gz. Difference constructed against linux-ftpd_0.17-13.diff.gz.
Robert Millan <>
Alberto Gonzalez Iniesta <>
Herbert Xu <> no 2006-09-25
003-from_etch.diff Patches recovered from linux-ftpd_0.17-23.diff.gz. Interdiff against linux-ftpd_0.17-20sarge2.diff.gz.
and Andreas Jochens.
Alberto Gonzalez Iniesta <agi@inittab> no 2006-11-25
010-ftpd_csrf.diff Fix cross-site request forgery (CSRF) attacks. Ian Beckwith <> no 2008-10-17
016-family_independence.diff Make the TCP transport code independent of address family. Make sure to eliminate as much outdated dependency on AF_INET,
even before migrating to true support for AF_INET6.
1. Rewrite dolog() and check_host().
2. Eliminate inet_ntoa(), gethostbyname(), gethostbyaddr().
3. Introduce helper functions get_port() and set_port()
in order to hide family dependency, as well as representation
in network byte order. This isolates use of ntohs() and htons()
to the above two functions, with a single exception.
4. Make sure that the daemon initialization depends only on
a single AF_INET used for getaddrinfo(). This will later
be replaced by AF_UNSPEC.
5. Make name and address lookup in main() independent of
address family.
6. Reconstruct passive() to inherit the address family from the
controlling socket, then build the listening socket
in an address-independent manner.
7. Let statcmd() and passive() report on IPv6 sockets
using the EPSV semantics '(|||portnum|)'.
8. Let the parser in ftpcmd.y use getaddrinfo() with NI_NUMERICHOST
when constructing the IP-address, instead of manipulating byte
fields. Likewise, hide port extraction in get_port().
which is in use by the OpenBSD strand of this software.
Mats Erik Andersson <> not-needed 2010-04-30
020-support_ipv6.diff Activate support for IPv6 transport. This patch supplies working services for:
1. Mixed IPv4 and IPv6 in inetd mode.
2. Mixed IPv4 and IPv6 in standalone daemon mode.
3. Selectable options '-4' and '-6' to activate a
single address family.
4. Registration in wtmp of the caller's address structure.
This field in 'struct utmp' was earlier ignored, as it
is an extension particular to Linux.
5. Implementation of ABOR for use in idle state.
6. Conversion of second time length in case a compatibility
layer between 32 bits and 64 bits is in effect.
Testing was performed using xinetd and net.ipv6.bindv6only=1,
on architectures i386 and amd64.
which is in use by the OpenBSD strand of this software.
Mats Erik Andersson <> not-needed 2011-04-06
024-failing_va_list.diff Reinitialize variable argument list for vsyslog(). The use of vprintf(fmt, ap) leaves the second argument in an
undefined state after execution. On a system using the amd64
architecture, this leads consistently to segmentation faults.
The solution is to insert the required initialization before
the call to vsyslog().
Mats Erik Andersson <> no 2010-05-09
026-support_glibc_bsd_and_gnu.diff Implement changes to support GNU/Hurd and GNU/kfreebsd. Several conditionals on '__linux__' are altered to react identically
to '__GLIBC__' and '__GNU__'. This should produce working code
also for the Debian ports GNU/kfreebsd and GNU/Hurd.
GNU/kfreebsd uses distinct options IP_PORTRANGE and IPV6_PORTRANGE
depending on address family.
Use IP_TOS only for IPv4 when compiling for non-Linux.
Mats Erik Andersson <> not-needed 2010-05-25
030-manpage_typos.diff Spelling error in manual page. Alberto Gonzalez Iniesta <> not-needed 2010-07-08
044-support_gnu_hurd.diff Support GNU/Hurd. Since MAXPATHLEN and MAXHOSTNAMELEN are not prescribed
by POSIX, GNU/Hurd need not specify these. Thus they are
now assigned the default values as used on BSD systems.
Mats Erik Andersson <> no 2012-03-29
500-ssl.diff Base SSL patch The original SSL patch, modified to apply to Debian's linux-ftpd package. Tim Hudson <> not-needed 2015-06-11
510-old_patches.diff Patches up to linux-ftpd-ssl 0.17.18+0.3-3 Cai Qian <>
and probably others

Christoph Martin <> no 2010-06-09
520-CVE-2005-3524.diff Fix CVE-2005-3524 - a remotely exploitable buffer overflow.
James Longstreet <> no debian
530-CVE-2007-6263.diff Fix CVE-2007-6263 - remote denial of service
Nico Golde <> no debian
540-docs.diff Document SSL options in manpage, fix typo
Ian Beckwith <> no
550-fix_warnings.diff Fix all warnings in source
Ian Beckwith <> no
560-set_default_key_and_cert.diff Set default SSL key/cert file to /etc/ftpd-ssl/ftpd.pem
Ian Beckwith <> no
570-redirect_ssl_output.diff Missing use of SSL protected stream. The commands HELP and STAT are not directing all their
output via the SSL mechanisms, instead sending data to
stdout. This appears as data loss to the client, or as
errors during SSL protected transmission.
Four particular problem cases are notable:
* STAT path
Mats Erik Andersson <> no debian 2015-01-06
580-recent_libssl.diff Make possible builds with libssl of version 1.1.0. Protected access to an opaque structure was made mandatory
in version 1.1.0 of libssl.
Mats Erik Andersson <> not-needed 2017-01-16
600-better_conformity.diff Better contemporary TLS abilities. The commands PBSZ, PROT and CCC are implemented to the minimal extent
needed to fulfill RFC 2228 in the sense of negotiating with a client.
Thereby 'AUTH TLS' and 'AUTH SSL' are treated correctly. A client
call like 'curl --ftp-ssl' is now successfully handled. 'Minimal'
means in particular that the protected mode 'PROT P' is the only
supported level for data exchange, once SSL handshaking is complete.
There are new SSL options, or corrected to be functional: 'debug=file',
'cipher=list', 'cacert=file', 'key=file', and 'certrequired'. The CA
list collected from 'cacert=file' will be sent to the client, which
is useful for advanced client software.
The option 'cert=file' reads a complete chain of certificates, which
together with 'cacert=file' makes the whole spectrum of verification
via 'verify=num' available. Either of 'certsok' and 'certrequired'
will set SSL_VERIFY_PEER, and 'certrequired' will also set
A temporary SSL option 'legacy' activates an ugly workaround during
verification, controlled by SSL_VERIFY_FAIL_IF_NO_PEER_CERT. This
quirk was present in the legacy patch set, but should not be used
with the new ability to read chains and CA lists. Its introduction
should only be seen as a step in the transition to contemporary
Include SSL_OP_NO_SSLv2 when setting library options.
Much effort has gone into sensible and helpful messages during SSL debug.
TODO: Autologin based on 'certsok' could be considered in SSL-only
mode, or in secure mode. Presently the PAM code is only able to emit
debug messages as to whether certsok would accept or reject the claimed
username for a corresponding subject identifier.

Mats Erik Andersson <> not-needed 2017-01-24
use-cmake-as-buildsystem.patch Use cmake as build system Christoph Biedl <> no debian 2019-02-24
use-cmake-as-buildsystem-debian-extras.patch Debian-specific changes to the cmake build system Christoph Biedl <> not-needed 2019-02-24
