| Summary: | proftpd new security issue CVE-2019-19270 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Mike Rambo <mhrambo3501> |
| Status: | RESOLVED INVALID | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | | |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO | | |
| Source RPM: | proftpd-1.3.5e-5.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2019-12-27 05:04:13 CET

Fedora has issued an advisory on December 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/

According to Debian, 1.3.5e is affected:
https://security-tracker.debian.org/tracker/CVE-2019-19270

Mageia 7 is also affected.

David Walser
2019-12-27 05:04:28 CET

Whiteboard: (none) => MGA7TOO

(In reply to David Walser from comment #0)
> Fedora has issued an advisory on December 8:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/
>
> According to Debian, 1.3.5e is affected:
> https://security-tracker.debian.org/tracker/CVE-2019-19270
>
> Mageia 7 is also affected.

The only patch Debian has at that URL is the one in 1.3.5e+r1.3.5-2+deb8u5, which we used for CVE-2019-19269 (mga#25844). The upstream patches do not apply to 1.3.5e, and if you strip out the non-applicable parts you are left with what was already applied in 25844. Maybe Debian is saying the same patch fixes both CVE-2019-19269 and CVE-2019-19270. In any case, I don't see anything further to do with this. I don't know whether this should be marked invalid or already resolved, so I'll leave that up to you.

Actually, it looks like this issue was fixed in 1.3.5c, so this would be INVALID. However, the previous issue (CVE-2019-19269) links to this commit:
https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f
which we're missing the first part of (s/subject/issuer).

Yes, Debian removed those parts (and I assumed it was for a reason). The 9c3f commit was for 1.3.6, which does not have the same code as 1.3.5e. That said, I made a patch which does everything that upstream did in the 9c3f commit, and it does build. But I don't know if the specific thing affected by the s/subject/issuer in proftpd works, or what would happen if it didn't. I'll push another update if you think it's safe.

Yeah, it does look like it should be issuer, but maybe Debian did what they did for a reason. I guess we can leave it for now. Hopefully we can get it updated to 1.3.6 before Mageia 8.

Resolution: (none) => INVALID