Bug 17960 - proftpd new security issue CVE-2016-3125
Summary: proftpd new security issue CVE-2016-3125
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All, OS: Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/680795/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-11 20:44 CET by David Walser
Modified: 2016-03-31 22:23 CEST (History)
CC List: 5 users

See Also:
Source RPM: proftpd-1.3.5-5.1.mga5.src.rpm
CVE: CVE-2016-3125
Status comment:


Attachments

Description David Walser 2016-03-11 20:44:43 CET
A CVE has been assigned for a security issue in proftpd's mod_tls in 1.3.5b:
http://openwall.com/lists/oss-security/2016/03/11/14

The upstream patch doesn't apply cleanly to 1.3.5.  We'll have to see if someone backports it, or we'll have to update to 1.3.5b (already done in Cauldron).
Comment 1 David Walser 2016-03-21 17:35:01 CET
Fedora has issued an advisory for this on March 20:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179143.html
David Walser 2016-03-21 18:50:58 CET

URL: (none) => http://lwn.net/Vulnerabilities/680795/

Comment 2 Marja Van Waes 2016-03-28 22:25:58 CEST
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 3 José Jorge 2016-03-30 17:28:30 CEST
I agree with the update to 1.3.5b. David, I can do that if you want...

Status: NEW => ASSIGNED
CC: (none) => lists.jjorge

Comment 4 David Walser 2016-03-30 17:29:25 CEST
(In reply to José Jorge from comment #3)
> I agree with the update to 1.3.5b. David, I can do that if you want...

Please do.  Thanks.
Comment 5 José Jorge 2016-03-30 18:12:48 CEST
I have uploaded a 1.3.5b package for Mageia 5.

You can test this by connecting by ftp to localhost ;-)

Suggested advisory:
========================

Updated proftpd packages fix security vulnerabilities: a CVE has been assigned for a security issue in proftpd's mod_tls.


This update also brings, as a bonus, other bugfixes from the 1.3.5b version:
  + SSH RSA hostkeys smaller than 2048 bits now work properly.
  + MLSD response lines are now properly CRLF terminated.
  + Fixed selection of DH groups from TLSDHParamFile.


References:
http://openwall.com/lists/oss-security/2016/03/11/14
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b
========================

Updated packages in {core,tainted}/updates_testing:
========================
proftpd-1.3.5b-1.mga5
proftpd-mod{*}1.3.5b-1.mga5
proftpd-devel-1.3.5b-1.mga5


Source RPMs: 
proftpd-1.3.5b-1.mga5
José Jorge 2016-03-30 18:13:23 CEST

Assignee: pkg-bugs => qa-bugs

José Jorge 2016-03-30 18:13:54 CEST

CVE: (none) => CVE-2016-3125

Comment 6 David Walser 2016-03-30 18:19:19 CEST
Thanks José!

Suggested advisory:
========================

Updated proftpd packages fix security vulnerability:

A bug with security implications was found in the mod_tls module in ProFTPD
before 1.3.5b. This module has a configuration option TLSDHParamFile to specify
user-defined Diffie Hellman parameters. The software would ignore the
user-defined parameters and use Diffie Hellman key exchanges with 1024 bits
(CVE-2016-3125).

The proftpd package has been updated to version 1.3.5b, which fixes this issue
and other bugs, including:
- SSH RSA hostkeys smaller than 2048 bits now work properly.
- MLSD response lines are now properly CRLF terminated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3125
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179143.html
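The advisory above describes a configuration directive (TLSDHParamFile) being silently ignored, so the check a practitioner wants after applying the update is "does the server negotiate the group size my file provides?". The following is an added example, not code from this bug, the Mageia packagers or ProFTPD upstream. It does two things: parses the PEM file named by TLSDHParamFile (PKCS#3 DHParameter, a DER SEQUENCE of the prime and the generator) and reports the prime's bit length, and pulls the negotiated ephemeral DH size out of an `openssl s_client -starttls ftp` transcript (the "Server Temp Key" line printed by OpenSSL 1.0.2 and later), then compares the two. The placeholder primes, the transcripts and the function names (`dh_param_bits`, `server_temp_key_bits`, `assess`) are this example's own constructions; the primes are only the right length and are not safe primes, so they must never be installed as real parameters.

```python
"""Audit the DH parameters a ProFTPD mod_tls deployment provides versus what it negotiates.

Added example, not upstream code.  To use it against a real server:
    dh_param_bits(open("/etc/proftpd/dhparams.pem").read())   # path is an assumption
    openssl s_client -connect ftp.example.org:21 -starttls ftp </dev/null 2>/dev/null
and feed that transcript to server_temp_key_bits().
"""
import base64
import re

MIN_DH_BITS = 2048  # policy threshold; the fallback described in the advisory is 1024 bits


# --- minimal DER helpers for PKCS#3 DHParameter ::= SEQUENCE { prime, base, privateValueLength OPTIONAL }

def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_encode_int(n):
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_encode_len(len(body)) + body


def _der_decode_len(buf, i):
    """Return (length, offset of the first content byte) for the length field at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_decode_int(buf, i):
    """Return (value, offset after the INTEGER) for the INTEGER at buf[i]."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER at offset %d" % i)
    length, start = _der_decode_len(buf, i + 1)
    return int.from_bytes(buf[start:start + length], "big", signed=True), start + length


def make_dh_params_pem(p, g=2):
    """Build a PEM 'DH PARAMETERS' block; used here only to construct fixtures."""
    body = _der_encode_int(p) + _der_encode_int(g)
    der = b"\x30" + _der_encode_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


def parse_dh_params_pem(pem_text):
    """Return (p, g) from the first 'DH PARAMETERS' block, e.g. the contents of TLSDHParamFile."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_decode_len(der, 1)
    p, i = _der_decode_int(der, i)
    g, i = _der_decode_int(der, i)  # an optional privateValueLength may follow; irrelevant here
    if p <= 0 or g <= 1:
        raise ValueError("implausible DH parameters")
    return p, g


def dh_param_bits(pem_text):
    """Bit length of the DH prime the file provides."""
    return parse_dh_params_pem(pem_text)[0].bit_length()


def server_temp_key_bits(s_client_output):
    """Ephemeral DH size from an `openssl s_client` transcript; None if no DH key exchange was used."""
    m = re.search(r"Server Temp Key:\s*DH,\s*(\d+)\s*bits", s_client_output)
    return int(m.group(1)) if m else None


def assess(configured_bits, negotiated_bits):
    """Compare what TLSDHParamFile provides with what the server actually negotiated."""
    if negotiated_bits is None:
        return "no ephemeral DH negotiated (ECDH or RSA key exchange; check TLSCipherSuite)"
    if configured_bits is not None and negotiated_bits < configured_bits:
        return ("TLSDHParamFile ignored: negotiated %d-bit DH but the file provides %d-bit "
                "(the CVE-2016-3125 behaviour)" % (negotiated_bits, configured_bits))
    if negotiated_bits < MIN_DH_BITS:
        return "weak: %d-bit DH is below the %d-bit policy" % (negotiated_bits, MIN_DH_BITS)
    return "ok: %d-bit DH" % negotiated_bits


# Constructed fixtures: placeholder values of the right length, NOT safe primes.
PLACEHOLDER_2048_P = (1 << 2047) | 1
PLACEHOLDER_1024_P = (1 << 1023) | 1
# Constructed s_client transcripts; the "Server Temp Key" line is the OpenSSL 1.0.2+ format.
S_CLIENT_BEFORE_FIX = "...\nServer Temp Key: DH, 1024 bits\n---\n"
S_CLIENT_AFTER_FIX = "...\nServer Temp Key: DH, 2048 bits\n---\n"

if __name__ == "__main__":
    configured = dh_param_bits(make_dh_params_pem(PLACEHOLDER_2048_P))
    for label, transcript in (("1.3.5", S_CLIENT_BEFORE_FIX), ("1.3.5b", S_CLIENT_AFTER_FIX)):
        print("%-7s %s" % (label, assess(configured, server_temp_key_bits(transcript))))
```

With a 2048-bit file configured, the constructed "before" transcript produces the "TLSDHParamFile ignored" verdict and the "after" transcript produces "ok", which is the difference the update is meant to make. A transcript showing ECDH rather than DH yields no verdict about this CVE at all, since the bug only concerned finite-field DH groups taken from TLSDHParamFile.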
Dave Hodgins 2016-03-31 19:20:19 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 7 William Kenney 2016-03-31 19:46:54 CEST
In VirtualBox, M5, KDE, 32-bit

default install of proftpd

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.1.mga5.i586 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

install proftpd from updates_testing

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.i586 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

CC: (none) => wilcal.int
Whiteboard: advisory => advisory MGA5-32-OK

Comment 8 William Kenney 2016-03-31 20:02:04 CEST
In VirtualBox, M5, KDE, 64-bit

default install of proftpd

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5-5.1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

install proftpd from updates_testing

[root@localhost wilcal]# urpmi proftpd
Package proftpd-1.3.5b-1.mga5.x86_64 is already installed

accessing localhost using filezilla works
accessing Vbox client from another system on the LAN w/filezilla works

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK

Comment 9 William Kenney 2016-03-31 20:02:29 CEST
This looks good to go. What you say David?
Comment 10 David Walser 2016-03-31 20:03:25 CEST
Yes, thanks William.
Comment 11 William Kenney 2016-03-31 20:37:13 CEST
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2016-03-31 22:23:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0128.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

