Debian Package Tracker

proftpd-dfsg

general
  • source: proftpd-dfsg (main)
  • version: 1.3.9b~dfsg-1
  • maintainer: ProFTPD Maintainance Team (archive) (DMD)
  • uploaders: Francesco Paolo Lovergine [DMD] – Hilmar Preuße [DMD]
  • arch: all any
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.3.7a+dfsg-12+deb11u2
  • o-o-sec: 1.3.7a+dfsg-12+deb11u5
  • oldstable: 1.3.8+dfsg-4+deb12u5
  • old-sec: 1.3.8+dfsg-4+deb12u4
  • stable: 1.3.8.c+dfsg-4+deb13u2
  • testing: 1.3.9b~dfsg-1
  • unstable: 1.3.9b~dfsg-1
versioned links
  • 1.3.7a+dfsg-12+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.7a+dfsg-12+deb11u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.8+dfsg-4+deb12u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.8+dfsg-4+deb12u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.8.c+dfsg-4+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.3.9b~dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • proftpd-core (2 bugs: 0, 1, 1, 0)
  • proftpd-dev
  • proftpd-doc
  • proftpd-mod-crypto (1 bugs: 0, 1, 0, 0)
  • proftpd-mod-geoip
  • proftpd-mod-ldap
  • proftpd-mod-mysql
  • proftpd-mod-odbc
  • proftpd-mod-pgsql
  • proftpd-mod-snmp
  • proftpd-mod-sqlite
  • proftpd-mod-wrap
action needed
1 security issue in sid [high]

There is 1 open security issue in sid.

1 important issue:
  • CVE-2026-35025: ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
Created: 2026-06-24 Last update: 2026-06-25 17:19
1 security issue in forky [high]

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-35025: ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
Created: 2026-06-24 Last update: 2026-06-25 17:19
3 security issues in bullseye [high]

There are 3 open security issues in bullseye.

3 important issues:
  • CVE-2026-35025: ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
  • CVE-2026-42167: mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
  • CVE-2026-44331: In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.
Created: 2026-04-28 Last update: 2026-06-25 17:19
2 security issues in bookworm [high]

There are 2 open security issues in bookworm.

1 important issue:
  • CVE-2026-35025: ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
1 issue left for the package maintainer to handle:
  • CVE-2026-44331: (needs triaging) In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-06 Last update: 2026-06-25 17:19
version in VCS is newer than in repository, is it time to upload? [normal]
vcswatch reports that this package seems to have a new changelog entry (version 1.3.9b~dfsg-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 538bb5a096dc9f57058fd45fc3905b08ec87260e
Author: Hilmar Preuße <hille42@web.de>
Date:   Fri Jun 26 23:57:14 2026 +0200

    Add changelog entry for #1140676.

commit 4566b22d1e748a5f622c099abd8f70b396f47e26
Merge: 46b4203 6bf251f
Author: Hilmar Preuße <hille42@web.de>
Date:   Thu Jun 25 10:23:24 2026 +0200

    Merge branch 'fix_r3' into 'master'
    
    Build without Rules-Requires-Root: binary-targets
    
    See merge request debian-proftpd-team/proftpd!13

commit 6bf251fbb0bf5857961ebc45d3c482969faabef7
Author: Jochen Sprickerhof <jspricke@debian.org>
Date:   Wed Jun 24 11:40:36 2026 +0200

    Build without Rules-Requires-Root: binary-targets
    
    This allows building without fakeroot and makes the package reproducible
    on reproduce.debian.net. Note that setting install_user/group has no
    effect on the resulting packages as the user and group are fixed by
    the Debian build tooling.

commit 46b4203ef412fd4e24bd7f07efb0c80b02dd061d
Author: Hilmar Preuße <hille42@web.de>
Date:   Sun Jun 14 23:16:27 2026 +0200

    Fix lintian warning for ftpasswd.8.

commit 191cb9a10826ee637940362a0bd39997e9446cbe
Author: Hilmar Preuße <hille42@web.de>
Date:   Fri Jun 12 23:47:13 2026 +0200

    Patch for #1105645.

commit d37fead3cf2fe9e16bdb1f3d3081ca3f5d573ae3
Author: Hilmar Preuße <hille42@web.de>
Date:   Mon Jun 8 22:57:39 2026 +0200

    Simplify d/patches/autotools a little bit.
Created: 2026-06-08 Last update: 2026-06-27 00:31
lintian reports 1 warning [normal]
Lintian reports 1 warning about this package. You should make the package lintian-clean by getting rid of it.
Created: 2026-05-27 Last update: 2026-05-27 07:31
2 low-priority security issues in trixie [low]

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-35025: (postponed; to be fixed through a stable update) ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
  • CVE-2026-44331: (needs triaging) In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-28 Last update: 2026-06-25 17:19
Issues found with some translations [low]

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-07-24 Last update: 2025-08-18 02:34
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.0).
Created: 2025-02-21 Last update: 2026-06-08 04:49
testing migrations
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
  • [2026-06-13] proftpd-dfsg 1.3.9b~dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-07] Accepted proftpd-dfsg 1.3.9b~dfsg-1 (source) into unstable (Hilmar Preuße)
  • [2026-05-14] proftpd-dfsg 1.3.9a~dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-06] Accepted proftpd-dfsg 1.3.9a~dfsg-1 (source) into unstable (Hilmar Preuße)
  • [2026-05-02] Accepted proftpd-dfsg 1.3.8+dfsg-4+deb12u5 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Hilmar Preuße)
  • [2026-05-02] Accepted proftpd-dfsg 1.3.8.c+dfsg-4+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Hilmar Preuße)
  • [2026-05-02] proftpd-dfsg 1.3.9~dfsg-5 MIGRATED to testing (Debian testing watch)
  • [2026-04-28] Accepted proftpd-dfsg 1.3.9~dfsg-5 (source) into unstable (Hilmar Preuße)
  • [2025-11-11] proftpd-dfsg 1.3.9~dfsg-4 MIGRATED to testing (Debian testing watch)
  • [2025-11-09] Accepted proftpd-dfsg 1.3.8.c+dfsg-4+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Hilmar Preuße)
  • [2025-11-08] Accepted proftpd-dfsg 1.3.9~dfsg-4 (source) into unstable (Hilmar Preuße)
  • [2025-09-11] proftpd-dfsg 1.3.9~dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2025-09-09] Accepted proftpd-dfsg 1.3.9~dfsg-3 (source) into unstable (Hilmar Preuße)
  • [2025-08-31] proftpd-dfsg 1.3.9~dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2025-08-15] Accepted proftpd-dfsg 1.3.9~dfsg-2 (source) into unstable (Hilmar Preuße)
  • [2025-05-12] proftpd-dfsg 1.3.8.c+dfsg-4 MIGRATED to testing (Debian testing watch)
  • [2025-05-01] Accepted proftpd-dfsg 1.3.8.c+dfsg-4 (source) into unstable (Hilmar Preuße)
  • [2025-04-19] Accepted proftpd-dfsg 1.3.8.c+dfsg-3 (source) into unstable (Hilmar Preuße)
  • [2025-03-16] Accepted proftpd-dfsg 1.3.9~dfsg-1 (source) into experimental (Hilmar Preuße)
  • [2025-03-08] proftpd-dfsg 1.3.8.c+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2025-03-04] Accepted proftpd-dfsg 1.3.8.c+dfsg-2 (source) into unstable (Hilmar Preuße)
  • [2025-03-02] Accepted proftpd-dfsg 1.3.7a+dfsg-12+deb11u5 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-12-17] proftpd-dfsg 1.3.8.c+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-12-13] Accepted proftpd-dfsg 1.3.8.c+dfsg-1 (source) into unstable (Hilmar Preuße)
  • [2024-12-12] Accepted proftpd-dfsg 1.3.8+dfsg-4+deb12u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Hilmar Preuße)
  • [2024-12-10] Accepted proftpd-dfsg 1.3.8+dfsg-4+deb12u4 (source) into stable-security (Debian FTP Masters) (signed by: Hilmar Preuße)
  • [2024-11-29] Accepted proftpd-dfsg 1.3.7a+dfsg-12+deb11u3 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-11-18] proftpd-dfsg 1.3.8.b+dfsg-4 MIGRATED to testing (Debian testing watch)
  • [2024-11-15] Accepted proftpd-dfsg 1.3.8.b+dfsg-4 (source) into unstable (Hilmar Preuße)
  • [2024-11-08] proftpd-dfsg REMOVED from testing (Debian testing watch)
bugs [bug history graph]
  • all: 11
  • RC: 0
  • I&N: 6
  • M&W: 3
  • F&P: 2
  • patch: 0
links
  • homepage
  • lintian (0, 1)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • l10n (-, 87)
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.3.9b~dfsg-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.