Wrapper doesn't include TLSCipherSuite

Bug #1381840 reported by Jeff Veit
Affects: pure-ftpd (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Because the pure-ftpd-wrapper doesn't include TLSCipherSuite, when TLS is switched on, PureFTP may be vulnerable to the PoodleBleed SSLv3 fallback attack. The TLSCipherSuite flag allows the administrator to set a particular cipher list. By default, when it's not present, SSLv3 is included in the list of acceptable ciphers.

I suggest that TLSCipherSuite be added. Possibly a default list of ciphers could be triggered with something like 'UbuntuDefault' as the value. This would trigger something that excluded SSLv3.

Tags: patch

Revision history for this message
Jeff Veit (jeff-veit) wrote :

For those wanting a quick, dirty fix...

Add
'TLSCipherSuite' => ['-J %s', \&parse_string],
to my %conf in /usr/sbin/pure-ftpd-wrapper.

In /etc/pure-ftpd/conf create TLSCipherSuite with something like
HIGH:MEDIUM:TLSv1.2:+TLSv1:!SSLv3:!SSLv2
as the content.

Then restart Pure FTP.

information type: Private Security → Public Security
Changed in pure-ftpd (Ubuntu):
status: New → Confirmed
Joshua Zeitlinger (joshuaspring9) wrote :

I hope I am following the proper procedures for security patches, as I am new to Ubuntu development and did my best to follow the packaging guide. The following debdiff patch fixes this issue by disabling SSLv3 using the -S flag included with the TLSCipherSuite parameter. You can verify the bug by running ./testssl.sh --starttls ftp localhost:21 (script from http://testssl.sh/testssl.sh) and checking that SSLv3 is enabled in the output.

To test, the patch below was applied and the package rebuilt using pbuilder in a clean environment. The output deb file was applied over the currently available trusty version on a virtual machine without issue. The FileZilla client was used to ensure normal operation of the FTP server. Re-running ./testssl.sh --starttls ftp localhost:21 then showed SSLv3 to be disabled.

This issue was fixed in Debian version 1.0.36-3, meaning no future versions of Ubuntu are affected. I chose to use the -S flag rather than the Debian fix of including !SSLv3 in TLSCipherSuite because that also disables TLSv1 and TLSv1.1 (all 3 share the same cipher suites). I can also submit a branch merge request if that method is preferred.

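As an added example (not code from the bug thread or from the pure-ftpd package), the Python below models two things the comments above discuss. First, the wrapper's option table from the quick fix: a file under /etc/pure-ftpd/conf only becomes a command-line flag if the table has an entry for it, which is why the unpatched wrapper silently drops a TLSCipherSuite file. Second, what a TLSCipherSuite value actually selects, using the local OpenSSL's view of each suite's minimum protocol version, which is the mechanism behind the !SSLv3 discussion. Only the '-J %s' mapping comes from the thread; the TLS to -Y mapping, the parse_string behaviour, and the sample conf directory are assumptions constructed for this example.

```python
"""Model of pure-ftpd-wrapper's option table plus a TLSCipherSuite check.

Added example, not the wrapper's real code. The '-J %s' entry is the line
posted in the thread; everything else here is an assumption for illustration.
"""
import ssl
import tempfile
from pathlib import Path


def parse_string(text):
    """First non-empty, non-comment line of a conf file (assumed behaviour)."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return line
    return None


# The unpatched table knows nothing about TLSCipherSuite; the TLS -> -Y entry
# is assumed here. The patched table adds the line from the thread.
WRAPPER_TABLE_UNPATCHED = {"TLS": ("-Y %s", parse_string)}
WRAPPER_TABLE_PATCHED = dict(WRAPPER_TABLE_UNPATCHED,
                             TLSCipherSuite=("-J %s", parse_string))


def build_args(conf_dir, table):
    """Build the pure-ftpd argument list from a conf directory.

    Each file is named after an option. Files with no table entry are ignored,
    so with the unpatched table a TLSCipherSuite file is never turned into -J.
    """
    args = []
    for path in sorted(Path(conf_dir).iterdir()):
        entry = table.get(path.name)
        if entry is None:
            continue
        fmt, parser = entry
        value = parser(path.read_text())
        if value is not None:
            args.extend((fmt % value).split(" ", 1))
    return args


def demo_conf_dir():
    """Constructed sample conf directory: TLS on, cipher list from the thread."""
    d = Path(tempfile.mkdtemp())
    (d / "TLS").write_text("1\n")
    (d / "TLSCipherSuite").write_text("HIGH:MEDIUM:TLSv1.2:+TLSv1:!SSLv3:!SSLv2\n")
    return d


def expand(cipher_string):
    """Suites the local OpenSSL selects for a cipher string, each with the
    lowest protocol version it can be used with. TLS 1.3 suites are not
    governed by this string and are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def min_protocols(cipher_string):
    """Set of minimum protocol versions among the selected suites."""
    return {proto for _, proto in expand(cipher_string)}


def usable_before_tls12(cipher_string):
    """Suites a TLS 1.0/1.1 client could still negotiate. OpenSSL tags the
    pre-1.2 CBC suites as 'SSLv3' or 'TLSv1'; '!SSLv3' removes the former,
    and how many of the latter exist depends on the OpenSSL build."""
    return [name for name, proto in expand(cipher_string)
            if proto in ("SSLv3", "TLSv1")]


if __name__ == "__main__":
    conf = demo_conf_dir()
    print("unpatched wrapper:", build_args(conf, WRAPPER_TABLE_UNPATCHED))
    print("patched wrapper:  ", build_args(conf, WRAPPER_TABLE_PATCHED))
    for s in ("HIGH:MEDIUM", "HIGH:MEDIUM:TLSv1.2:+TLSv1:!SSLv3:!SSLv2"):
        print(s, "->", sorted(min_protocols(s)),
              len(usable_before_tls12(s)), "suites usable below TLS 1.2")
```

Run as a script it prints the argument list the wrapper would hand to pure-ftpd with and without the TLSCipherSuite entry, then for each cipher string the minimum versions present and how many suites a pre-TLS 1.2 client could still use. Which suites survive !SSLv3 depends on the OpenSSL build: recent builds report the ECDHE CBC suites as TLSv1 rather than SSLv3, so the string locks out fewer TLS 1.0/1.1 clients there than it did on the OpenSSL that trusty shipped with.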
Mathew Hodson (mhodson)
Changed in pure-ftpd (Ubuntu):
importance: Undecided → Medium
Mathew Hodson (mhodson)
tags: added: patch
Changed in pure-ftpd (Ubuntu):
status: Confirmed → Triaged
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff in comment #2, but I don't think it's appropriate to have a completely different default configuration backported to Ubuntu 14.04 LTS than the configuration that is currently in Ubuntu 15.10 and Ubuntu 16.04 LTS.

While the configuration that is in later releases may not suit your needs, I think it would be confusing for administrators to have different versions contain different defaults.

Please update the debdiff with the exact configuration changes that are in later releases, and we'll sponsor the package. Thanks!

Joshua Zeitlinger (joshuaspring9) wrote :

Here is the updated patch which uses the same fix included in Debian and later Ubuntu versions.

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #4, thanks!

I'll release the package as a security update today.

Changed in pure-ftpd (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pure-ftpd - 1.0.36-1.1ubuntu0.1

---------------
pure-ftpd (1.0.36-1.1ubuntu0.1) trusty-security; urgency=low

  * SECURITY-UPDATE: SSLv3 is enabled by default allowing the POODLE
    attack (LP: #1381840)
    - debian/pure-ftpd-wrapper: enable loading of TLSCipherSuite parameter
    - debian/etc/TLSCipherSuite: disable SSLv3
    - CVE-2014-3566

 -- Joshua Zeitlinger <email address hidden> Sat, 28 May 2016 19:50:18 -0400

Changed in pure-ftpd (Ubuntu):
status: Fix Committed → Fix Released