SSH authentication fails for many clients because the server mishandles an SSH_MSG_IGNORE packet

Bug #1870555 reported by Eric Desrochers
Affects                  | Status       | Importance | Assigned to | Milestone
proftpd (Ubuntu)         | Fix Released | Undecided  | Unassigned  |
proftpd (Ubuntu Xenial)  | Incomplete   | Undecided  | Unassigned  |
proftpd (Ubuntu Bionic)  | Incomplete   | Undecided  | Unassigned  |
proftpd (Ubuntu Eoan)    | Won't Fix    | Undecided  | Unassigned  |

Bug Description

The following has been brought to my attention:

There is a Debian bug report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949622

The proftpd-basic package suffers from this bug. The impact is very widespread. Every person that uses Filezilla client version greater than 3.46.1 cannot connect to any Ubuntu server using this proftpd package due to the bug.

As you see in the link above, there is a patch for Debian. So is it possible that the support team can get this functionality bug and security fix implemented in Xenial and Bionic?

https://github.com/proftpd/proftpd/commit/3d17c8419afb10580b942f392f0a5c6de995c4e2

# Proftpd
$ git describe --contains 3d17c8419
v1.3.7rc3~25^2

 proftpd-basic | 1.3.5a-1ubuntu0.1 | xenial-updates/universe
 proftpd-basic | 1.3.5e-1build1 | bionic/universe
 proftpd-basic | 1.3.6-4 | disco/universe
 proftpd-basic | 1.3.6-6build2 | eoan/universe
 proftpd-basic | 1.3.6c-2 | focal/universe

Focal has the patch already:
./f/proftpd-dfsg-1.3.6c/debian/patches/upstream_4385

# Filezilla
 filezilla | 3.15.0.2-1ubuntu1 | xenial/universe
 filezilla | 3.28.0-1 | bionic/universe
 filezilla | 3.39.0-2 | disco/universe
 filezilla | 3.39.0-2 | eoan/universe
 filezilla | 3.46.3-1build1 | focal/universe

Reference:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949622
http://bugs.proftpd.org/show_bug.cgi?id=4385
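As an added example (not code from this report, from proftpd or from FileZilla), the following Python sketch shows the generic SSH requirement behind this bug: RFC 4253 section 11.2 says every implementation must accept and discard SSH_MSG_IGNORE at any time, so a server whose authentication handler assumes the next packet is the SSH_MSG_USERAUTH_REQUEST fails as soon as a client sends an ignore packet first. The packets are unencrypted, constructed inline for the demonstration, and the report does not describe mod_sftp's internals, so nothing here is claimed to be proftpd's own logic; the brittle and tolerant handlers are both hypothetical.

```python
"""Added example: why an SSH server's userauth handling must tolerate
SSH_MSG_IGNORE (RFC 4253 section 11.2).  Generic illustration only; this
is not proftpd's mod_sftp code."""
import struct

# Message numbers from RFC 4253 (transport) and RFC 4252 (userauth).
SSH_MSG_IGNORE = 2
SSH_MSG_DEBUG = 4
SSH_MSG_USERAUTH_REQUEST = 50
# Transport-layer messages that may appear at any point and carry no state.
TRANSPARENT = {SSH_MSG_IGNORE, SSH_MSG_DEBUG}


class ProtocolError(Exception):
    pass


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string' (uint32 length followed by the bytes)."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an RFC 4251 'string' at offset off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ProtocolError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ProtocolError("truncated string body")
    return buf[off:off + n], off + n


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Wrap a payload in RFC 4253 section 6 binary packet framing (no cipher,
    no MAC): uint32 packet_length, byte padding_length, payload, then at least
    4 bytes of padding so the total length is a multiple of block_size."""
    padding_len = block_size - ((4 + 1 + len(payload)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + bytes(padding_len)


def parse_packets(stream: bytes):
    """Split a byte stream of unencrypted binary packets into their payloads."""
    payloads, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ProtocolError("truncated packet header")
        packet_len, padding_len = struct.unpack_from(">IB", stream, off)
        end = off + 4 + packet_len
        if end > len(stream) or padding_len + 1 > packet_len:
            raise ProtocolError("bad packet length fields")
        payloads.append(stream[off + 5:end - padding_len])
        off = end
    return payloads


def parse_userauth_request(payload: bytes):
    """Decode the fixed prefix of SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 5):
    byte 50, string user name, string service name, string method name."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ProtocolError("expected SSH_MSG_USERAUTH_REQUEST, got %r" % (payload[:1],))
    user, off = read_string(payload, 1)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    return user.decode(), service.decode(), method.decode()


def naive_userauth(payloads):
    """Hypothetical brittle server logic: assumes the very next packet is the
    auth request.  An SSH_MSG_IGNORE arriving first breaks authentication,
    which is the symptom this report describes for newer FileZilla clients."""
    return parse_userauth_request(payloads[0])


def tolerant_userauth(payloads):
    """RFC-conformant logic: discard IGNORE/DEBUG wherever they appear in the
    stream, then handle the first real message as the auth request."""
    for payload in payloads:
        if payload and payload[0] in TRANSPARENT:
            continue
        return parse_userauth_request(payload)
    raise ProtocolError("no SSH_MSG_USERAUTH_REQUEST in stream")


# Constructed sample stream: one ignore packet (arbitrary string data),
# followed by a 'none'-method userauth request for user 'alice'.
SAMPLE_STREAM = (
    build_packet(bytes([SSH_MSG_IGNORE]) + ssh_string(b"padding"))
    + build_packet(
        bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(b"alice") + ssh_string(b"ssh-connection") + ssh_string(b"none")
    )
)

if __name__ == "__main__":
    payloads = parse_packets(SAMPLE_STREAM)
    print("tolerant handler:", tolerant_userauth(payloads))
    try:
        naive_userauth(payloads)
    except ProtocolError as err:
        print("naive handler fails:", err)
```

Run as-is to see the tolerant handler return ("alice", "ssh-connection", "none") while the naive one raises on the ignore packet; the same idea applies to SSH_MSG_DEBUG and to ignore packets arriving between individual authentication attempts, which is why the skip is done per packet rather than once at the start.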

Tags: sts
Eric Desrochers (slashd): tags: added: sts
Eric Desrochers (slashd): description: updated
Eric Desrochers (slashd): description: updated
Eric Desrochers (slashd): Changed in proftpd (Ubuntu): status: New → Fix Released
Eric Desrochers (slashd): description: updated (three times)
Eric Desrochers (slashd) wrote :

For now I don't see the point to fix other Ubuntu releases as only focal contains filezilla "3.46" and Focal also already got the proftpd-basic fix.

Focal:
proftpd-dfsg-1.3.6c/debian/patches/upstream_4385

Upstream bug mentioned:
All my users that use the filezilla client 3.46.1+ fail to connect to my
proftpd server. I tested the problem exist on debian jessie and debian etch
proftpd and filezilla 3.46.2 and 3.46.3

Please provide more context if I'm wrong here, but so far this is what I understand from it.

- Eric

Eric Desrochers (slashd) wrote :

Filezilla is cross-platform so I think it is also fair to say there is various filezilla in the field (outside what the Ubuntu archive is providing today).

https://filezilla-project.org/download.php?show_all=1

My point is that if we go with the SRU (process to fix a package) for proftpd in versions earlier than Focal, we will need to make sure the bugfix is backward compatible by testing with FileZilla versions:
- lower than 3.46
- greater than 3.46

at the very least.

As we want to stay backward compatible with version found in our Ubuntu archive as well.

Another scenario is to upgrade the proftpd server to Focal (20.04 LTS) when it becomes stable by EOM.

- Eric

Eric Desrochers (slashd)
Changed in proftpd (Ubuntu Xenial):
status: New → Incomplete
Changed in proftpd (Ubuntu Bionic):
status: New → Incomplete
Changed in proftpd (Ubuntu Eoan):
status: New → Incomplete
Brian Murray (brian-murray) wrote :

The Eoan Ermine has reached end of life, so this bug will not be fixed for that release.

Changed in proftpd (Ubuntu Eoan):
status: Incomplete → Won't Fix