Recommended update for pure-ftpd

SUSE Recommended Update: Recommended update for pure-ftpd
Announcement ID: SUSE-RU-2017:1630-1
Rating: moderate
References: #1042690 #971980 #986520
Affected Products:
  • SUSE Linux Enterprise Server 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP4

  • An update that has three recommended fixes can now be installed.

    Description:


    This update provides pure-ftpd 1.0.43, which brings several fixes and new
    features.

    - The connection is now dropped if HTTP commands are received.
    - LDAP force_default_gid and force_default_uid now work as documented.
    - The ONLY_ACCEPT_REUSED_SSL_SESSIONS switch is now on by default, except
    in broken clients compatibility mode.
    - New command-line switch: -2/--certfile= to set the path to the
    certificate file when using TLS.
    - Support for TCP_FASTOPEN added on Linux.
    - The LDAP configuration file now allows a default gid without also
    defining a default uid.
    - Retry if SSL_shutdown() returns -1 and SSL_ERROR_WANT_(READ|WRITE)
    - TLS forward secrecy support was added. DH parameters are loaded from
    TLS_DHPARAMS_FILE, if present. ECDH is also supported and the default
    curve is prime256v1 (TLS_DEFAULT_ECDH_CURVE).
    - scrypt hashed passwords can be used in the MySQL, PostgreSQL and LDAP
    backends.
    - The -C: prefix can be added to the cipher suite in order to make valid
    client certificates mandatory.
    - The Clear Command Channel (CCC) command is now supported.
    - SSL (v2, v3) is refused by default.
    - DES-hashed passwords are not supported any more.
    - LDAP uid and gid values can be overridden in the LDAP configuration
    file.
    - RC4 was dropped.
    - Repair checkproc() on Linux when support for capabilities is compiled in.
    - Add support for MFMT, with the same code as SITE UTIME.
    - Support 2-arguments SITE UTIME.
    - Add LDAPDefaultHomeDirectory.
    - Fix quota computation after rename() overwrites an existing file.
    - If 10 digits are not enough to print the size of a file in an ls-like
    output, bump the maximum number of digits to 18. This adds support for
    files up to 1 exabyte.
    - Support SHA1 password hashing in MySQL and PostgreSQL backends.
    - Support for braces expansion in directory listings has been disabled.
    - Introduce --tlsciphersuite (-J) to set the list of allowed ciphers.
    - The -F switch has been documented in the built-in help.
    - Shell-like escaping is now partially handled when emulating the "ls"
    command.
    - pure-quotacheck can now work with a large number of files.
    - When an upload gets renamed (--autorename), send the new name to the
    uploadscript instead of the original one.
    - The ALLO command now checks for the actual disk space in addition to the
    virtual quota.
    - After an atomic resumed upload, don't append the previous file size to
    the quota.
    - Always accept OPTS UTF8 ON, but refuse OPTS UTF8 OFF if client_charset
    is UTF8.
    - Reset the CWD failures counter after a directory has been successfully
    created.
    - Allow users with no quota to delete .pureftpd-upload-* files.
    - Properly change the process name on Linux when the -S option is used.
    - Restore the traditional behavior of a download restarting at the end of
    a file.
    - Refuse empty passwords in LDAP bind mode.
    - LDAP authentication through binding is now possible in addition to
    passwords.
    - Almost a complete rewrite of the upload, download and TLS code for more
    reliability.
    - Don't use atomic uploads unless --notruncate or --autorename have been
    enabled.
    - List up to 10000 files per directory per default instead of 2000.
    - Quota handling reworked.
    - RNTO support even when quotas are enabled.
    - Don't change the TCP window size.
    - Privsep is now enabled by default.

    For a comprehensive list of changes please refer to the package's change
    log.

    Patch Instructions:

    To install this SUSE Recommended Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-pure-ftpd-13161=1
    • SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-pure-ftpd-13161=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • pure-ftpd-1.0.43-29.1
    • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • pure-ftpd-debuginfo-1.0.43-29.1
      • pure-ftpd-debugsource-1.0.43-29.1
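    To confirm on a host that this update has actually landed, the following
    POSIX shell script compares the installed pure-ftpd package against the
    fixed level pure-ftpd-1.0.43-29.1 from the package list above. It is an
    added example and not part of the SUSE advisory or of the pure-ftpd
    project; the version and release constants are taken from this page, while
    the rpm query format, the component-wise version comparison and the
    constructed sample strings in the comments are the editor's own choices.

```shell
#!/bin/sh
# Check whether the installed pure-ftpd meets the fix level of
# SUSE-RU-2017:1630-1 (pure-ftpd-1.0.43-29.1). Added example, not SUSE code.

FIXED_VERSION="1.0.43"   # from the advisory's package list
FIXED_RELEASE="29.1"     # from the advisory's package list

# Compare two dotted numeric version strings component by component.
# Prints -1, 0 or 1 (a < b, a = b, a > b); missing components count as 0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$a" = "$ah" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=''; else b=${b#*.}; fi
        : "${ah:=0}" "${bh:=0}"
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# Takes a NAME-VERSION-RELEASE string such as "pure-ftpd-1.0.43-29.1"
# (constructed sample) and returns 0 if it is at or above the fixed level,
# 1 if it is older, 2 if the string is not a pure-ftpd package.
pure_ftpd_patched() {
    nvr=$1
    case "$nvr" in
        pure-ftpd-*) ;;
        *) echo "unexpected package string: $nvr" >&2; return 2 ;;
    esac
    vr=${nvr#pure-ftpd-}      # "1.0.43-29.1"
    ver=${vr%%-*}             # "1.0.43"
    rel=${vr#*-}              # "29.1"
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        1)  return 0 ;;       # newer upstream version: patched
        -1) return 1 ;;       # older upstream version: not patched
    esac
    # Same upstream version: the SUSE release number decides.
    [ "$(vercmp "$rel" "$FIXED_RELEASE")" -ge 0 ]
}

# Live check when run on a SUSE host; skipped where rpm is unavailable.
if command -v rpm >/dev/null 2>&1; then
    if installed=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' pure-ftpd 2>/dev/null); then
        if pure_ftpd_patched "$installed"; then
            echo "$installed: at or above pure-ftpd-$FIXED_VERSION-$FIXED_RELEASE"
        else
            echo "$installed: below fix level, apply: zypper in -t patch slessp4-pure-ftpd-13161=1"
        fi
    else
        echo "pure-ftpd is not installed"
    fi
fi
```

    The release comparison matters on SLES: a host reporting 1.0.43-28.x still
    lacks this patch even though the upstream version number matches, so
    checking only the "1.0.43" part would give a false sense of coverage.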

    References: