|
This update has been duplicated in both the Atomic and ASL repositories.
Changelog
1.3.4a
---------
+ Fixed mod_load/mod_wrap2 build issues.
1.3.4
---------
+ New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation
for details.
+ Improved configure script for cross-compiling.
+ Reworked the proftpd.spe
1.3.4a
---------
+ Fixed mod_load/mod_wrap2 build issues.
1.3.4
---------
+ New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation
for details.
+ Improved configure script for cross-compiling.
+ Reworked the proftpd.spec RPM file
+ Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD.
+ New "IgnoreSFTPSetTimes" SFTPOption added; see the SFTPOptions
documentation for details.
+ Fixed response pool use-after-free issue.
1.3.4rc3
---------
+ The mod_ldap configuration directives have changed to a simplified
version; please read the "Changes" section in README.LDAP for details.
+ Support for using RADIUS for authentication SSH2 logins, and for
supporting the NAS-IPv6-Address RADIUS attribute.
+ Automatically disable sendfile support on AIX systems.
+ <Limit WRITE> now prevents renaming/moving a file out of the limited
directory.
+ ExtendedLog entries now written for data transfers which time out.
1.3.4rc2
---------
+ Display messages work properly again.
(i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for
http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.
+ Performance improvements, especially during server startup/restarts.
+ New --enable-memcache configure option
ProFTPD now provides an API for modules for using memcached servers for
caching information among different proftpd server and/or across
sessions. For more information, see the mod_memcache documentation
in doc/modules/mod_memcache.html.
+ New --enable-pcre configure option
The C library support for POSIX regular expressions is vulnerable to
some pathological regex patterns; the glibc library in particular
can be made to burn CPU with such patterns. Sites which wish to avoid
such buggy C library implementations can instead use PCRE for regular
expression support in ProFTPD, by using the --enable-pcre configure
option.
+ New modules
mod_tls_memcache
The mod_tls_memcache module uses the new mod_memcache/memcached support
in ProFTPD to use memcached servers for caching SSL session information.
This can be useful, especially when clusters of proftpd servers are
in used, or for preserving SSL session caches across proftpd restarts.
See doc/contrib/mod_tls_memcache.html for more details on this module.
+ New configuration directives:
MaxCommandRate
Some clients send FTP commands too quickly. The new MaxCommandRate
directive is used to detect and to throttle such malicious clients;
it also generates an event that can be used by the mod_ban module
for banning these clients. See doc/modules/mod_core.html#MaxCommandRate.
ProcessTitles
By default, proftpd changes the process title for session processes
to include the authenticated user name and the FTP command being
handled, including the paths to files being downloaded. The new
ProcessTitles directive can be used to modify proftpd's behavior with
regard to this session process title changing. See
doc/modules/mod_core.html#ProcessTitles for more info.
SQLNamedConnectInfo
Some sites wish to have mod_sql connections to multiple different
databases simultaneously, e.g. one connection for retrieving user
data and a separate connection for logging. To support such sites,
the new SQLNamedConnectInfo directive can be used to create "named
connection". These "named connections" can then be used in a
SQLNamedQuery, i.e. you can specify the named connection that a
SQLNamedQuery is to use when it is expected. More information can
found at doc/contrib/mod_sql.html#SQLNamedConnectInfo.
TraceOptions
The TraceLog can provide very detailed information, especially when
diagnosing an issue. To aid in such diagnoses, the new TraceOptions
directive can be used to add more information to the TraceLog,
such as client/server IP addresses (if available), and timestamps
with millisecond granularity. The documentation at
doc/modules/mod_core.html#TraceOptions has the details.
+ The following utilities are now installed under $prefix/bin/ by the
'make install' target: ftpasswd, ftpmail, ftpquota
+ Changed configuration directives:
BanOnEvent
The mod_ban module's BanOnEvent directive now supports a few more
events, namely 'MaxCommandRate' and 'UnhandledCommand'. These events
can be used to ban clients which send commands too quickly, or which
send too many unhandled/unknown commands.
ExtendedLog
For some LogFormat variables (e.g. %E, %I, %O) it is useful to log
them when then session exits. The mod_sql module has had the ability
to log at session exit for quite some time. The ExtendedLog directive
can how log at session exit as well, using the new "EXIT" command class.
LogFormat
The LogFormat directive now supports a couple of new variables:
%E variable, for end-of-session reason
%H variable, for IP address of server handling session
These are listed in the LogFormat docs; see
doc/modules/mod_log.html#LogFormat.
PathAllowFilter, PathDenyFilter
The PathAllowFilter and PathDenyFilter directives now support an
optional flags parameter, which can be used to specify e.g.
case-insensitive evaluation of the configured regular expression.
For example:
PathDenyFilter .jpg$ [NC]
See doc/modules/mod_core.html#PathAllowFilter for more details.
SFTPOptions
The mod_sftp module's SFTPOptions directive supports a new
'IgnoreSFTPSetPerms' option. This option is similar to the existing
'IgnoreSFTPUploadPerms'; it causes mod_sftp to silently ignore the SFTP
client's attempts to change file permissions. See
doc/contrib/mod_sftp.html#SFTPOptions.
SFTPPAMOptions
The SFTPPAMOptions directive for the mod_sftp_pam module now supports
a 'NoInfoMsgs' option, which disables the sending of informational
messages from the PAM library to the connecting SSH client. This
option can be used to make mod_sftp_pam behavior like OpenSSH with
regard to PAM support.
SQLNamedQuery
The SQLNamedQuery directive now supports an optional "named connection"
name, for supporting multiple database connections. See the
doc/contrib/mod_sql.html#SQLNamedConnectInfo docs for more information.
TLSSessionCache
The TLSSessionCache directive from the mod_tls module can now be
used to explicitly configure the session cache timeout when OpenSSL's
internal session caching mechanism (used by default) is being used.
See doc/contrib/mod_tls.html#TLSSessionCache for details.
Trace
The Trace directive can now to be used to specify a range of trace
channel log levels, rather than simply specifying the maximum log
level for a channel. For example, to see only messages from log
levels 5 to 8, you would do:
Trace DEFAULT:5-8
This is documented in the Trace directive documentation, at
doc/modules/mod_core.html#Trace.
+ New documentation:
doc/howto/ConnectionACLs.html
doc/utils/ftpasswd.html
doc/utils/ftpcount.html
doc/utils/ftpdctl.html
doc/utils/ftpquota.html
doc/utils/ftpscrub.html
doc/utils/ftptop.html
doc/utils/ftpwho.html
+ Developer/API Changes
The following functions have been removed, as they are not used anywhere
and should not be being used:
pr_response_send_ml()
pr_response_send_ml_start()
pr_response_send_ml_end()
The following function has been renamed/moved:
end_login() is now pr_session_end()
A related new function, pr_session_disconnect() is added. This new
function allows the caller to specify a reason code indicating why
the session is ending, as well as support for an optional string
for more details about the reason for ending the session.
1.3.4rc1
---------
+ Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925)
+ Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
+ Fixed sql_prepare_where() buffer overflow (Bug#3536)
+ Added Japanese translation
+ Many mod_sftp bugfixes
+ Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later
+ Fixed handling of utmp/utmpx format changes on FreeBSD
+ Automatic detection of MySQL, Postgres library and header file locations
+ Added support for SMTP authentication in ftpmail script
+ Updated fnmatch implementation, using glibc-2.9 version.
+ Overhauled mod_ldap configuration directives, making mod_ldap easier
to configure. Previous configurations must be updated. See README.LDAP
for details.
+ New modules:
mod_copy
This module provides the SITE CPFR and SITE CPTO commands, for
allowing a client to copy files from one location to another on the
server, without requiring downloads/uploads. See
doc/contrib/mod_copy.html for details.
mod_deflate
This module provides support for MODE Z, which uses compression to
reduce the number of bytes required for data transfers and directory
lists. See doc/contrib/mod_deflate.html for more information.
Depending on the data being transferred, clients can see quite
a difference in the speed; see:
http://www.smartftp.com/support/kb/file.php?f=192
for some performance numbers.
mod_ifversion
This module allows for version-specific configuration sections of
the proftpd config file. It is useful for using the same proftpd
config across multiple servers where different proftpd versions may
be in use. See doc/contrib/mod_ifversion.html for examples.
mod_qos
This module allows administrators to set networking-specific
"Quality of Service" (QoS) bits on the packets used by the server.
More information can be found in doc/contrib/mod_qos.html
+ New configuration directives:
Protocols
This directive can be used to specify which protocols can be used
by a connecting client. It is designed to work with mod_ifsession,
so that it can be set on a per-user/group/class basis. See
doc/modules/mod_core.html#Protocols for details.
ScoreboardMutex
This directive is used to explicitly configure the patch to a
"mutex" file used for scoreboard locking; this file is used to
increase proftpd's performance under load. See:
http://bugs.proftpd.org/show_bug.cgi?id=3208
for more information.
SFTPClientAlive
This directive is used to enable a protocol-level "keep alive"
check for mod_sftp SSH connections. More details can be found
in doc/contrib/mod_sftp.html#SFTPClientAlive.
WrapOptions
The mod_wrap2 module has additional behaviors such as checking the
allow/deny rules at client connect time (versus after login),
and checking the allow/deny rules using all of a client's DNS names.
The WrapOptions directive is used to configure these behaviors;
see doc/contrib/mod_wrap2.html#WrapOptions for more information.
+ Changed configuration directives:
BanOnEvent
The BanOnEvent directive of the mod_ban module now supports
LoginRate events; see doc/contrib/mod_ban.html#BanOnEvent. This
lets mod_ban reject clients which are logging in too quickly.
ListOptions
The mod_ls module now supports the -c and -u options for the LIST
command. The ListOptions directive handles these options as well.
See the ls(1) man page for more details on these options.
In addition, the NoErrorIfAbsent ListOption can be used to configure
whether mod_ls returns a 226 response code, rather than the default
450 response code, for a LIST/NLST command for a path which does not
exist. Some clients are sensitive to this use case.
LogFormat
The LogFormat directive now supports two additional variables:
%I for logging the total number of bytes read from the network,
and %O for logging the total number of bytes written to the network.
Note that these values do NOT include any bytes for the TCP packet
overhead. The mod_sql module's SQLLog directive also supports these
variables.
These variables can be used to get a better idea of network traffic
per session/client, as well as for comparing the relative network
traffic of e.g. FTPS versus SFTP.
SFTPOptions
The mod_sftp module did not interoperate well with old ssh.com or
with Tectia SSH clients. Support for these clients was added to
mod_sftp via the OldProtocolCompat SFTPOption (Bug#3480). See
doc/contrib/mod_sftp.html#SFTPOptions for more information.
TLSOptions
When verifying a client's certificate, the mod_tls module could
be configured to check the iPAddress and/or dNSName portions of the
SubjectAltName section of the client certificate, via the TLSOptions
directive. A new CommonNamedRequired TLSOptions is now supported,
which tells mod_tls to check the CommonName (CN) section of the
client certificate. See doc/contrib/mod_tls.html#TLSOptions for
details.
UseSendfile
The UseSendfile directive can now be used in <Directory> sections and
.ftpaccess files. This means that sendfile(2) support can be disabled
on filesystems which do not support it, while still be used on other
parts of the filesystem which can support it.
The UseSendfile directive can now also configure how many bytes of
a file to send via sendfile(2) at a time; this can be either in number
of bytes, or in percentage of the file size. The advantage of this
is that now the ScoreboardFile (and ftptop/ftpwho) can show download
progress rates when UseSendfile is enabled.
See doc/howto/Sendfile.html for the full details.
+ Deprecated configuration directives:
DisplayGoAway
Support for this directive has been removed.
1.3.3g
---------
+ New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation
for details.
+ Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD.
1.3.3f
---------
+ Fixes segfault if mod_sql_mysql and "SQLAuthenticate groupsetfast"
configuration used.
+ Fixes mod_wrap syslog level (regression from Bug#3317).
+ Fixes mod_ifsession segfault if regular expression patterns used in
a <VirtualHost> section.
c RPM file
+ Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD.
+ New "IgnoreSFTPSetTimes" SFTPOption added; see the SFTPOptions
documentation for details.
+ Fixed response pool use-after-free issue.
1.3.4rc3
---------
+ The mod_ldap configuration directives have changed to a simplified
version; please read the "Changes" section in README.LDAP for details.
+ Support for using RADIUS for authentication SSH2 logins, and for
supporting the NAS-IPv6-Address RADIUS attribute.
+ Automatically disable sendfile support on AIX systems.
+ <Limit WRITE> now prevents renaming/moving a file out of the limited
directory.
+ ExtendedLog entries now written for data transfers which time out.
1.3.4rc2
---------
+ Display messages work properly again.
(i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for
http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.
+ Performance improvements, especially during server startup/restarts.
+ New --enable-memcache configure option
ProFTPD now provides an API for modules for using memcached servers for
caching information among different proftpd server and/or across
sessions. For more information, see the mod_memcache documentation
in doc/modules/mod_memcache.html.
+ New --enable-pcre configure option
The C library support for POSIX regular expressions is vulnerable to
some pathological regex patterns; the glibc library in particular
can be made to burn CPU with such patterns. Sites which wish to avoid
such buggy C library implementations can instead use PCRE for regular
expression support in ProFTPD, by using the --enable-pcre configure
option.
+ New modules
mod_tls_memcache
The mod_tls_memcache module uses the new mod_memcache/memcached support
in ProFTPD to use memcached servers for caching SSL session information.
This can be useful, especially when clusters of proftpd servers are
in used, or for preserving SSL session caches across proftpd restarts.
See doc/contrib/mod_tls_memcache.html for more details on this module.
+ New configuration directives:
MaxCommandRate
Some clients send FTP commands too quickly. The new MaxCommandRate
directive is used to detect and to throttle such malicious clients;
it also generates an event that can be used by the mod_ban module
for banning these clients. See doc/modules/mod_core.html#MaxCommandRate.
ProcessTitles
By default, proftpd changes the process title for session processes
to include the authenticated user name and the FTP command being
handled, including the paths to files being downloaded. The new
ProcessTitles directive can be used to modify proftpd's behavior with
regard to this session process title changing. See
doc/modules/mod_core.html#ProcessTitles for more info.
SQLNamedConnectInfo
Some sites wish to have mod_sql connections to multiple different
databases simultaneously, e.g. one connection for retrieving user
data and a separate connection for logging. To support such sites,
the new SQLNamedConnectInfo directive can be used to create "named
connection". These "named connections" can then be used in a
SQLNamedQuery, i.e. you can specify the named connection that a
SQLNamedQuery is to use when it is expected. More information can
found at doc/contrib/mod_sql.html#SQLNamedConnectInfo.
TraceOptions
The TraceLog can provide very detailed information, especially when
diagnosing an issue. To aid in such diagnoses, the new TraceOptions
directive can be used to add more information to the TraceLog,
such as client/server IP addresses (if available), and timestamps
with millisecond granularity. The documentation at
doc/modules/mod_core.html#TraceOptions has the details.
+ The following utilities are now installed under $prefix/bin/ by the
'make install' target: ftpasswd, ftpmail, ftpquota
+ Changed configuration directives:
BanOnEvent
The mod_ban module's BanOnEvent directive now supports a few more
events, namely 'MaxCommandRate' and 'UnhandledCommand'. These events
can be used to ban clients which send commands too quickly, or which
send too many unhandled/unknown commands.
ExtendedLog
For some LogFormat variables (e.g. %E, %I, %O) it is useful to log
them when then session exits. The mod_sql module has had the ability
to log at session exit for quite some time. The ExtendedLog directive
can how log at session exit as well, using the new "EXIT" command class.
LogFormat
The LogFormat directive now supports a couple of new variables:
%E variable, for end-of-session reason
%H variable, for IP address of server handling session
These are listed in the LogFormat docs; see
doc/modules/mod_log.html#LogFormat.
PathAllowFilter, PathDenyFilter
The PathAllowFilter and PathDenyFilter directives now support an
optional flags parameter, which can be used to specify e.g.
case-insensitive evaluation of the configured regular expression.
For example:
PathDenyFilter .jpg$ [NC]
See doc/modules/mod_core.html#PathAllowFilter for more details.
SFTPOptions
The mod_sftp module's SFTPOptions directive supports a new
'IgnoreSFTPSetPerms' option. This option is similar to the existing
'IgnoreSFTPUploadPerms'; it causes mod_sftp to silently ignore the SFTP
client's attempts to change file permissions. See
doc/contrib/mod_sftp.html#SFTPOptions.
SFTPPAMOptions
The SFTPPAMOptions directive for the mod_sftp_pam module now supports
a 'NoInfoMsgs' option, which disables the sending of informational
messages from the PAM library to the connecting SSH client. This
option can be used to make mod_sftp_pam behavior like OpenSSH with
regard to PAM support.
SQLNamedQuery
The SQLNamedQuery directive now supports an optional "named connection"
name, for supporting multiple database connections. See the
doc/contrib/mod_sql.html#SQLNamedConnectInfo docs for more information.
TLSSessionCache
The TLSSessionCache directive from the mod_tls module can now be
used to explicitly configure the session cache timeout when OpenSSL's
internal session caching mechanism (used by default) is being used.
See doc/contrib/mod_tls.html#TLSSessionCache for details.
Trace
The Trace directive can now to be used to specify a range of trace
channel log levels, rather than simply specifying the maximum log
level for a channel. For example, to see only messages from log
levels 5 to 8, you would do:
Trace DEFAULT:5-8
This is documented in the Trace directive documentation, at
doc/modules/mod_core.html#Trace.
+ New documentation:
doc/howto/ConnectionACLs.html
doc/utils/ftpasswd.html
doc/utils/ftpcount.html
doc/utils/ftpdctl.html
doc/utils/ftpquota.html
doc/utils/ftpscrub.html
doc/utils/ftptop.html
doc/utils/ftpwho.html
+ Developer/API Changes
The following functions have been removed, as they are not used anywhere
and should not be being used:
pr_response_send_ml()
pr_response_send_ml_start()
pr_response_send_ml_end()
The following function has been renamed/moved:
end_login() is now pr_session_end()
A related new function, pr_session_disconnect() is added. This new
function allows the caller to specify a reason code indicating why
the session is ending, as well as support for an optional string
for more details about the reason for ending the session.
1.3.4rc1
---------
+ Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925)
+ Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
+ Fixed sql_prepare_where() buffer overflow (Bug#3536)
+ Added Japanese translation
+ Many mod_sftp bugfixes
+ Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later
+ Fixed handling of utmp/utmpx format changes on FreeBSD
+ Automatic detection of MySQL, Postgres library and header file locations
+ Added support for SMTP authentication in ftpmail script
+ Updated fnmatch implementation, using glibc-2.9 version.
+ Overhauled mod_ldap configuration directives, making mod_ldap easier
to configure. Previous configurations must be updated. See README.LDAP
for details.
+ New modules:
mod_copy
This module provides the SITE CPFR and SITE CPTO commands, for
allowing a client to copy files from one location to another on the
server, without requiring downloads/uploads. See
doc/contrib/mod_copy.html for details.
mod_deflate
This module provides support for MODE Z, which uses compression to
reduce the number of bytes required for data transfers and directory
lists. See doc/contrib/mod_deflate.html for more information.
Depending on the data being transferred, clients can see quite
a difference in the speed; see:
http://www.smartftp.com/support/kb/file.php?f=192
for some performance numbers.
mod_ifversion
This module allows for version-specific configuration sections of
the proftpd config file. It is useful for using the same proftpd
config across multiple servers where different proftpd versions may
be in use. See doc/contrib/mod_ifversion.html for examples.
mod_qos
This module allows administrators to set networking-specific
"Quality of Service" (QoS) bits on the packets used by the server.
More information can be found in doc/contrib/mod_qos.html
+ New configuration directives:
Protocols
This directive can be used to specify which protocols can be used
by a connecting client. It is designed to work with mod_ifsession,
so that it can be set on a per-user/group/class basis. See
doc/modules/mod_core.html#Protocols for details.
ScoreboardMutex
This directive is used to explicitly configure the patch to a
"mutex" file used for scoreboard locking; this file is used to
increase proftpd's performance under load. See:
http://bugs.proftpd.org/show_bug.cgi?id=3208
for more information.
SFTPClientAlive
This directive is used to enable a protocol-level "keep alive"
check for mod_sftp SSH connections. More details can be found
in doc/contrib/mod_sftp.html#SFTPClientAlive.
WrapOptions
The mod_wrap2 module has additional behaviors such as checking the
allow/deny rules at client connect time (versus after login),
and checking the allow/deny rules using all of a client's DNS names.
The WrapOptions directive is used to configure these behaviors;
see doc/contrib/mod_wrap2.html#WrapOptions for more information.
+ Changed configuration directives:
BanOnEvent
The BanOnEvent directive of the mod_ban module now supports
LoginRate events; see doc/contrib/mod_ban.html#BanOnEvent. This
lets mod_ban reject clients which are logging in too quickly.
ListOptions
The mod_ls module now supports the -c and -u options for the LIST
command. The ListOptions directive handles these options as well.
See the ls(1) man page for more details on these options.
In addition, the NoErrorIfAbsent ListOption can be used to configure
whether mod_ls returns a 226 response code, rather than the default
450 response code, for a LIST/NLST command for a path which does not
exist. Some clients are sensitive to this use case.
LogFormat
The LogFormat directive now supports two additional variables:
%I for logging the total number of bytes read from the network,
and %O for logging the total number of bytes written to the network.
Note that these values do NOT include any bytes for the TCP packet
overhead. The mod_sql module's SQLLog directive also supports these
variables.
These variables can be used to get a better idea of network traffic
per session/client, as well as for comparing the relative network
traffic of e.g. FTPS versus SFTP.
SFTPOptions
The mod_sftp module did not interoperate well with old ssh.com or
with Tectia SSH clients. Support for these clients was added to
mod_sftp via the OldProtocolCompat SFTPOption (Bug#3480). See
doc/contrib/mod_sftp.html#SFTPOptions for more information.
TLSOptions
When verifying a client's certificate, the mod_tls module could
be configured to check the iPAddress and/or dNSName portions of the
SubjectAltName section of the client certificate, via the TLSOptions
directive. A new CommonNamedRequired TLSOptions is now supported,
which tells mod_tls to check the CommonName (CN) section of the
client certificate. See doc/contrib/mod_tls.html#TLSOptions for
details.
UseSendfile
The UseSendfile directive can now be used in <Directory> sections and
.ftpaccess files. This means that sendfile(2) support can be disabled
on filesystems which do not support it, while still be used on other
parts of the filesystem which can support it.
The UseSendfile directive can now also configure how many bytes of
a file to send via sendfile(2) at a time; this can be either in number
of bytes, or in percentage of the file size. The advantage of this
is that now the ScoreboardFile (and ftptop/ftpwho) can show download
progress rates when UseSendfile is enabled.
See doc/howto/Sendfile.html for the full details.
+ Deprecated configuration directives:
DisplayGoAway
Support for this directive has been removed.
1.3.3g
---------
+ New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation
for details.
+ Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD.
1.3.3f
---------
+ Fixes segfault if mod_sql_mysql and "SQLAuthenticate groupsetfast"
configuration used.
+ Fixes mod_wrap syslog level (regression from Bug#3317).
+ Fixes mod_ifsession segfault if regular expression patterns used in
a <VirtualHost> section.
To Upgrade:
yum upgrade psa-proftpd |
