CVE-2019-19269

NameCVE-2019-19269
DescriptionAn issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2018-1
Debian Bugs946345

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
proftpd-dfsg (PTS)jessie1.3.5-1.1+deb8u2vulnerable
jessie (security)1.3.5e+r1.3.5-2+deb8u5fixed
stretch1.3.5b-4+deb9u1vulnerable
stretch (security)1.3.5b-4+deb9u2vulnerable
buster, buster (security)1.3.6-4+deb10u2vulnerable
bullseye, sid1.3.6b-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
proftpd-dfsgsource(unstable)1.3.6b-2946345
proftpd-dfsgsourcejessie1.3.5e+r1.3.5-2+deb8u5DLA-2018-1

Notes

[buster] - proftpd-dfsg <no-dsa> (Minor issue)
[stretch] - proftpd-dfsg <no-dsa> (Minor issue)
https://github.com/proftpd/proftpd/issues/861
https://github.com/proftpd/proftpd/commit/81cc5dce4fc0285629a1b08a07a109af10c208dd (master)
https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f (1.3.6 branch)

Search for package or bug name: Reporting problems