Description
An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

Source
CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      | Release                    | Version                 | Status
proftpd-dfsg (PTS)  | jessie                     | 1.3.5-1.1+deb8u2        | fixed
                    | jessie (security)          | 1.3.5e+r1.3.5-2+deb8u5  | fixed
                    | stretch (security)         | 1.3.5b-4+deb9u2         | fixed
                    | buster, buster (security)  | 1.3.6-4+deb10u2         | fixed
                    | bullseye, sid              | 1.3.6b-1                | fixed

The information below is based on the following data on fixed versions.

Package       | Type    | Release  | Fixed Version   | Urgency | Origin | Debian Bugs
proftpd-dfsg  | source  | jessie   | (not affected)  |         |        |
proftpd-dfsg  | source  | stretch  | (not affected)  |         |        |
[stretch] - proftpd-dfsg <not-affected> (Bug was introduced in 1.3.5c)
[jessie] - proftpd-dfsg <not-affected> (Bug was introduced in 1.3.5c)
Introduced in: (v1.3.5c)
