From 668a2ea39a23b44f1dfd13c4eaaa6fdca36a7b9d Mon Sep 17 00:00:00 2001 From: Dinko Korunic Date: Fri, 26 Oct 2007 17:58:41 +0000 Subject: [PATCH 1/1] r1: [svn-inject] Installing original source of proftpd-cn --- README.CARNet | 9 +++ changelog.CARNet | 1 + debian/changelog | 66 +++++++++++++++++++ debian/compat | 1 + debian/control | 25 ++++++++ debian/docs | 2 + debian/postinst | 189 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ debian/postrm | 43 +++++++++++++ debian/rules | 73 +++++++++++++++++++++ 9 files changed, 409 insertions(+) create mode 100644 README.CARNet create mode 120000 changelog.CARNet create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/docs create mode 100755 debian/postinst create mode 100755 debian/postrm create mode 100755 debian/rules
diff --git a/README.CARNet b/README.CARNet
new file mode 100644
index 0000000..13de3be
--- /dev/null
+++ b/README.CARNet
@@ -0,0 +1,9 @@
+proftpd-cn
+~~~~~~~~~~
+
+Zabranjen je anonimni FTP pristup.
+
+Proftp-cn generira SSL certifikat proftpd, ukoliko certifikat vec ne
+postoji.
+
+ -- Zoran Dzelajlija Fri, 26 Oct 2007 19:30:16 +0200
diff --git a/changelog.CARNet b/changelog.CARNet
new file mode 120000
index 0000000..194579e
--- /dev/null
+++ b/changelog.CARNet
@@ -0,0 +1 @@
+changelog.Debian
\ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..e9c5635
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,66 @@
+proftpd-cn (2:1.3.0-2) stable; urgency=low
+
+ * ispravno se puni ServerName
+ * globalna aktivacija TLS-a (cp-update blok)
+ * paljenje DelayEngine-a
+ * default je standalone servis (i mijenja originalni debconf unos)
+
+ -- Dinko Korunic Fri, 26 Oct 2007 18:05:48 +0200
+
+proftpd-cn (2:1.3.0-1) stable; urgency=low
+
+ * Nova verzija i backport iz stable, ispravlja niz sigurnosnih propusta:
+ CVE-2005-2390, CVE-2005-4816, CVE-2006-5815, CVE-2006-6170, CVE-2006-6171,
+ CVE-2006-6563, CVE-2007-2165. Na nasu konfiguraciju su primjenjivi:
+ - CVE-2006-5815 sreplace() stack overflow
+ - CVE-2006-6170 mod_tls module tls_x509_name_oneline() buffer overflow
+ * Izmjene proftpd-common.postrm na sustavu da purge istog ne napravi probleme.
+ * Ispravke ovisnosti.
+
+ -- Zoran Dzelajlija Mon, 14 May 2007 14:15:14 +0200
+
+proftpd-cn (2:1.2.10-4) stable; urgency=low
+
+ * Svjezi backport paketa iz unstable, inacica iz stable-security
+ se segfaulta jer ima samo sigurnosne ispravke, a pregazila je prethodni
+ backport.
+
+ -- Zoran Dzelajlija Wed, 18 Jan 2006 01:59:06 +0100
+
+proftpd-cn (2:1.2.10-3) stable; urgency=low
+
+ * Ime backup datoteke vise nema razmaka.
+
+ -- Zoran Dzelajlija Mon, 29 Aug 2005 17:18:42 +0200
+
+proftpd-cn (2:1.2.10-2) stable; urgency=low
+
+ * Backport Debianovog paketa iz unstable, navodno ispravlja segfaultove
+ (T#: 2005062413000027, T#: 2005082113000011, mozda T#: 2005080913000025).
+ Takodjer ispravlja i dva sitna sigurnosna propusta (CAN-2005-2390, oba):
+
+ - SQLShowInfo format string vulnerability
+ http://bugs.proftpd.org/show_bug.cgi?id=2645
+
+ - ftpshut format string vulnerability
+ http://bugs.proftpd.org/show_bug.cgi?id=2646
+
+ -- Zoran Dzelajlija Sun, 21 Aug 2005 21:19:04 +0200
+
+proftpd-cn (2:1.2.10-1) unstable; urgency=low
+
+ * Ispravka preimenovane opcije LsDefaultOptions.
+
+ -- Zoran Dzelajlija Wed, 22 Dec 2004 15:23:51 +0100
+
+proftpd-cn (2:1.2.9-1) unstable; urgency=low
+
+ * Novo upstream source izdanje
+ * Izdanje za stable distribuciju
+ * Ispravak mnogo source bugova
+ * proftpd-cn vise ne forsira standalone nacin rada,
+ ali i dalje zabranjuje anonimni FTP pristup
+ * Paket generira SSL certifikat za FTP, ukoliko certifikat
+ vec ne postoji
+
+ -- Bozo Juretic Tue, 27 Apr 2004 11:47:32 +0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..b8626c4
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+4
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..447fc16
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,25 @@
+Source: proftpd-cn
+Section: net
+Priority: optional
+Maintainer: Zoran Dzelajlija
+Build-Depends: debhelper (>= 4)
+Standards-Version: 3.7.2
+
+Package: proftpd-cn
+Architecture: all
+Depends: proftpd (>= 1.3.0-18cn1), openssl, carnet-tools-cn (>= 2.4), debconf (>= 0.5) | debconf-2.0
+Description: Versatile, virtual-hosting FTP daemon
+ A powerful replacement for wu-ftpd, this File Transfer Protocol
+ daemon supports hidden directories, virtual hosts, and per-directory
+ ".ftpaccess" files. It uses a single main configuration file, with a
+ syntax similar to Apache.
+ .
+ Because of the advanced design, anonymous-FTP directories can have
+ an arbitrary internal structure (bin, lib, etc, and special files are
+ not needed). Advanced features like multiple password files and
+ upload/download ratios are also supported.
+ .
+ More information can be found at http://www.proftpd.org/.
+ .
+ This package depends on the basic installation of proftpd with PAM
+ authentication, and does a bit of configuration munging.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..ef5ce6c
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,2 @@
+changelog.CARNet
+README.CARNet
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 0000000..bbd264c
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,189 @@ +#!/bin/sh +# postinst script for proftpd-cn +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package +# + +case "$1" in + configure|reconfigure) + # continue below + ;; + + *) + exit 0 + ;; +esac + +# created: 2002-11-15 Bozo Juretic +# last update: 2007-05-14 Zoran Dzelajlija +# last update: 2007-10-27 Dinko Korunic + +# Source debconf library. +. /usr/share/debconf/confmodule + +# Import CN toolsa +. /usr/share/carnet-tools/functions.sh + +FTP_CONF=/etc/proftpd/proftpd.conf +FTP_TMP=`mktemp /etc/proftpd/proftpd.conf.XXXXXX` +FTP_OLD=/var/backups/proftpd.conf.bak +SSL_CERT=/etc/ssl/certs/ftpd-rsa.pem +SSL_KEY=/etc/ssl/certs/ftpd-rsa-key.pem + +# Backup stare konfiguracije +cp_backup_conffile $FTP_CONF +cp -p $FTP_CONF $FTP_TMP + +# Onemogucavanje Anonymous ftp pristupa +disable_anonymous() +{ + if grep -qi "^ + TLSEngine on + + # Are clients required to use FTP over TLS when talking to this server? + TLSRequired off + + # Server's certificate + TLSRSACertificateFile $SSL_CERT + TLSRSACertificateKeyFile $SSL_KEY + + # CA the server trusts + #TLSCACertificateFile /etc/ftpd/root.cert.pem + + # Authenticate clients that want to use FTP over TLS? + TLSVerifyClient off + + # Allow SSL/TLS renegotiations when the client requests them, but + # do not force the renegotations. Some clients do not support + # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these + # clients will close the data connection, or there will be a timeout + # on an idle data connection. + TLSRenegotiate required off + +EOF + fi +} + +# include za slucaj da sistemac nije prihvatio izmjene od Debiana +include_modules() +{ + if [ -f $FTP_TMP ] ; then + if ! 
egrep -qi "^[[:space:]]*Include.*/etc/proftpd/modules.conf" $FTP_TMP ; then + printf "#\n# Includes required DSO modules. This is mandatory in proftpd 1.3\n#\nInclude\t/etc/proftpd/modules.conf\n\n" >$FTP_TMP.tmp.$$ + cat $FTP_TMP >>$FTP_TMP.tmp.$$ + mv -f $FTP_TMP.tmp.$$ $FTP_TMP + fi + fi +} + +# Generiranje SSL certifikata +make_ssl_cert() +{ + if [ ! -f $SSL_CERT ] ; then + cd $(dirname $SSL_CERT) + echo "CN: Generating SSL certificate ... " + openssl req -new -x509 -days 365 -nodes -out $(basename $SSL_CERT) -keyout $(basename $SSL_KEY) + echo "CN: Self-signed SSL certificate generated in $SSL_CERT." + echo "CN: Please note that the certificate will expire in one year." + fi +} + +# purge starog proftpd-common paketa bi napravio rusvaj +defuse_old_postrm() +{ + if [ -f /var/lib/dpkg/info/proftpd-common.postrm ]; then + cp_check_and_sed '^[^#]*(update-rc.d|update-inetd|/var/run/proftpd)' \ + '/update-rc.d/d; /update-inetd/d; /var\/run\/proftpd/d' \ + /var/lib/dpkg/info/proftpd-common.postrm || true + fi +} + +defuse_old_postrm +disable_anonymous +fix_conf +add_tls +include_modules +make_ssl_cert + +if [ -z "$2" ]; then + echo "CN: Proftpd-cn is configured with disabled anonymous FTP access," + echo "CN: for the security reasons." +fi + +if ! cmp -s $FTP_TMP $FTP_CONF; then + echo "CN: Original configuration file is saved in $FTP_OLD." + cp_mv $FTP_TMP $FTP_CONF +else + rm -f $FTP_TMP +fi + +echo "CN: Restarting proftpd ..." + +if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d proftpd restart +else + /etc/init.d/proftpd restart +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/postrm b/debian/postrm new file mode 100755 index 0000000..050f590 --- /dev/null +++ b/debian/postrm 
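Review bot: In debian/postinst, `make_ssl_cert` writes an unencrypted private key (`-nodes`) to `SSL_KEY=/etc/ssl/certs/ftpd-rsa-key.pem` and never sets a umask or file mode, so the key lands in the world-readable certs directory with whatever permissions openssl and the current umask produce. At minimum wrap the call as `( umask 077; openssl req ... )` or add `chmod 600 "$SSL_KEY"` after it; moving the key to `/etc/ssl/private/` would be cleaner but needs a migration step for hosts that already have it. Because the function returns early when `$SSL_CERT` exists, the mode of a key left by an earlier install should be checked outside that `if`. Separately, `openssl req` is called without `-subj` or `-batch`, so it prompts for the subject fields during configure; with the debconf confmodule already sourced this may block a non-interactive install, which is worth confirming.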
@@ -0,0 +1,43 @@
+#!/bin/sh
+# postrm script for proftpd-cn
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ purge)
+ # continue below
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
+
+# import CN-functions
+. /usr/share/carnet-tools/functions.sh
+
+# remove our block
+if [ -e /etc/proftpd/proftpd.conf ]; then
+ cp-update -r proftpd-cn /etc/proftpd/proftpd.conf
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..4e3c6e9
--- /dev/null
+++ b/debian/rules
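Review bot: In debian/postrm the purge branch sources `/usr/share/carnet-tools/functions.sh` under `set -e`, but a package's dependencies are not guaranteed to still be installed at purge time. If carnet-tools-cn has already been removed, the `.` fails and the purge aborts, leaving the proftpd-cn block in proftpd.conf. Guard it with `if [ -r /usr/share/carnet-tools/functions.sh ]; then . /usr/share/carnet-tools/functions.sh; fi` and test that `cp-update` (presumably shipped by the same package) is available before calling it. The certificate and key that postinst generates are also left in place on purge; if that is intended, a short comment saying so would help the next maintainer.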
@@ -0,0 +1,73 @@
+#!/usr/bin/make -f
+# Sample debian/rules that uses debhelper.
+# This file is public domain software, originally written by Joey Hess.
+#
+# This version is for packages that are architecture independent.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+
+ # Add here commands to compile the package.
+ #$(MAKE)
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ # Add here commands to clean up after the build process.
+ #-$(MAKE) clean
+ #-$(MAKE) distclean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/.
+ #$(MAKE) prefix=`pwd`/debian/`dh_listpackages`/usr install
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installcatalogs
+# dh_installpam
+# dh_installmime
+ dh_installinit
+# dh_installcron
+# dh_installinfo
+# dh_undocumented
+ dh_installman
+ dh_link
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
-- 1.7.10.4