Bug 1778258 (CVE-2019-19270)

Summary: CVE-2019-19270 proftpd: failure to check for the appropriate field of a CRL entry prevents some valid CRLs from being taken into account
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ingvar, itamar, matthias, paul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-29 19:04:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1778260, 1778261    
Bug Blocks:    

Description Guilherme de Almeida Suckevicz 2019-11-29 16:22:08 UTC 
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

Reference:
https://github.com/proftpd/proftpd/issues/859
Comment 1 Guilherme de Almeida Suckevicz 2019-11-29 16:24:16 UTC 
Created proftpd tracking bugs for this issue:

Affects: epel-all [bug 1778261]
Affects: fedora-all [bug 1778260]
Comment 2 Product Security DevOps Team 2019-11-29 19:04:54 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.