An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
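A defender's check that matches the description above, added here as an example (not ProFTPD's or OpenSSL's own code): it lists CRL files that contain zero revoked entries, the input that makes tls_verify_crl dereference NULL, using the openssl CLI, which is assumed to be installed. The `make_empty_crl` helper is constructed sample input (a throwaway CA issuing an empty CRL), and the path passed to `report_empty_crls` stands in for whatever mod_tls's TLSCARevocationFile or TLSCARevocationPath points at.

```shell
#!/bin/sh
# Audit CRL files for the empty-CRL case described above (example added for
# this advisory, not ProFTPD's code). Assumes the openssl CLI is on PATH.

# crl_is_empty FILE: 0 if the CRL has no revoked entries, 1 if it lists
# revocations, 2 if FILE is not a PEM or DER CRL at all.
crl_is_empty() {
    text=$(openssl crl -in "$1" -inform PEM -noout -text 2>/dev/null) ||
        text=$(openssl crl -in "$1" -inform DER -noout -text 2>/dev/null) ||
        return 2
    case $text in
        *"No Revoked Certificates."*) return 0 ;;
        *) return 1 ;;
    esac
}

# report_empty_crls PATH: PATH is a single CRL file or a directory of them
# (stand-in for what TLSCARevocationFile / TLSCARevocationPath point at);
# prints every CRL that would hand mod_tls an empty revoked list.
report_empty_crls() {
    for f in "$1"/* "$1"; do
        [ -f "$f" ] || continue
        if crl_is_empty "$f"; then printf '%s\n' "$f"; fi
    done
}

# make_empty_crl DIR: constructed sample input. Builds a throwaway CA in DIR
# and issues a CRL that revokes nothing, i.e. a legitimate but empty CRL.
make_empty_crl() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=constructed-ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    : > "$dir/index.txt"          # empty CA database: nothing ever revoked
    echo 01 > "$dir/crlnumber"
    printf '[ca]\ndefault_ca = c\n[c]\ndatabase = %s/index.txt\n' "$dir" > "$dir/ca.cnf"
    printf 'crlnumber = %s/crlnumber\ndefault_md = sha256\ndefault_crl_days = 7\n' \
        "$dir" >> "$dir/ca.cnf"
    openssl ca -config "$dir/ca.cnf" -gencrl -keyfile "$dir/ca.key" \
        -cert "$dir/ca.crt" -out "$dir/empty.crl" 2>/dev/null
}

# Usage: sh check_crls.sh /etc/pki/tls/crls   (stand-in path)
[ "$#" -eq 0 ] || report_empty_crls "$1"
```

An empty CRL reported here is not a misconfiguration in itself; it is the condition under which an unpatched server crashes during client-certificate verification, so either update ProFTPD or keep such files out of the configured CRL location until you have.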
Created proftpd tracking bugs for this issue:

Affects: epel-6 [bug 1777977]
Affects: epel-7 [bug 1777978]
Affects: fedora-all [bug 1777976]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
(In reply to Guilherme de Almeida Suckevicz from comment #1)
> Created proftpd tracking bugs for this issue:
>
> Affects: epel-6 [bug 1777977]
> Affects: epel-7 [bug 1777978]
> Affects: fedora-all [bug 1777976]

Also affects epel-8-playground, fixed in proftpd-1.3.6b-2.epel8.playground.
In reply to comment #3:
> Also affects epel-8-playground, fixed in proftpd-1.3.6b-2.epel8.playground.

Thank you for letting me know that. Do you need a bug for proftpd in epel-8?
(In reply to Guilherme de Almeida Suckevicz from comment #4)
> In reply to comment #3:
> > Also affects epel-8-playground, fixed in proftpd-1.3.6b-2.epel8.playground.
>
> Thank you for letting me know that. Do you need a bug for proftpd in epel-8?

Not unless it helps your tracking. I've already built the updated version and it'll go out with the next push.
Created proftpd tracking bugs for this issue:

Affects: epel-8 [bug 1778206]
In reply to comment #5:
> Not unless it helps your tracking. I've already built the updated version
> and it'll go out with the next push.

It's created, thank you Paul.