Package: proftpd-basic
Severity: grave
Tags: security
Justification: user security hole

proftpd-basic ships with a file /etc/proftpd/dhparams.pem with the following header text:

    # Note that these DH parameters should be refreshed every so often (e.g.
    # every few years). These parameters were last updated on 2008-09-07.

It seems to me that a "few years" have gone by now, and will be long gone by the end of the supported lifecycle of a stable Debian release.

I understand that the parameters are CPU-hungry to generate (I am trying right now on a virtual server and am only halfway through after an hour), so it makes sense not to generate them at install time, and probably not at every build either.

I therefore suggest not installing the upstream-provided file but one shipped with the Debian packaging, providing a custom build target to regenerate that file, and having the normal build routines check the embedded timestamp and fail if it is more than one year old.

Regards,
- Jonas
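An added example of the build-time freshness check proposed above; it is not part of the bug report or of the proftpd packaging. It parses the "last updated on YYYY-MM-DD" comment from a dhparams.pem, fails if the stamp is older than MAX_AGE_DAYS (a value chosen here), and assumes GNU `date -d` (as on Debian) with a BSD `date -j` fallback.

```shell
#!/bin/sh
# Freshness check for a PEM file carrying a "last updated on YYYY-MM-DD" comment.
# Hypothetical helper, not from proftpd or its Debian packaging.

MAX_AGE_DAYS=365   # chosen limit; the report proposes "more than one year old"

# dhparams_age_days FILE: print the age in days of the embedded timestamp.
# Returns 2 when no timestamp can be found or parsed.
dhparams_age_days() {
    stamp=$(sed -n 's/^#.*last updated on \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p' "$1" | head -n 1)
    [ -n "$stamp" ] || { echo "$1: no 'last updated on' timestamp found" >&2; return 2; }
    now_ts=$(date -u +%s)
    # GNU date first; fall back to BSD date syntax if -d is unsupported.
    updated_ts=$(date -u -d "$stamp" +%s 2>/dev/null) \
        || updated_ts=$(date -u -j -f %Y-%m-%d "$stamp" +%s 2>/dev/null) \
        || { echo "$1: cannot parse timestamp '$stamp'" >&2; return 2; }
    echo $(( (now_ts - updated_ts) / 86400 ))
}

# check_dhparams FILE: 0 if fresh, 1 if stale (with a regeneration hint), 2 on parse error.
check_dhparams() {
    age=$(dhparams_age_days "$1") || return 2
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then
        echo "$1: DH parameters are $age days old (limit $MAX_AGE_DAYS); regenerate, e.g. openssl dhparam -out $1 2048" >&2
        return 1
    fi
    echo "$1: DH parameters are $age days old, within limit"
    return 0
}
```

Wired into a build target, a non-zero exit from `check_dhparams` makes the build fail until the file is regenerated and its comment updated.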