Errata overview
Errata ID 479
Date 2020-03-11
Source package proftpd-dfsg
Fixed in version 1.3.5b-4+deb9u4
This update addresses the following issues:
* An issue was discovered in tls_verify_crl in ProFTPD: A dereference of a
  NULL pointer may occur. This pointer is returned by the OpenSSL
  sk_X509_REVOKED_value() function when encountering an empty CRL installed
  by a system administrator. The dereference occurs when validating the
  certificate of a client connecting to the server in a TLS client/server
  mutual-authentication setup. (CVE-2019-19269)
* In ProFTPD it is possible to corrupt the memory pool by interrupting the
  data transfer channel. This triggers a use-after-free in alloc_pool in
  pool.c, and possible remote code execution. (CVE-2020-9273)
Additional notes
CVE ID CVE-2019-19269
UCS Bug number #50876