public inbox for git-commits@fedoraproject.org
From: Paul Howarth <paul@city-fan.org>
To: git-commits@fedoraproject.org
Subject: [rpms/proftpd] epel10: Update proftpd to 1.3.9b and mod_proxy to 0.9.7
Date: Mon, 08 Jun 2026 16:03:57 GMT
Message-ID: <178093463708.1.13857902620670502889.rpms-proftpd-ef0d3e654f69@fedoraproject.org>

            A new commit has been pushed.

            Repo   : rpms/proftpd
            Branch : epel10
            Commit : ef0d3e654f697ebb0bc6e653f2d608e4cf6afca7
            Author : Paul Howarth <paul@city-fan.org>
            Date   : 2026-06-08T16:51:55+01:00
            Stats  : +54/-237 in 7 file(s)
            URL    : https://src.fedoraproject.org/rpms/proftpd/c/ef0d3e654f697ebb0bc6e653f2d608e4cf6afca7?branch=epel10

            Log:
            Update proftpd to 1.3.9b and mod_proxy to 0.9.7

- New upstream release 1.3.9b
  - Fix SQL Injection in mod_wrap2_sql via reverse DNS hostname (GH#2057,
    CVE-2026-44331)
  - Additional fix for session management with OpenSSL 3.2.x or later, when
    using TLSv1.2 or earlier; this complements the fix for GH#1963 (GH#2096)
  - Hard quota limits on uploads do not cause SFTP WRITE requests to fail as
    expected (GH#2098)
  - Fix SSH payload length underflow calculation for ETM/ChaChaPoly algorithms
    in mod_sftp (GH#2102)
  - SSH packet with empty payload triggered null pointer dereference in
    mod_sftp (GH#2104)
  - Bad DSA signatures could lead to out-of-bounds read of heap memory in
    mod_sftp (GH#2106)
  - Mismatched RSA/DSA algorithm signatures could lead to null dereference in
    mod_sftp (GH#2108)
  - SFTP request payload length underflow calculation in mod_sftp (GH#2115)
  - Several modules failed to build using OpenSSL 4.0 (GH#2120)
- Update mod_proxy to 0.9.7
  - Add a check on the maximum allowed SSH payload (vs. packet) length (GH#291)
  - Set the payload_len field before checking its value (GH#292)
  - Keep the SSH packet reading code in mod_proxy more in line with what is
    done in mod_sftp, for legibility (GH#294)
  - Implement support for the OpenSSH-specific ChaChaPoly SSH algorithm
    (GH#295, GH#296)
  - Correct misspellings noted by codespell (GH#297)
  - Use clang-tidy to start polishing the codebase (GH#298)
  - Disable the Nagle algorithm by default on our TCP connections to back-end
    servers (GH#299)
  - Require OpenSSL for building (GH#249, GH#300)
  - Documentation fixes
  - Implement a limit on the number of EXT_INFO extensions we'll be willing to
    accept (GH#303)
  - Comparison of expected/provided MAC data should be done in a constant-time
    manner
  - Support PKCS11-stored private keys
  - Implement the "mlkem768x25519-sha256" and "sntrup761x25519-sha512"
    post-quantum SSH key exchange mechanisms (GH#306)
  - Add sanity check for SRV record lengths
  - Ensure that the SSH payload length computation, for ETM/ChaChaPoly packets,
    does not underflow
  - If we detect a bad DSA signature length, properly error out
  - Ensure that RSA/DSA signatures match their expected algorithm types, and
    avoid null pointer dereferences
  - Update to build against OpenSSL 4.x (GH#313)

---
diff --git a/.gitignore b/.gitignore
index 697a1ba..7eeea01 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,12 @@
-# rawhide/f44/f43/f42/epel10
-# note: the v0.9.5.tar.gz is mod_proxy
+# rawhide/f44/f43/epel10
 /proftpd-1.3.9a.tar.gz
 /v0.9.12.tar.gz
-/v0.9.5.tar.gz
+/v0.9.7.tar.gz
 # epel9
 /proftpd-1.3.8d.tar.gz
 /v0.9.11.tar.gz
 /v0.9.4.tar.gz
 # epel8
-# note: the v0.9.5.tar.gz is mod_vroot
 /proftpd-1.3.6e.tar.gz
 /v0.9.5.tar.gz
+/proftpd-1.3.9b.tar.gz
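
Review bot: the new `/proftpd-1.3.9b.tar.gz` entry is appended at the bottom, under the `# epel8` group, while `/proftpd-1.3.9a.tar.gz` stays listed under `# rawhide/f44/f43/epel10`. If this branch no longer uses the 1.3.9a tarball, replace that line in place so that each group still lists the sources its comment names.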

diff --git a/04d89957.patch b/04d89957.patch
deleted file mode 100644
index 866ab74..0000000
--- a/04d89957.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 04d89957d8ace325ef76fdfab22049df16a40c0b Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj@castaglia.org>
-Date: Tue, 5 May 2026 17:22:18 -0700
-Subject: [PATCH] Issue #2052: It is possible that some note values come from
- client-supplied text, and as such, they should always be escaped as well.
-
----
- contrib/mod_sql.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/contrib/mod_sql.c b/contrib/mod_sql.c
-index 4872f5fa6..bafe175ff 100644
---- a/contrib/mod_sql.c
-+++ b/contrib/mod_sql.c
-@@ -987,6 +987,7 @@ static int sql_resolve_on_meta(pool *p, pr_jot_ctx_t *jot_ctx,
-       case LOGFMT_META_FILENAME:
-       case LOGFMT_META_IDENT_USER:
-       case LOGFMT_META_METHOD:
-+      case LOGFMT_META_NOTE_VAR:
-       case LOGFMT_META_ORIGINAL_USER:
-       case LOGFMT_META_RESPONSE_STR:
-       case LOGFMT_META_REMOTE_HOST:
-@@ -1016,7 +1017,6 @@ static int sql_resolve_on_meta(pool *p, pr_jot_ctx_t *jot_ctx,
-       case LOGFMT_META_LOCAL_FQDN:
-       case LOGFMT_META_LOCAL_IP:
-       case LOGFMT_META_LOCAL_NAME:
--      case LOGFMT_META_NOTE_VAR:
-       case LOGFMT_META_PROTOCOL:
-       case LOGFMT_META_REMOTE_IP:
-       case LOGFMT_META_VERSION:

diff --git a/07797aba.patch b/07797aba.patch
deleted file mode 100644
index 521f75d..0000000
--- a/07797aba.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 07797aba88dca902da7eaf1dfe262c8896943de7 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj@castaglia.org>
-Date: Tue, 5 May 2026 09:56:33 -0700
-Subject: [PATCH] Issue #2057: Properly escape the "name" provided when doing
- SQL lookups for allowed/denied client IP addresses or DNS names.
-
----
- contrib/mod_wrap2_sql.c | 49 +++++++++++++++++++++++++++++++++++++----
- 1 file changed, 45 insertions(+), 4 deletions(-)
-
-diff --git a/contrib/mod_wrap2_sql.c b/contrib/mod_wrap2_sql.c
-index eaf6ea7dc5..d4fd56e699 100644
---- a/contrib/mod_wrap2_sql.c
-+++ b/contrib/mod_wrap2_sql.c
-@@ -1,7 +1,7 @@
- /*
-  * ProFTPD: mod_wrap2_sql -- a mod_wrap2 sub-module for supplying IP-based
-  *                           access control data via SQL tables
-- * Copyright (c) 2002-2016 TJ Saunders
-+ * Copyright (c) 2002-2026 TJ Saunders
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -25,7 +25,7 @@
- #include "mod_wrap2.h"
- #include "mod_sql.h"
- 
--#define MOD_WRAP2_SQL_VERSION		"mod_wrap2_sql/1.0"
-+#define MOD_WRAP2_SQL_VERSION		"mod_wrap2_sql/1.1"
- 
- #define WRAP2_SQL_NSLOTS		2
- #define WRAP2_SQL_CLIENT_QUERY_IDX	0
-@@ -62,6 +62,41 @@ static int sqltab_close_cb(wrap2_table_t *sqltab) {
-   return 0;
- }
- 
-+static char *sqltab_get_escaped_text(pool *p, wrap2_table_t *sqltab,
-+    const char *text) {
-+  pool *tmp_pool = NULL;
-+  cmdtable *sql_cmdtab = NULL;
-+  cmd_rec *sql_cmd = NULL;
-+  modret_t *sql_res = NULL;
-+
-+  /* Find the cmdtable for the sql_escapestr command, as the provided
-+   * name needs to be properly escaped for SQL syntax; see Issue #2057.
-+   */
-+  sql_cmdtab = pr_stash_get_symbol2(PR_SYM_HOOK, "sql_escapestr", NULL, NULL,
-+    NULL);
-+  if (sql_cmdtab == NULL) {
-+    wrap2_log("error: unable to find SQL hook symbol 'sql_escapestr': "
-+      "perhaps your proftpd.conf needs 'LoadModule mod_sql.c'?");
-+    return NULL;
-+  }
-+
-+  sql_cmd = sql_cmd_create(tmp_pool, 1, text);
-+  sql_res = pr_module_call(sql_cmdtab->m, sql_cmdtab->handler, sql_cmd);
-+  if (sql_res == NULL) {
-+    wrap2_log("sql_escapestr '%s' returned no data; "
-+      "see the mod_sql.c SQLLogFile for more details", text);
-+    return NULL;
-+  }
-+
-+  if (MODRET_ISERROR(sql_res)) {
-+    wrap2_log("error processing sql_escapestr '%s': "
-+      "check the mod_sql.c SQLLogFile for more details", text);
-+    return NULL;
-+  }
-+
-+  return sql_res->data;
-+}
-+
- static array_header *sqltab_fetch_clients_cb(wrap2_table_t *sqltab,
-     const char *name) {
-   register unsigned int i;
-@@ -70,12 +105,18 @@ static array_header *sqltab_fetch_clients_cb(wrap2_table_t *sqltab,
-   cmd_rec *sql_cmd = NULL;
-   modret_t *sql_res = NULL;
-   array_header *sql_data = NULL;
--  char *query = NULL, **vals = NULL;
-+  char *escaped_name = NULL, *query = NULL, **vals = NULL;
-   array_header *clients_list = NULL;
- 
-   /* Allocate a temporary pool for the duration of this read. */
-   tmp_pool = make_sub_pool(sqltab->tab_pool);
- 
-+  escaped_name = sqltab_get_escaped_text(tmp_pool, sqltab, name);
-+  if (escaped_name == NULL) {
-+    destroy_pool(tmp_pool);
-+    return NULL;
-+  }
-+
-   query = ((char **) sqltab->tab_data)[WRAP2_SQL_CLIENT_QUERY_IDX];
- 
-   /* Find the cmdtable for the sql_lookup command. */
-@@ -89,7 +130,7 @@ static array_header *sqltab_fetch_clients_cb(wrap2_table_t *sqltab,
-   }
- 
-   /* Prepare the SELECT query. */
--  sql_cmd = sql_cmd_create(tmp_pool, 3, "sql_lookup", query, name);
-+  sql_cmd = sql_cmd_create(tmp_pool, 3, "sql_lookup", query, escaped_name);
- 
-   /* Call the handler. */
-   sql_res = pr_module_call(sql_cmdtab->m, sql_cmdtab->handler, sql_cmd);
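
Review bot: in the dropped `sqltab_get_escaped_text()`, the local `tmp_pool` is initialised to NULL and never assigned, yet it is what gets passed to `sql_cmd_create(tmp_pool, 1, text)`; the `p` and `sqltab` parameters go unused. Since this patch file is being deleted in favour of the 1.3.9b tarball, check that the upstream copy of the helper allocates from the caller's pool `p`, so that the escape command is released when `sqltab_fetch_clients_cb()` calls `destroy_pool(tmp_pool)`.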

diff --git a/5e06acc4.patch b/5e06acc4.patch
deleted file mode 100644
index 270db6c..0000000
--- a/5e06acc4.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 5e06acc4687046c7bf794b55bd8c44a86a05ae61 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj@castaglia.org>
-Date: Tue, 5 May 2026 15:59:08 -0700
-Subject: [PATCH] Issue #2057: The same escaping of possibly remote DNS
- hostname should be done when fetching any optional "options" from the SQL
- tables as well.
-
----
- contrib/mod_wrap2_sql.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/contrib/mod_wrap2_sql.c b/contrib/mod_wrap2_sql.c
-index d4fd56e69..0d52e3833 100644
---- a/contrib/mod_wrap2_sql.c
-+++ b/contrib/mod_wrap2_sql.c
-@@ -233,16 +233,22 @@ static array_header *sqltab_fetch_options_cb(wrap2_table_t *sqltab,
-   cmd_rec *sql_cmd = NULL;
-   modret_t *sql_res = NULL;
-   array_header *sql_data = NULL;
--  char *query = NULL, **vals = NULL;
-+  char *escaped_name = NULL, *query = NULL, **vals = NULL;
-   array_header *options_list = NULL;
- 
-   /* Allocate a temporary pool for the duration of this read. */
-   tmp_pool = make_sub_pool(sqltab->tab_pool);
- 
-+  escaped_name = sqltab_get_escaped_text(tmp_pool, sqltab, name);
-+  if (escaped_name == NULL) {
-+    destroy_pool(tmp_pool);
-+    return NULL;
-+  }
-+
-   query = ((char **) sqltab->tab_data)[WRAP2_SQL_OPTION_QUERY_IDX];
- 
-   /* The options-query is not necessary.  Skip if not present. */
--  if (!query) {
-+  if (query == NULL) {
-     destroy_pool(tmp_pool);
-     return NULL;
-   }
-@@ -258,7 +264,7 @@ static array_header *sqltab_fetch_options_cb(wrap2_table_t *sqltab,
-   }
- 
-   /* Prepare the SELECT query. */
--  sql_cmd = sql_cmd_create(tmp_pool, 3, "sql_lookup", query, name);
-+  sql_cmd = sql_cmd_create(tmp_pool, 3, "sql_lookup", query, escaped_name);
- 
-   /* Call the handler. */
-   sql_res = pr_module_call(sql_cmdtab->m, sql_cmdtab->handler, sql_cmd);
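
Review bot: in `sqltab_fetch_options_cb()` the `sqltab_get_escaped_text()` call sits above the "options-query is not necessary" check, so the `sql_escapestr` call and its error logging run even when no options query is configured. Moving the escape below the `query == NULL` early return keeps the optional path free of that work; it is worth confirming how 1.3.9b orders the two before relying on the tarball in place of this patch.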

diff --git a/7e076e84.patch b/7e076e84.patch
deleted file mode 100644
index 78a4d49..0000000
--- a/7e076e84.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 7e076e844ab5da63a0887b875aca2c3cfbc83a49 Mon Sep 17 00:00:00 2001
-From: TJ Saunders <tj@castaglia.org>
-Date: Thu, 7 May 2026 09:15:08 -0700
-Subject: [PATCH] Issue #2052: It is possible that some environment values come
- from user-supplied text, so we should always escape `%{env:...}` variables,
- too.
-
----
- contrib/mod_sql.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/contrib/mod_sql.c b/contrib/mod_sql.c
-index bafe175ff..b90725942 100644
---- a/contrib/mod_sql.c
-+++ b/contrib/mod_sql.c
-@@ -984,6 +984,7 @@ static int sql_resolve_on_meta(pool *p, pr_jot_ctx_t *jot_ctx,
-       case LOGFMT_META_COMMAND:
-       case LOGFMT_META_DIR_NAME:
-       case LOGFMT_META_DIR_PATH:
-+      case LOGFMT_META_ENV_VAR:
-       case LOGFMT_META_FILENAME:
-       case LOGFMT_META_IDENT_USER:
-       case LOGFMT_META_METHOD:
-@@ -1010,7 +1011,6 @@ static int sql_resolve_on_meta(pool *p, pr_jot_ctx_t *jot_ctx,
-       }
- 
-       case LOGFMT_META_CLASS:
--      case LOGFMT_META_ENV_VAR:
-       case LOGFMT_META_EOS_REASON:
-       case LOGFMT_META_GROUP:
-       case LOGFMT_META_ISO8601:

diff --git a/proftpd.spec b/proftpd.spec
index b4dc616..9274909 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -17,13 +17,13 @@
 %undefine _strict_symbol_defs_build
 
 #global prever rc4
-%global baserelease 2
-%global mod_proxy_version 0.9.5
+%global baserelease 1
+%global mod_proxy_version 0.9.7
 %global mod_vroot_version 0.9.12
 
 Summary:		Flexible, stable and highly-configurable FTP server
 Name:			proftpd
-Version:		1.3.9a
+Version:		1.3.9b
 Release:		%{?prever:0.}%{baserelease}%{?prever:.%{prever}}%{?dist}
 License:		GPL-2.0-or-later
 URL:			http://www.proftpd.org/
@@ -43,10 +43,6 @@ Source11:		http://github.com/Castaglia/proftpd-mod_proxy/archive/v%{mod_proxy_ve
 Patch1:			proftpd-1.3.8-shellbang.patch
 Patch2:			mod_proxy-certificate.patch
 Patch3:			proftpd-1.3.4rc1-mod_vroot-test.patch
-Patch11:		https://github.com/proftpd/proftpd/commit/04d89957.patch
-Patch12:		https://github.com/proftpd/proftpd/commit/7e076e84.patch
-Patch13:		https://github.com/proftpd/proftpd/commit/07797aba.patch
-Patch14:		https://github.com/proftpd/proftpd/commit/5e06acc4.patch
 
 BuildRequires:		coreutils
 BuildRequires:		gcc
@@ -228,17 +224,6 @@ mv contrib/README contrib/README.contrib
 # If we're running the full test suite, include the mod_vroot test
 %patch -P 3 -p1 -b .test_vroot
 
-# Additional escaping for avoidance of SQL injection issues with %%{note:...} and %%{env:...}
-# These are on top of the existing fix for CVE-2026-42167 in 1.3.10rc1
-# https://github.com/proftpd/proftpd/issues/2052
-%patch -P 11 -p1
-%patch -P 12 -p1
-
-# Fix for SQL Injection in mod_wrap2_sql via reverse DNS hostname (CVE-2026-44331)
-# https://github.com/proftpd/proftpd/issues/2057
-%patch -P 13 -p1
-%patch -P 14 -p1
-
 # Tweak logrotate script for systemd compatibility (#802178)
 sed -i -e '/killall/s/test.*/systemctl try-reload-or-restart proftpd.service/' \
 	contrib/dist/rpm/proftpd.logrotate
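
Review bot: nothing in this commit shows that 1.3.9b contains the GH#2052 escaping that the removed `%patch -P 11` and `%patch -P 12` lines applied; the 1.3.9b change list names only GH#2057. Before dropping them, confirm that `contrib/mod_sql.c` in the 1.3.9b tarball has `LOGFMT_META_NOTE_VAR` and `LOGFMT_META_ENV_VAR` in the escaped group of `sql_resolve_on_meta()`; if it does not, Patch11 and Patch12 need to stay.
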
@@ -476,6 +461,52 @@ fi
 %{_mandir}/man1/ftpwho.1*
 
 %changelog
+* Mon Jun  8 2026 Paul Howarth <paul@city-fan.org> - 1.3.9b-1
+- Update to 1.3.9b
+  - Fix SQL Injection in mod_wrap2_sql via reverse DNS hostname (GH#2057,
+    CVE-2026-44331)
+  - Additional fix for session management with OpenSSL 3.2.x or later, when
+    using TLSv1.2 or earlier; this complements the fix for GH#1963 (GH#2096)
+  - Hard quota limits on uploads do not cause SFTP WRITE requests to fail as
+    expected (GH#2098)
+  - Fix SSH payload length underflow calculation for ETM/ChaChaPoly algorithms
+    in mod_sftp (GH#2102)
+  - SSH packet with empty payload triggered null pointer dereference in
+    mod_sftp (GH#2104)
+  - Bad DSA signatures could lead to out-of-bounds read of heap memory in
+    mod_sftp (GH#2106)
+  - Mismatched RSA/DSA algorithm signatures could lead to null dereference in
+    mod_sftp (GH#2108)
+  - SFTP request payload length underflow calculation in mod_sftp (GH#2115)
+  - Several modules failed to build using OpenSSL 4.0 (GH#2120)
+- Update mod_proxy to 0.9.7
+  - Add a check on the maximum allowed SSH payload (vs. packet) length (GH#291)
+  - Set the payload_len field before checking its value (GH#292)
+  - Keep the SSH packet reading code in mod_proxy more in line with what is
+    done in mod_sftp, for legibility (GH#294)
+  - Implement support for the OpenSSH-specific ChaChaPoly SSH algorithm
+    (GH#295, GH#296)
+  - Correct misspellings noted by codespell (GH#297)
+  - Use clang-tidy to start polishing the codebase (GH#298)
+  - Disable the Nagle algorithm by default on our TCP connections to back-end
+    servers (GH#299)
+  - Require OpenSSL for building (GH#249, GH#300)
+  - Documentation fixes
+  - Implement a limit on the number of EXT_INFO extensions we'll be willing to
+    accept (GH#303)
+  - Comparison of expected/provided MAC data should be done in a constant-time
+    manner
+  - Support PKCS11-stored private keys
+  - Implement the "mlkem768x25519-sha256" and "sntrup761x25519-sha512"
+    post-quantum SSH key exchange mechanisms (GH#306)
+  - Add sanity check for SRV record lengths
+  - Ensure that the SSH payload length computation, for ETM/ChaChaPoly packets,
+    does not underflow
+  - If we detect a bad DSA signature length, properly error out
+  - Ensure that RSA/DSA signatures match their expected algorithm types, and
+    avoid null pointer dereferences
+  - Update to build against OpenSSL 4.x (GH#313)
+
 * Mon May 11 2026 Paul Howarth <paul@city-fan.org> - 1.3.9a-2
 - Additional escaping for avoidance of SQL injection issues with %%{note:...}
   and %%{env:...}; these are on top of the existing fix for CVE-2026-42167 in
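
Review bot: the new 1.3.9b-1 changelog entry does not record that Patch11 to Patch14 were dropped. Add a line saying the GH#2052 and GH#2057 patches were removed because they are included upstream, so the entry accounts for the SQL injection patches that the 1.3.9a-2 entry directly below it describes.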

diff --git a/sources b/sources
index 959a85f..3354efa 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (proftpd-1.3.9a.tar.gz) = 217780522a9366dd16c678ab4ca3de8a6079482a0d68d2f0ab7869d0f8aba4982d0cb0105821f52c8d2fca6f76b3156da70bdbb7d01ac96ad5c16f99f33fdd76
+SHA512 (proftpd-1.3.9b.tar.gz) = bfcfe013db3b93247abacd2fd8fb2d929feede4e7f804a2416ca161c5cc1a3a4a18e1cc5914ae6536ebc2f40da69c1713a65c1317a3a8cbfe63706709f2e4dec
 SHA512 (v0.9.12.tar.gz) = a84c14b9d05c4890abe50c86f832c91fa4d0971bc2b1866a3a34d73ff85acd1e902fc0cae739e22ea46e530c73230fb005ea9edeb68fd6cfb963e0c5ca9655ec
-SHA512 (v0.9.5.tar.gz) = 72fc691ea480f3c71ac2f21a1d35465412faf09fddb1b78f6e8f7b26fbf9a7db7813a74dd3e20b9992430bd7a61ef55395474a9c4b6ccaf45ee3e2b36784346b
+SHA512 (v0.9.7.tar.gz) = 9979dc21ebebf5f219303769cebd73be9ab66ae7f50756fa12bdf37bcac1cdc9ac70feeb557ef16bb4bb3fcf8121aed4d16b6a0e5c0738bbcc53a0055410c3cd
