From 2865b67e293ebfc706a5531ef79bfb9826d8cc6d Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Mon, 2 Feb 2026 17:37:11 +0100 Subject: [PATCH] proftpd: ignore CVE-2021-47865 Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865 This CVE was opened based on a 5 years old Github issue[1], and has been made public recently. The CVE wasn't officially disputed (yet?), but based on the description and the given PoC the application is working as expected. The vulnerability description and the PoC basically configures proftpd to accept maximum x connections, and then when the user tries to open x + 1 concurrent connections, it refuses new connections over the configured limit. See also discussion in the Github issue. It seems that it won't be fixed, because there is nothing to fix. [1]: https://github.com/proftpd/proftpd/issues/1298 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb index 65dd2f9561..d64e0a0495 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.9.bb @@ -25,6 +25,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "(?P(\d+(\.\d+)+\w?))" CVE_VERSION_SUFFIX = "alphabetical" CVE_STATUS[CVE-2001-0027] = "fixed-version: version 1.2.0rc3 removed affected module" +CVE_STATUS[CVE-2021-47865] = "upstream-wontfix: it is not a vulnerability but inproper configuration" EXTRA_OECONF += "--enable-largefile INSTALL=install"