From 8c092c4a82abcebfaae0d4e41f34379d9f5e5e00 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Wed, 28 Jan 2026 06:51:18 +0100 Subject: [PATCH] proftpd: ignore CVE-2021-47865 Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865 This CVE was opened based on a 5 years old Github issue[1], and has been made public recently. The CVE wasn't officially disputed (yet?), but based on the description and the given PoC the application is working as expected. The vulnerability description and the PoC basically configures proftpd to accept maximum x connections, and then when the user tries to open x + 1 concurrent connections, it refuses new connections over the configured limit. See also discussion in the Github issue. I just put it on the ignore list. [1]: https://github.com/proftpd/proftpd/issues/1298 Signed-off-by: Gyorgy Sarvari --- meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb index b8f2b50f79..7aee6d1281 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb @@ -28,6 +28,9 @@ inherit autotools-brokensep useradd update-rc.d systemd multilib_script # fixed-version: version 1.2.0rc3 removed affected module CVE_CHECK_IGNORE += "CVE-2001-0027" +# the issue is not a vulnerability, works as expected +CVE_CHECK_IGNORE += "CVE-2021-47865" + PACKAGECONFIG ??= "shadow \ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 pam', d)} \ static \