ProFTPD 1.3.3e - PCI complian scan failed

[snowfire]

ProFTPD 1.3.3e - PCI compliance scan failed

Hello
I just completed a clients container upgrade from 10.3 to 10.4.4 (media Temple Plesk Parallels panel) specifically to fix the issue with ProFTPD.
I just ran a new pci scan, and it failed on ProFtpD( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4130), It lists the solution as "upgrade to 1.3.3g".
current version: psa-proftpd 1.3.3e-cos5.build1013111101.14
according to the knowledgebase(http://www.parallels.com/products/plesk/documentation/proftpd/) the current version should be fine, is this true, should I contact security metrics and submit some type of mitigation?

Is this version available for upgrade? would I have to do a command line micro upgrade (my panel does not list any upgrades for the container)?
thank you for your help

 

[burnleyvic]

snowfire, you might also be interested in http://forum.parallels.com/showthread.php?t=257843 - they're tightly related and have a common cause, that is Plesk patching a 1.3.4a installation using with the wrong proftpd binary, one that doesn't even have DSO support, making it impossible to load modules at runtime.

 

[burnleyvic]

Updates at http://forum.parallels.com/showthread.php?p=618186#post618186

 

[snowfire]

thanks for the update burnleyvic.
can any one at plesk please address this, is there an update to 1.3.3 g, or 1.3.4?
my client is very insistent that this get fixed asap, because their shopping cart is currently not pci compliant.
thank you

 

[snowfire]

can any one at plesk please address this, is there an update to 1.3.3 g, or 1.3.4?
others with the same issue:
http://forum.parallels.com/showthread.php?t=257515
can anyone from plesk please update if there is a patch available.
thank you

 

[AcerPalmatum]

Cve-2011-4130

can any one at plesk please address this, is there an update to 1.3.3 g, or 1.3.4?
others with the same issue:
http://forum.parallels.com/showthread.php?t=257515
can anyone from plesk please update if there is a patch available.
thank you

Also need a resolution of this issue. This update was released 9 Nov 11.
According to scan this is a severity 9 issue.

 

[snowfire]

Also need a resolution of this issue. This update was released 9 Nov 11.
According to scan this is a severity 9 issue.

since the previous ProFtp vulnerability was released in nov 2010 - and not patched until nov 2011,
how much you want to bet this won't be fixed until 2013 ?
looks like others patch proftp themselves:
http://forum.parallels.com/showthread.php?t=108791

 

[AcerPalmatum]

Agreed

Yea,

This was what our hosting company recommended as well...
Uh, kind of defeats the point of having a hosting company/using Plesk.
I should have just gone with Amazon.

 

[AcerPalmatum]

thanks for the link, works like a champ & will be careful of the microupdates...

 

[snowfire]

did that patch update you to 1.3.3g?
I haven't tried it yet myself, just found it. any issues with ftp afterwards?