1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Proftpd source servers compromised - backdoor inserted in proftpd-1.3.3c source

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by Mshaker, Dec 2, 2010.

  1. Mshaker

    Mshaker Basic Pleskian

    18
    85%
    Joined:
    Oct 21, 2010
    Messages:
    75
    Likes Received:
    0
  2. Mshaker

    Mshaker Basic Pleskian

    18
    85%
    Joined:
    Oct 21, 2010
    Messages:
    75
    Likes Received:
    0
    It seems that both atomics psa-proftpd rpms and plesks own micro-update are not affected by the compromise ;)
     
  3. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Definitely not. The source tar.gz's are also signed with proftpd's upstream GPG key, and part of our build system is an automatic validation against that key. Were it to have occurred when we built the 1.3.3c packages (October 29th) it would have failed right there.

    Furthermore proftpd is one of the packages I personally maintain at atomicorp. Due to the number of modifications Ive made to it I have to go over all the changes from upstream to the source code manually to re-integrate my patches to it every time they make an update.

    Last but not least, all atomicorp packages are signed with our GPG key before they go out. That private key does not live on any publicly accessible system, and furthermore aside from a copy kept in our safe (in case I get hit by a train) only I know the pass phrase to that key.
     
Loading...