Upgrade psa-proftpd {1.3.1}, SQL injection vulnerability

[Aaron Bennett]

ref: http://www.milw0rm.com/exploits/8037
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2

1.3.2 (stable)
---------------

+ Security fixes

Fixed encoding-dependent SQL injection vulnerability in mod_sql_mysql
and mod_sql_postgres modules.

---

Have parallels repackaged psa-proftpd yet? (Debian Etch in this case). If not will they look into doing this soon as a priority?

 

[atomicturtle]

An update to address this, and other vulnerabilities in psa-proftpd is available from the atomic archive for RHEL 4/5, CentOS 4/5, and Fedora 6-11

To upgrade:
1) Add the atomic repo
wget -q -O - http://www.atomicorp.com/installers/atomic |sh

2) Upgrade psa-proftpd
yum upgrade psa-proftpd

 

[skiper43]

psa-proftpd won't upgrade

Hello -

I have Plesk 8.6, and run the hotfix, so maybe I'm OK. I was hacked with this vulnerability. However, psa-proftpd is still at 1.3.1.

When I try to upgrade to 1.3.4 w/ the atomic repo, I get:

Transaction Check Error:
file /etc/proftpd.conf from install of psa-proftpd-1.3.4a-1.el5.art.x86_64 conflicts with file from package psa-proftpd-xinetd-1.3.1-cos5.build86080722.00.x86_64
file /etc/xinetd.d/ftp_psa from install of psa-proftpd-1.3.4a-1.el5.art.x86_64 conflicts with file from package psa-proftpd-xinetd-1.3.1-cos5.build86080722.00.x86_64

If I try to remove 1.3.1, yum wants to remove over 100 packages because of dependencies, so think that's too risky.

Is there a way around this to upgrade to 1.3.4?

I haven't seen any more hacks since applying the hotfix, but maybe they're just resting.

Thanks for any info.