Facebook
Twitter
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
URGENT: security fix for psa-proftpd?
- Thread starter horst rupp
- Start date
Hi Igor,
Plesk 8.6 is not that old, plus it's the latest Plesk version supported on RHEL3/CentOS3 and many hosting providers, including us, are still running it on production servers. Please issue a patch for it asap.
Thank you.
M
Marcel Zuidwijk
Guest
I have Plesk 9.3 and used the solution mentioned in the mail:
# wget -O - http://www.atomicorp.com/installers/atomic |sh
# yum upgrade psa-proftpd
Now I can't login on FTP with Plesk users (local accounts do work)
I've read something about lost configuration files... How can I solve this?
# wget -O - http://www.atomicorp.com/installers/atomic |sh
# yum upgrade psa-proftpd
Now I can't login on FTP with Plesk users (local accounts do work)
I've read something about lost configuration files... How can I solve this?
Plesk 8.6 has old version of proftpd which is not affected by this security issue. This problem occurs in 1.3.2rc3 ProFTPd version. Plesk 9.3 has 1.3.1 version, for example. I think that there is more earlier version in Plesk 8.6.
M
Marcel Zuidwijk
Guest
Changing the FTP username to another one, and changing it back didn't work here
M
Marcel Zuidwijk
Guest
Now that's really helping ... joined today, only one post...
Ok, it's your opinion, based on your own experiences
M
Marcel Zuidwijk
Guest
How can I remove the patch? I need to get the FTP working a.s.a.p. 
T
trialot
Guest
For all those forum members that do not resolve the issue with the atomic upgrade, be aware that the hotfix should be present by now.
Anyhow, download of source 1.3.3c Proftpd and compiling it also works for every Linux OS.
I did a post (somehow missing in this thread), with some steps and gave an update for this post (can be found in this thread).
Since a hotfix is present, you can ask me about compilation of your own proftpd (from source), if needed.
Kind regards....
Anyhow, download of source 1.3.3c Proftpd and compiling it also works for every Linux OS.
I did a post (somehow missing in this thread), with some steps and gave an update for this post (can be found in this thread).
Since a hotfix is present, you can ask me about compilation of your own proftpd (from source), if needed.
Kind regards....
Igor,
Great to know that Plesk 8.6 is not affected by this vulnerability.
But according to the article your site at http://www.parallels.com/products/plesk/ProFTPD, updates for Plesk 9.3 are coming too:
Can you clarify if Plesk 9.3 is affected or not by the vulnerability?
Thanks.
T
trialot
Guest
Remark
Marcel, you did a post in another thread, about the atomic upgrade.
I responded to that post, please read that.
How can I remove the patch? I need to get the FTP working a.s.a.p.
Marcel, you did a post in another thread, about the atomic upgrade.
I responded to that post, please read that.
T
trialot
Guest
Vulnerability of plesk 9.x
Thewolf, it should be.
Verify it yourself and check the version of psa-proftpd, versions 1.3.1 to 1.3.2e are sure to be vulnerable and versions of proftpd (not psa-proftpd) are vulnerable from 1.3.1 to 1.3.3c (if I am not mistaken, since the security gap was introduced in the versions after 10 november 2008 and hence in proftpd and psa-proftpd as of that time).
To check, run command: /usr/sbin/proftpd -v (or just issue command: ftp localhost)
Kind regards.
Thewolf, it should be.
Verify it yourself and check the version of psa-proftpd, versions 1.3.1 to 1.3.2e are sure to be vulnerable and versions of proftpd (not psa-proftpd) are vulnerable from 1.3.1 to 1.3.3c (if I am not mistaken, since the security gap was introduced in the versions after 10 november 2008 and hence in proftpd and psa-proftpd as of that time).
To check, run command: /usr/sbin/proftpd -v (or just issue command: ftp localhost)
Kind regards.
G
G1zm0
Guest
Igor,
Is it correct that after applying the proftpd microupdate on debian 5 the version still is:
plesk-test:/usr/src# /usr/sbin/proftpd -v
ProFTPD Version 1.3.2e
plesk-test:/usr/sbin# dpkg -l | grep proft
ii psa-proftpd 1.3.2e-debian5.0.build95101022.03 ProFTPD -- Professional FTP Server.
ii psa-proftpd-inetd 1.3.2e-debian5.0.build95101022.03 ProFTPD -- Setup for inetd operation.
And on debian 4:
root@vps:~# dpkg -l | grep proft
ii psa-proftpd 1.3.2e-debian4.0.build95101022.06 ProFTPD -- Professional FTP Server.
ii psa-proftpd-inetd 1.3.2e-debian4.0.build95101022.06 ProFTPD -- Setup for inetd operation.
Please confirm, would it not be better if this is the correct patch, to name it 1.3.3?
Thanks,
Rob
Is it correct that after applying the proftpd microupdate on debian 5 the version still is:
plesk-test:/usr/src# /usr/sbin/proftpd -v
ProFTPD Version 1.3.2e
plesk-test:/usr/sbin# dpkg -l | grep proft
ii psa-proftpd 1.3.2e-debian5.0.build95101022.03 ProFTPD -- Professional FTP Server.
ii psa-proftpd-inetd 1.3.2e-debian5.0.build95101022.03 ProFTPD -- Setup for inetd operation.
And on debian 4:
root@vps:~# dpkg -l | grep proft
ii psa-proftpd 1.3.2e-debian4.0.build95101022.06 ProFTPD -- Professional FTP Server.
ii psa-proftpd-inetd 1.3.2e-debian4.0.build95101022.06 ProFTPD -- Setup for inetd operation.
Please confirm, would it not be better if this is the correct patch, to name it 1.3.3?
Thanks,
Rob
T
trialot
Guest
ASSURANCE - Version of proftpd after hotfix
It is true that hotfixing yields a version of psa-proftpd with version number 1.3.2e.
Do not be alarmed!!!!!!!!!
Even though proftpd -v command yields the 1.3.2e resul (indicating a vulnerable version of proftpd), IT IS NOT!
The Parallles hotfix does:
- install a proftpd that is of version 1.3.3c
- install a psa-proftpd version of 1.3.2e (that is the Plesk renamed compilation of proftpd 1.3.3c)
I could verify this, since I symlinked ftp tools like ftpwho and ftpcount. These tools can only use the scoreboard file that is of version 1.3.3c. They are working!.
In short, the psa-proftpd version is named 1.3.2e but uses the proftpd compiled version 1.3.3c.
Kind regards....
It is true that hotfixing yields a version of psa-proftpd with version number 1.3.2e.
Do not be alarmed!!!!!!!!!
Even though proftpd -v command yields the 1.3.2e resul (indicating a vulnerable version of proftpd), IT IS NOT!
The Parallles hotfix does:
- install a proftpd that is of version 1.3.3c
- install a psa-proftpd version of 1.3.2e (that is the Plesk renamed compilation of proftpd 1.3.3c)
I could verify this, since I symlinked ftp tools like ftpwho and ftpcount. These tools can only use the scoreboard file that is of version 1.3.3c. They are working!.
In short, the psa-proftpd version is named 1.3.2e but uses the proftpd compiled version 1.3.3c.
Kind regards....
G
G1zm0
Guest
trialot,
Thanks for your reply, would be nice if parallells would still confirm build numbers before I open up FTP again.
Regards,
Rob
Thanks for your reply, would be nice if parallells would still confirm build numbers before I open up FTP again.
Regards,
Rob
i've updated also using yum upgrade psa-proftpd and now i can't login into my ftp. I've tried updating through the Plesk 9.5.3 panel the component 'Base packages of Plesk' but it fails due to a conflict with old version of proftpd, how can i solve this? My system is CentOS 5
K
KlausR2020
Guest
Hmm. Very confusing version numbers. The hotfix for SuSE indicates
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.2e Server
The first thing anyone does is to compare the version numbers.
# proftpd -v
ProFTPD Version 1.3.2e
I have double checked if the hotfix is really installed. It is. The question is, have you backported the IAC fixes in 1.3.2e?
I think, thats very confusing the users who has applied the hotfix.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.2e Server
The first thing anyone does is to compare the version numbers.
# proftpd -v
ProFTPD Version 1.3.2e
I have double checked if the hotfix is really installed. It is. The question is, have you backported the IAC fixes in 1.3.2e?
I think, thats very confusing the users who has applied the hotfix.
T
trialot
Guest
Rob, I know and asked Igor already to announce this publicly.
You can open up FTP, the naming of the psa-proftpd version is only unfortunate.
And, if still not sure, check it yourself by verifying the scoreboard version. This would yield the insurance you need, i.e. that proftpd (not to be mistaken with psa-proftpd) is of version 1.3.3c.
Kind regards....
PS Note: Rob, there is still a minor vulnerability, but that is NO reason for not opening up ftp: mod_site vulnerability still seems to be present and not hotfixed (again asked Igor and Parallels team, no answer yet). This type of vulnerability has always been present, but is not a real danger, like the one that is hotfixed. However, the hotfix (and upgrade to 1.3.3c version of proftpd) should contain a more secure mod_site...........so at least APPLY HOTFIX.
You can open up FTP, the naming of the psa-proftpd version is only unfortunate.
And, if still not sure, check it yourself by verifying the scoreboard version. This would yield the insurance you need, i.e. that proftpd (not to be mistaken with psa-proftpd) is of version 1.3.3c.
Kind regards....
PS Note: Rob, there is still a minor vulnerability, but that is NO reason for not opening up ftp: mod_site vulnerability still seems to be present and not hotfixed (again asked Igor and Parallels team, no answer yet). This type of vulnerability has always been present, but is not a real danger, like the one that is hotfixed. However, the hotfix (and upgrade to 1.3.3c version of proftpd) should contain a more secure mod_site...........so at least APPLY HOTFIX.
Autoinstaller doesn't work (Plesk 9.5.3 and CentOS 5) and it gives this message:
.
solution?
Similar threads
