URGENT: security fix for psa-proftpd?

[ViktorT]

I have Plesk 9.5.3 I will update proftpd in Plesk 9.5.3 I have Debian Lenny what ca ein do

 

[thewolf]

Why do not want upgrade this very-very old Plesk version?

Hi Igor,

Plesk 8.6 is not that old, plus it's the latest Plesk version supported on RHEL3/CentOS3 and many hosting providers, including us, are still running it on production servers. Please issue a patch for it asap.

Thank you.

 

[Marcel Zuidwijk]

I have Plesk 9.3 and used the solution mentioned in the mail:

# wget -O - http://www.atomicorp.com/installers/atomic |sh
# yum upgrade psa-proftpd

Now I can't login on FTP with Plesk users (local accounts do work)

I've read something about lost configuration files... How can I solve this?

 

[dune2312]

I have the same problem Marcel Zuidwijk

Can't login ftp !!!!

PS: I have plesk version 9.5.3 centos 5.3

 

[IgorG]

Hi Igor,

Plesk 8.6 is not that old, plus it's the latest Plesk version supported on RHEL3/CentOS3 and many hosting providers, including us, are still running it on production servers. Please issue a patch for it asap.

Thank you.

Plesk 8.6 has old version of proftpd which is not affected by this security issue. This problem occurs in 1.3.2rc3 ProFTPd version. Plesk 9.3 has 1.3.1 version, for example. I think that there is more earlier version in Plesk 8.6.

 

[Marcel Zuidwijk]

I have the same problem Marcel Zuidwijk

Can't login ftp !!!!

PS: I have plesk version 9.5.3 centos 5.3

Changing the FTP username to another one, and changing it back didn't work here

 

[Marcel Zuidwijk]

Cause plesk 9 is the worst piece of software I've used?

Now that's really helping ... joined today, only one post...
Ok, it's your opinion, based on your own experiences

 

[IgorG]

Microupdates for affected Plesk 9.5.2 and 9.5.3 versions are published. Use autoinstaller for applying microupdate.

 

[Marcel Zuidwijk]

How can I remove the patch? I need to get the FTP working a.s.a.p.

 

[trialot]

For all those forum members that do not resolve the issue with the atomic upgrade, be aware that the hotfix should be present by now.

Anyhow, download of source 1.3.3c Proftpd and compiling it also works for every Linux OS.

I did a post (somehow missing in this thread), with some steps and gave an update for this post (can be found in this thread).

Since a hotfix is present, you can ask me about compilation of your own proftpd (from source), if needed.

Kind regards....

 

[thewolf]

Plesk 8.6 has old version of proftpd which is not affected by this security issue. This problem occurs in 1.3.2rc3 ProFTPd version. Plesk 9.3 has 1.3.1 version, for example. I think that there is more earlier version in Plesk 8.6.

Igor,
Great to know that Plesk 8.6 is not affected by this vulnerability.

But according to the article your site at http://www.parallels.com/products/plesk/ProFTPD, updates for Plesk 9.3 are coming too:

Patches for Plesk 9.0, 9.22, and 9.3 will be posted by 12 noon GMT on Friday November 12, (7am EST in the US).

Can you clarify if Plesk 9.3 is affected or not by the vulnerability?

Thanks.

 

[trialot]

Remark

How can I remove the patch? I need to get the FTP working a.s.a.p.

Marcel, you did a post in another thread, about the atomic upgrade.

I responded to that post, please read that.

 

[trialot]

Vulnerability of plesk 9.x

Igor,
Great to know that Plesk 8.6 is not affected by this vulnerability.

But according to the article your site at http://www.parallels.com/products/plesk/ProFTPD, updates for Plesk 9.3 are coming too:

Can you clarify if Plesk 9.3 is affected or not by the vulnerability?

Thanks.

Thewolf, it should be.

Verify it yourself and check the version of psa-proftpd, versions 1.3.1 to 1.3.2e are sure to be vulnerable and versions of proftpd (not psa-proftpd) are vulnerable from 1.3.1 to 1.3.3c (if I am not mistaken, since the security gap was introduced in the versions after 10 november 2008 and hence in proftpd and psa-proftpd as of that time).

To check, run command: /usr/sbin/proftpd -v (or just issue command: ftp localhost)

Kind regards.

 

[G1zm0]

Igor,

Is it correct that after applying the proftpd microupdate on debian 5 the version still is:

plesk-test:/usr/src# /usr/sbin/proftpd -v
ProFTPD Version 1.3.2e

plesk-test:/usr/sbin# dpkg -l | grep proft
ii psa-proftpd 1.3.2e-debian5.0.build95101022.03 ProFTPD -- Professional FTP Server.
ii psa-proftpd-inetd 1.3.2e-debian5.0.build95101022.03 ProFTPD -- Setup for inetd operation.

And on debian 4:

root@vps:~# dpkg -l | grep proft
ii psa-proftpd 1.3.2e-debian4.0.build95101022.06 ProFTPD -- Professional FTP Server.
ii psa-proftpd-inetd 1.3.2e-debian4.0.build95101022.06 ProFTPD -- Setup for inetd operation.

Please confirm, would it not be better if this is the correct patch, to name it 1.3.3?

Thanks,

Rob

 

[trialot]

ASSURANCE - Version of proftpd after hotfix

It is true that hotfixing yields a version of psa-proftpd with version number 1.3.2e.

Do not be alarmed!!!!!!!!!

Even though proftpd -v command yields the 1.3.2e resul (indicating a vulnerable version of proftpd), IT IS NOT!

The Parallles hotfix does:

- install a proftpd that is of version 1.3.3c
- install a psa-proftpd version of 1.3.2e (that is the Plesk renamed compilation of proftpd 1.3.3c)

I could verify this, since I symlinked ftp tools like ftpwho and ftpcount. These tools can only use the scoreboard file that is of version 1.3.3c. They are working!.

In short, the psa-proftpd version is named 1.3.2e but uses the proftpd compiled version 1.3.3c.

Kind regards....

 

[G1zm0]

trialot,

Thanks for your reply, would be nice if parallells would still confirm build numbers before I open up FTP again.

Regards,

Rob

 

[MiguelG]

i've updated also using yum upgrade psa-proftpd and now i can't login into my ftp. I've tried updating through the Plesk 9.5.3 panel the component 'Base packages of Plesk' but it fails due to a conflict with old version of proftpd, how can i solve this? My system is CentOS 5

 

[KlausR2020]

Hmm. Very confusing version numbers. The hotfix for SuSE indicates
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.2e Server

The first thing anyone does is to compare the version numbers.
# proftpd -v
ProFTPD Version 1.3.2e

I have double checked if the hotfix is really installed. It is. The question is, have you backported the IAC fixes in 1.3.2e?

I think, thats very confusing the users who has applied the hotfix.

 

[trialot]

Rob, I know and asked Igor already to announce this publicly.

You can open up FTP, the naming of the psa-proftpd version is only unfortunate.

And, if still not sure, check it yourself by verifying the scoreboard version. This would yield the insurance you need, i.e. that proftpd (not to be mistaken with psa-proftpd) is of version 1.3.3c.

Kind regards....

PS Note: Rob, there is still a minor vulnerability, but that is NO reason for not opening up ftp: mod_site vulnerability still seems to be present and not hotfixed (again asked Igor and Parallels team, no answer yet). This type of vulnerability has always been present, but is not a real danger, like the one that is hotfixed. However, the hotfix (and upgrade to 1.3.3c version of proftpd) should contain a more secure mod_site...........so at least APPLY HOTFIX.

 

[MiguelG]

Microupdates for affected Plesk 9.5.2 and 9.5.3 versions are published. Use autoinstaller for applying microupdate.

Autoinstaller doesn't work (Plesk 9.5.3 and CentOS 5) and it gives this message:

A dependency problem is found: required package psa-proftpd-xinetd-1.3.2e-cos5.build95101022.10.x86_64 conflicts with psa-proftpd-1.3.3c-2.el5.art.x86_64. No upgrade or obsolete solution was found for psa-proftpd. Try to add psa-proftpd to removable list.Problem occured during searching conflicts for package psa-proftpd-xinetd-1.3.2e-cos5.build95101022.10.x86_64 Error: Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.x86_64 is removed from the system

.

solution?