• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

URGENT: security fix for psa-proftpd?

Querying the repository,

Code:
Name       : psa-proftpd
Arch       : x86_64
Version    : 1.3.2e
Release    : cos5.build95101022.10

Querying the rpm,
Code:
lrwxrwxrwx    1 root    root                7 Oct 22 05:13 /usr/sbin/in.proftpd -> proftpd
-rwxr-xr-x    1 root    root           746376 Oct 22 05:13 /usr/sbin/proftpd

And since this issue was tracked by proftpd on the 29th of Oct, means you cannot trust the version that is available...

Soluction: grab the files from parallels and patch it yourself...

Best Regards,
Leandro
 
install pam-devel and restart xinetd

regard

Hello trialot,

I did what you said and get Connection close once I try to telnet and test it.
I see this error in syslog:



my plesk is 9.3. any suggestion?
 
ProFTPD issue

So I followed the instructions and updated my version 9.5.2... after the update I am now running 9.5.3... The problem though is that I do not have the most recent version of ProFTPD as the Plesk message boards suggests will happen if I apply the update: http://www.parallels.com/ca/products/plesk/ProFTPD.

So here is some more info:
[[email protected] ~]# proftpd -v
ProFTPD Version 1.3.2e

[[email protected] ~]# uname -a
Linux ip-97-74-126-57.ip.secureserver.net 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 i686 i386 GNU/Linux

[[email protected] ~]# cat /usr/local/psa/version
9.5.3 CentOS 5 95101022.06

If anyone from Parallels can explain why the update didn't work I'd be very thankful. Also if someone could post a HOWTO for updating without using Atomic (I'd love to use Atomic - I haven't done any research on them though).

Thanks,
 
Hi everyone,

So it seems that only atomic is providing the fixed version of psa-proftpd (1.3.3c - at least for Centos 5 x86_64)

For the ones still struggling with this topic, I leave here the commands:
Code:
rpm -Uhv http://www6.atomicorp.com/channels/atomic/centos/5/x86_64/RPMS/psa-proftpd-1.3.3c-2.el5.art.x86_64.rpm

HTH
Leandro
 
Hi,

When updating using the commands supplied by plesk:

# $PRODUCT_ROOT_D/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

I am getting:

# File downloading PSA_9.5.3/microupdates/MU1/dist-deb-Ubuntu-8.04-i386/proftpd: was skipped because of md5 checksum match.

Any advice?
 
was skipped because of md5 checksum match.

It means that you have already installed this MU. MU will be automatically installed if you install any Plesk components.
 
Update

is there already an update from Parallels for the latest release of Proftdp?
 
For anyone experiencing problems with the atomic 1.3.3c-2 update please let me know what you're getting your logs. It was updated to include both the configuration files and obsolete the older plesk 9 psa-proftpd-xinetd and psa-proftpd-start packages.

The plesk autoupdater issue is unrelated, for the same reason Parallels needed to name their 1.3.3c update 1.3.2e. It uses a static variable instead of a dynamic one for version checking. I'd love to be able to fix that, but its on Parallels side so theres nothing I can do.
 
Fixed Problem with the proftpd-fix

Thanks
 
Last edited by a moderator:
It is affected by other vulnerabilities.

Excellent, we normally upgrade VPS's to Plesk 9.5 to fix that, I'll give it a test out. I take it that since its just a drop-in replacement for the proftpd binary it won't break the autoinstaller if/when we come to upgrade?
 
Excellent, we normally upgrade VPS's to Plesk 9.5 to fix that, I'll give it a test out. I take it that since its just a drop-in replacement for the proftpd binary it won't break the autoinstaller if/when we come to upgrade?

Actually it did affect the autoinstaller for me. The VPS in question was running Plesk 9.3 and I had applied the ART ProFTPd update. When I ran the autoinstaller to get 9.5.3 installed, I got this:

A dependency problem is found: required package psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06.i586 conflicts with psa-proftpd-1.3.3c-2.el5.art.i386. No upgrade or obsolete solution was found for psa-proftpd. Try to add psa-proftpd to removable list.Problem occured during searching conflicts for package psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06.i586 ERROR: Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.i386 is removed from the system.
Not all packages were installed.
Please, resolve the above problem and try installing the packages again.

Easily remedied:

rpm -e psa-proftpd --nodeps

Then ran the autoinstaller again. What's odd is that the autoinstaller resulted in the following version installed:

rpm -qa | grep proftpd
psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06
psa-proftpd-1.3.2e-cos5.build95101022.06

Should those not be 1.3.3c ?

Jordan
 
[Discussing the Plesk 8.6 binaries provided by Igor]
It is affected by other vulnerabilities.

Hi Igor,

I can see that the two proftpd binaries are different for Centos x86_64, but they advertise themselves as the same version (1.3.1).

How can I demonstrate for PCI-Compliance that this is an updated version of proftpd?

Paul.
 
We're running several Plesk servers 9.5.2 + 9.5.3 and even with installed MU we have:

/usr/sbin/in.proftpd -vv
ProFTPD Version: 1.3.2e (maint)

Is there already an Plesk update for ProFTPD Version 1.3.3, preferably 1.3.3d ?
 
Back
Top