
URGENT: security fix for psa-proftpd?

Querying the repository,

Code:
Name       : psa-proftpd
Arch       : x86_64
Version    : 1.3.2e
Release    : cos5.build95101022.10

Querying the rpm,
Code:
lrwxrwxrwx    1 root    root                7 Oct 22 05:13 /usr/sbin/in.proftpd -> proftpd
-rwxr-xr-x    1 root    root           746376 Oct 22 05:13 /usr/sbin/proftpd

And since this issue was tracked by ProFTPD on the 29th of Oct, this means you cannot trust the version that is available...

Solution: grab the files from Parallels and patch it yourself...

Best Regards,
Leandro
 
install pam-devel and restart xinetd

Regards

Hello trialot,

I did what you said and get a "Connection closed" once I try to telnet and test it.
I see this error in syslog:



My Plesk is 9.3. Any suggestions?
 
ProFTPD issue

So I followed the instructions and updated my version 9.5.2... after the update I am now running 9.5.3... The problem though is that I do not have the most recent version of ProFTPD as the Plesk message boards suggest will happen if I apply the update: http://www.parallels.com/ca/products/plesk/ProFTPD.

So here is some more info:
Code:
# proftpd -v
ProFTPD Version 1.3.2e

# uname -a
Linux ip-97-74-126-57.ip.secureserver.net 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 i686 i386 GNU/Linux

# cat /usr/local/psa/version
9.5.3 CentOS 5 95101022.06

If anyone from Parallels can explain why the update didn't work I'd be very thankful. Also if someone could post a HOWTO for updating without using Atomic (I'd love to use Atomic - I haven't done any research on them though).

Thanks,
 
Hi everyone,

So it seems that only atomic is providing the fixed version of psa-proftpd (1.3.3c - at least for Centos 5 x86_64)

For the ones still struggling with this topic, I leave here the commands:
Code:
rpm -Uhv http://www6.atomicorp.com/channels/atomic/centos/5/x86_64/RPMS/psa-proftpd-1.3.3c-2.el5.art.x86_64.rpm

HTH
Leandro
 
Hi,

When updating using the commands supplied by plesk:

# $PRODUCT_ROOT_D/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

I am getting:

# File downloading PSA_9.5.3/microupdates/MU1/dist-deb-Ubuntu-8.04-i386/proftpd: was skipped because of md5 checksum match.

Any advice?
 
was skipped because of md5 checksum match.

It means that you have already installed this MU. MU will be automatically installed if you install any Plesk components.
 
Update

Is there already an update from Parallels for the latest release of ProFTPD?
 
For anyone experiencing problems with the atomic 1.3.3c-2 update please let me know what you're getting in your logs. It was updated to include both the configuration files and obsolete the older Plesk 9 psa-proftpd-xinetd and psa-proftpd-start packages.

The Plesk autoupdater issue is unrelated, for the same reason Parallels needed to name their 1.3.3c update 1.3.2e. It uses a static variable instead of a dynamic one for version checking. I'd love to be able to fix that, but it's on Parallels' side so there's nothing I can do.
 
Fixed Problem with the proftpd-fix

Thanks
 
It is affected by other vulnerabilities.

Excellent, we normally upgrade VPSes to Plesk 9.5 to fix that, I'll give it a test out. I take it that since it's just a drop-in replacement for the proftpd binary it won't break the autoinstaller if/when we come to upgrade?
 
Excellent, we normally upgrade VPSes to Plesk 9.5 to fix that, I'll give it a test out. I take it that since it's just a drop-in replacement for the proftpd binary it won't break the autoinstaller if/when we come to upgrade?

Actually it did affect the autoinstaller for me. The VPS in question was running Plesk 9.3 and I had applied the ART ProFTPD update. When I ran the autoinstaller to get 9.5.3 installed, I got this:

A dependency problem is found: required package psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06.i586 conflicts with psa-proftpd-1.3.3c-2.el5.art.i386. No upgrade or obsolete solution was found for psa-proftpd. Try to add psa-proftpd to removable list.Problem occured during searching conflicts for package psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06.i586 ERROR: Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.i386 is removed from the system.
Not all packages were installed.
Please, resolve the above problem and try installing the packages again.

Easily remedied:

rpm -e psa-proftpd --nodeps

Then ran the autoinstaller again. What's odd is that the autoinstaller resulted in the following version installed:

rpm -qa | grep proftpd
psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06
psa-proftpd-1.3.2e-cos5.build95101022.06

Should those not be 1.3.3c ?

Jordan
 
[Discussing the Plesk 8.6 binaries provided by Igor]
It is affected by other vulnerabilities.

Hi Igor,

I can see that the two proftpd binaries are different for Centos x86_64, but they advertise themselves as the same version (1.3.1).

How can I demonstrate for PCI compliance that this is an updated version of proftpd?

Paul.
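The question above (proving to an auditor that a rebuilt binary is the patched one when its version banner is unchanged, which is the same situation the 1.3.3c-as-1.3.2e naming creates) comes down to recording evidence other than the version string: the package NVR and changelog, an `rpm -V` check that the file on disk still matches the package payload, the package signature before installing, and the binary's hash. The script below is an added example, not code from this thread, from Parallels or from Atomicorp; the paths, the package name `psa-proftpd`, the GPG-key assumption and the sample banner/NVR strings are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Collects auditable evidence about the
# installed proftpd instead of trusting the version banner alone.
# Assumptions: paths and package name below; the vendor GPG key is already
# imported with `rpm --import` before rpm_signature_ok is used.

# Bare version from a `proftpd -v` / `proftpd -vv` banner line, e.g.
#   "ProFTPD Version: 1.3.2e (maint)"  ->  "1.3.2e"
#   "ProFTPD Version 1.3.2e"           ->  "1.3.2e"
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ProFTPD Version:\{0,1\} *\([0-9][0-9a-z.]*\).*/\1/p'
}

# Version-release from an `rpm -qa` line for a given package name, e.g.
#   vr_from_nvr psa-proftpd psa-proftpd-1.3.3c-2.el5.art -> "1.3.3c-2.el5.art"
# Prints nothing for a different package (psa-proftpd-xinetd-... does not match).
vr_from_nvr() {
    printf '%s\n' "$2" | sed -n "s/^$1-\([0-9][^ ]*\)\$/\1/p"
}

# SHA-256 of a file: the fingerprint to record next to the package NVR, so
# two binaries that both say "1.3.1" can still be told apart.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Check the signature on a downloaded .rpm before `rpm -Uhv` installs it.
# Returns 0 only when rpm reports a pgp/gpg signature and nothing is NOT OK;
# a plain "md5 OK" line means the package carries digests but no signature.
rpm_signature_ok() {
    out=$(rpm -K "$1" 2>&1) || return 1
    case "$out" in
        *"NOT OK"*)   return 1 ;;
        *pgp*|*gpg*)  return 0 ;;
        *)            return 1 ;;
    esac
}

# Evidence bundle: package NVR, first changelog entries (where a vendor
# documents a backported fix), `rpm -V` (empty output = on-disk files match
# the package), banner version and binary hash.
collect_evidence() {
    bin="${1:-/usr/sbin/proftpd}"   # assumed path
    pkg="${2:-psa-proftpd}"         # assumed package name
    if command -v rpm >/dev/null 2>&1; then
        echo "package: $(rpm -q "$pkg" 2>/dev/null)"
        echo "changelog (head):"
        rpm -q --changelog "$pkg" 2>/dev/null | head -n 5
        echo "rpm -V (empty means on-disk files match the package):"
        rpm -V "$pkg"
    fi
    if [ -x "$bin" ]; then
        banner=$("$bin" -vv 2>&1 | head -n 1)
        echo "banner version: $(version_from_banner "$banner")"
        echo "sha256: $(sha256_of "$bin")"
    fi
}

# Usage: sh proftpd-evidence.sh --run [/path/to/proftpd] [package-name]
case "${1:-}" in
    --run) collect_evidence "${2:-}" "${3:-}" ;;
esac
```

Run it once before and once after installing the replacement package and keep both outputs: the NVR, changelog entry and SHA-256 change even when the banner does not, which is exactly what the compliance question needs. Run `rpm_signature_ok` on the downloaded .rpm before installing anything fetched over plain HTTP.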
 
We're running several Plesk servers 9.5.2 + 9.5.3 and even with installed MU we have:

/usr/sbin/in.proftpd -vv
ProFTPD Version: 1.3.2e (maint)

Is there already a Plesk update for ProFTPD Version 1.3.3, preferably 1.3.3d?
 