
URGENT: security fix for psa-proftpd?

Querying the repository,

Code:
Name       : psa-proftpd
Arch       : x86_64
Version    : 1.3.2e
Release    : cos5.build95101022.10

Querying the rpm,
Code:
lrwxrwxrwx    1 root    root                7 Oct 22 05:13 /usr/sbin/in.proftpd -> proftpd
-rwxr-xr-x    1 root    root           746376 Oct 22 05:13 /usr/sbin/proftpd

And since this issue was tracked by proftpd on the 29th of Oct, it means you cannot trust the version that is available...

Solution: grab the files from Parallels and patch it yourself...

Best Regards,
Leandro
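
The date comparison made in the post above, as an added example that is not part of the original thread: it classifies package builds by build time against the date the fix was tracked, because the version string alone (1.3.2e) does not distinguish a patched build from an unpatched one. The year 2010, the second sample record and the names `classify_builds`, `SAMPLE_RECORDS` and `FIX_TRACKED_EPOCH` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag package builds that predate the date a fix was tracked.
# Records (stdin), one per line: "NAME VERSION RELEASE BUILDTIME", as printed by
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE} %{BUILDTIME}\n' psa-proftpd
# Argument: the fix-tracking date as a Unix epoch.

# Constructed sample. First record mirrors the package queried above
# (Oct 22 05:13 UTC, year assumed 2010); the second is a hypothetical rebuild
# that keeps the same version string but was built later.
SAMPLE_RECORDS='psa-proftpd 1.3.2e cos5.build95101022.10 1287724380
psa-proftpd 1.3.2e EXAMPLE.rebuilt 1289779200'

# Oct 29 00:00 UTC, year assumed 2010 (the thread gives only day and month).
FIX_TRACKED_EPOCH=1288310400

classify_builds() {
    local fix_epoch=$1 name version release buildtime
    case $fix_epoch in
        ''|*[!0-9]*) echo "usage: classify_builds <fix-epoch>" >&2; return 2 ;;
    esac
    while read -r name version release buildtime; do
        [ -z "$name" ] && continue
        case $buildtime in
            # rpm prints "(none)" when a tag is missing: no evidence either way
            ''|*[!0-9]*) echo "$name-$version-$release UNKNOWN"; continue ;;
        esac
        if [ "$buildtime" -lt "$fix_epoch" ]; then
            # Built before the fix was tracked: it cannot contain the fix
            echo "$name-$version-$release PREDATES_FIX"
        else
            # Built afterwards: possible, confirm with rpm -q --changelog
            echo "$name-$version-$release BUILT_AFTER"
        fi
    done
    return 0
}
```

A `BUILT_AFTER` result is only a candidate: the package changelog (`rpm -q --changelog psa-proftpd`) is where a backported fix would be recorded, and it is better evidence for an auditor than the version banner.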
 
install pam-devel and restart xinetd

Regards

Hello trialot,

I did what you said and got "Connection closed" once I tried to telnet and test it.
I see this error in syslog:



My Plesk is 9.3. Any suggestions?
 
ProFTPD issue

So I followed the instructions and updated my version 9.5.2... after the update I am now running 9.5.3... The problem though is that I do not have the most recent version of ProFTPD as the Plesk message boards suggest will happen if I apply the update: http://www.parallels.com/ca/products/plesk/ProFTPD.

So here is some more info:
[[email protected] ~]# proftpd -v
ProFTPD Version 1.3.2e

[[email protected] ~]# uname -a
Linux ip-97-74-126-57.ip.secureserver.net 2.6.9-023stab051.2-smp #1 SMP Thu Sep 24 22:32:27 MSD 2009 i686 i686 i386 GNU/Linux

[[email protected] ~]# cat /usr/local/psa/version
9.5.3 CentOS 5 95101022.06

If anyone from Parallels can explain why the update didn't work I'd be very thankful. Also if someone could post a HOWTO for updating without using Atomic (I'd love to use Atomic - I haven't done any research on them though).

Thanks,
 
Hi everyone,

So it seems that only Atomic is providing the fixed version of psa-proftpd (1.3.3c - at least for CentOS 5 x86_64)

For the ones still struggling with this topic, I leave here the commands:
Code:
rpm -Uhv http://www6.atomicorp.com/channels/atomic/centos/5/x86_64/RPMS/psa-proftpd-1.3.3c-2.el5.art.x86_64.rpm

HTH
Leandro
 
Hi,

When updating using the commands supplied by plesk:

# $PRODUCT_ROOT_D/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

I am getting:

# File downloading PSA_9.5.3/microupdates/MU1/dist-deb-Ubuntu-8.04-i386/proftpd: was skipped because of md5 checksum match.

Any advice?
 
was skipped because of md5 checksum match.

It means that you have already installed this MU. MU will be automatically installed if you install any Plesk components.
 
Update

Is there already an update from Parallels for the latest release of ProFTPD?
 
For anyone experiencing problems with the atomic 1.3.3c-2 update, please let me know what you're getting in your logs. It was updated to include both the configuration files and obsolete the older Plesk 9 psa-proftpd-xinetd and psa-proftpd-start packages.

The Plesk autoupdater issue is unrelated, for the same reason Parallels needed to name their 1.3.3c update 1.3.2e. It uses a static variable instead of a dynamic one for version checking. I'd love to be able to fix that, but it's on Parallels' side so there's nothing I can do.
 
Fixed Problem with the proftpd-fix

Thanks
 
It is affected by other vulnerabilities.

Excellent, we normally upgrade VPS's to Plesk 9.5 to fix that, I'll give it a test out. I take it that since its just a drop-in replacement for the proftpd binary it won't break the autoinstaller if/when we come to upgrade?
 
Excellent, we normally upgrade VPS's to Plesk 9.5 to fix that, I'll give it a test out. I take it that since its just a drop-in replacement for the proftpd binary it won't break the autoinstaller if/when we come to upgrade?

Actually it did affect the autoinstaller for me. The VPS in question was running Plesk 9.3 and I had applied the ART ProFTPd update. When I ran the autoinstaller to get 9.5.3 installed, I got this:

A dependency problem is found: required package psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06.i586 conflicts with psa-proftpd-1.3.3c-2.el5.art.i386. No upgrade or obsolete solution was found for psa-proftpd. Try to add psa-proftpd to removable list.Problem occured during searching conflicts for package psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06.i586 ERROR: Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.i386 is removed from the system.
Not all packages were installed.
Please, resolve the above problem and try installing the packages again.

Easily remedied:

rpm -e psa-proftpd --nodeps

Then ran the autoinstaller again. What's odd is that the autoinstaller resulted in the following version installed:

rpm -qa | grep proftpd
psa-proftpd-xinetd-1.3.2e-cos5.build95101022.06
psa-proftpd-1.3.2e-cos5.build95101022.06

Should those not be 1.3.3c ?

Jordan
 
[Discussing the Plesk 8.6 binaries provided by Igor]
It is affected by other vulnerabilities.

Hi Igor,

I can see that the two proftpd binaries are different for CentOS x86_64, but they advertise themselves as the same version (1.3.1).

How can I demonstrate for PCI-Compliance that this is an updated version of proftpd?

Paul.
 
We're running several Plesk servers 9.5.2 + 9.5.3 and even with installed MU we have:

/usr/sbin/in.proftpd -vv
ProFTPD Version: 1.3.2e (maint)

Is there already a Plesk update for ProFTPD Version 1.3.3, preferably 1.3.3d?
 