
Vulnerabilities on fresh OpenSuse 11.2 with Plesk 9.3

Discussion in 'Plesk 9.x for Linux Suggestions and Feedback' started by steff0815, Feb 2, 2010.

  1. steff0815

    steff0815 Guest

    There is more than one vulnerability. Here I listed only things that can be fixed.
    Why does it take you, Parallels, so long to fix all these things in your packages?


    1. ProFTPD
    1.1. ProFTPD Long Command Handling Security Vulnerability
    Affected Software/OS: ProFTPD Project versions 1.2.x on Linux, ProFTPD Project versions 1.3.x on Linux
    Fix: A fix is available in the SVN repository --> http://www.proftpd.org/cvs.html

    1.2. ProFTPD Server SQL Injection Vulnerability
    Affected Software/OS: ProFTPD Server version 1.3.1 through 1.3.2rc2
    Fix: Upgrade to the latest version 1.3.2rc3, http://www.proftpd.org/

    1.3. ProFTPD mod_tls Module NULL Character CA SSL Certificate Validation Security Bypass Vulnerability
    Affected Software/OS: Versions prior to ProFTPD 1.3.2b and 1.3.3 to 1.3.3.rc1 are vulnerable
    Fix: Upgrade to the latest version 1.3.2rc3, http://www.proftpd.org/

    2. Apache
    2.1. Apache mod_proxy_http.c Denial Of Service Vulnerability
    Affected Software/OS: Apache HTTP Server version prior to 2.3.3
    Fix: Fixed in the SVN repository. http://svn.apache.org/viewvc?view=rev

    2.2. Apache mod_deflate Denial Of Service Vulnerability
    Affected Software/OS: Apache HTTP Server version 2.2.11 and prior
    Fix: Fixed in the SVN repository. http://svn.apache.org/viewvc?view=rev


    3. OpenSSH
    3.1. OpenSSH CBC Mode Information Disclosure Vulnerability
    Affected Software/OS: Versions prior to OpenSSH 5.2 are vulnerable. Various versions of SSH Tectia are also affected.
    Fix: Upgrade to higher version, http://www.openssh.com/portable.html


    I think you need to update your packages as quickly as possible.
    First of all the psa-proftp package!!!!!!!!
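    An added example (not from this thread, and not Plesk or Parallels code) that turns the ProFTPD ranges listed in the post above into a check a defender can run against the version string an installed package reports; the range boundaries are taken from the post as written, and the ordering rule for "rcN" pre-releases versus lettered patch releases such as 1.3.2b is an assumption about ProFTPD's numbering scheme. A match on the version string alone does not account for distribution packages that carry backported fixes, which is exactly the false-positive pattern raised later in this thread.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical helper (added example): order ProFTPD-style version strings.
# "1.3.2rc2" is a release candidate and sorts BEFORE "1.3.2";
# "1.3.2b" is a lettered patch release and sorts AFTER "1.3.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.?(?:rc(\d+)|([a-z]))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Map a version string to a sortable tuple (assumed ProFTPD ordering)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:            # pre-release: stage 0, ordered by rc number
        stage, extra = 0, int(rc)
    elif letter is not None:      # lettered patch release: stage 2, a=1, b=2, ...
        stage, extra = 2, ord(letter) - ord("a") + 1
    else:                         # final release: stage 1
        stage, extra = 1, 0
    return (int(major), int(minor), int(patch), stage, extra)


# Affected ranges as stated in the post: inclusive lower bound, exclusive
# upper bound; None means unbounded on that side.
PROFTPD_FINDINGS: List[Tuple[str, Optional[str], Optional[str]]] = [
    ("1.1 Long command handling", "1.2.0", "1.4.0"),      # "1.2.x and 1.3.x"
    ("1.2 SQL injection", "1.3.1", "1.3.2rc3"),           # "1.3.1 through 1.3.2rc2"
    ("1.3 mod_tls NULL-char CA bypass", None, "1.3.2b"),  # "prior to 1.3.2b"
]


def affected_findings(installed: str) -> List[str]:
    """Return the names of the listed findings whose range covers `installed`."""
    key = version_key(installed)
    hits = []
    for name, low, high in PROFTPD_FINDINGS:
        if low is not None and key < version_key(low):
            continue
        if high is not None and key >= version_key(high):
            continue
        hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample input, e.g. the version reported by `proftpd -v`.
    for sample in ("1.3.1", "1.3.2rc3", "1.3.2b"):
        print(sample, "->", affected_findings(sample) or "not in any listed range")
```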
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    I have forwarded it to developers. Let's wait for their answer.
     
  3. atomicturtle

    atomicturtle Golden Pleskian

    The Apache and OpenSSH vulnerabilities are likely false positives. We've made an updated psa-proftpd package in the atomic repo to resolve the other vulnerabilities (available for CentOS/RHEL and Fedora). You can probably port that to SUSE without too much trouble.
     
  4. IgorG

    IgorG Forums Analyst Staff Member

    I have received information from developers that they have submitted a bug regarding the ProFTPd problems. All other packages should be updated by the OS vendor with the usual methods.
     