
IMPORTANT and URGENT security fault in proftp and plesk


Winit
29-11-2010, 22:02
Less likely but still incredibly foolish to run vulnerable software.

RapidSeeds
29-11-2010, 21:44
I have a high random port, so I am unlikely to get bitten by this?
And 21 is not used.

Rilly
15-11-2010, 22:29
You could also download the .deb file and install it... if you google proftpd-basic_1.3.3a-5_i386 you'll find it (eventually! took me a bit)...

Though... I'd have to update my libncurses5 every time as well...


Edit: crap... just realized... it's 'c' that fixes it... ugh... I just went and updated everything for nothing - have to do it again.

makno
15-11-2010, 19:44
Yeah, I noticed apt-get was still old... just closed port 21 for the moment, will update when I have a little time.

LawsHosting
14-11-2010, 21:58
Quote Originally Posted by makno
is this only for plesk or any installation of proftpd on any distro?
All... and I guess a serious flaw.

NB: apt-get etc. still has 1.3.1, so compiling from source is required.

Razakel
13-11-2010, 15:53
Quote Originally Posted by makno
is this only for plesk or any installation of proftpd on any distro?
I think any installation of proftpd.

makno
13-11-2010, 15:50
is this only for plesk or any installation of proftpd on any distro?

yonatan
12-11-2010, 22:19
Quote Originally Posted by Myatu
You stole the stars from the admin Friday night
nuff said.
good night folks ...

Myatu
12-11-2010, 21:52
Good evening,
A major security flaw in ProFTPD allows code execution as root. Versions since 1.3.2 are vulnerable. The latest version 1.3.3c fixes the flaw.

The OVH releases are not impacted.

PLESK / PARALLELS
---------------
Users of Plesk 9.5 and 10 under Linux and SMB are impacted and need to QUICKLY AND ABSOLUTELY update, via the Plesk web interface or the command line:

Code:
/usr/local/psa/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base
It's very simple and quick. It's after that that things get complicated: after the update, you'll still be on version 1.3.2e. The version number does not change... However, the security flaw is corrected...

So to check that you have the latest micro-patch Plesk, you would type:

Code:
cat /root/.autoinstaller/microupdates.xml
What you get:
Code:





And look at the version: in the example, "version 6".

So, if you have:
- Plesk 9.5.2
version must be # 6
- Plesk 9.5.3
version should be # 1
- Plesk 10.0.1
version should be # 1
- SMB
version should be # 1

If you have the correct version, bravo! You stole the stars from the admin Friday night

More:

http://bugs.proftpd.org/show_bug.cgi?id=3521
http://www.parallels.com/products/plesk/ProFTPD

Regards
Octave

oles@ovh.net
12-11-2010, 19:56
Good evening,

A major security vulnerability has been discovered in ProFTPD which allows code
execution as root. Versions since 1.3.2 are vulnerable.
The latest version 1.3.3c fixes this flaw.

None of the OVH releases are impacted.

PLESK / PARALLELS
---------------
Users of Plesk 9.5 and 10 under Linux and SMB
are in danger and need to take steps to COMPLETELY AND QUICKLY
update, via the Plesk web interface or the command line:
--------------------------------------------------------------
/usr/local/psa/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base
--------------------------------------------------------------

It's very simple and quick. It is only after this update that things get complicated:
you will still see version 1.3.2e. The
version number does not change... A small downside.
However, the security hole is corrected...

So to check that you have the latest micro-patch for
Plesk, you should type:
--------------------------------------------------------------
# cat /root/.autoinstaller/microupdates.xml
--------------------------------------------------------------

And the output will read:
--------------------------------------------------------------






--------------------------------------------------------------
Also, look at the version: in the example, "version 6".

Accordingly, if you have:
- Plesk 9.5.2
The version must be # 6
- Plesk 9.5.3
The version should be # 1
- Plesk 10.0.1
The version should be # 1
- SMB
The version should be # 1

If you have the correct version, bravo! You won the
recognition of the admins on Friday night!!!

More:

http://bugs.proftpd.org/show_bug.cgi?id=3521
http://www.parallels.com/products/plesk/ProFTPD

Regards
Octave
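A shell check that applies the version table from the two announcements above, added here as an example; it is not code from the thread, from OVH or from Parallels. Because the thread does not show the contents of microupdates.xml, the `<patch version="N">` layout it parses is an assumption to adjust to the real file.

```shell
#!/bin/sh
# Added example (not from the thread, OVH or Parallels): decide whether a Plesk
# host carries the micro-update level that the announcement says fixes ProFTPD,
# since the ProFTPD version string itself stays at 1.3.2e after patching.

# Minimum micro-update level per Plesk version, as listed in the announcement.
required_level() {
  case "$1" in
    9.5.2) echo 6 ;;
    9.5.3|10.0.1|SMB) echo 1 ;;
    *) echo "" ;;
  esac
}

# Highest <patch version="N"> found in microupdates.xml-style content on stdin.
# ASSUMPTION: the thread does not show the file's layout; the element name and
# attribute used here are a constructed stand-in, so adapt the pattern to your file.
installed_level() {
  grep -o '<patch [^>]*version="[0-9]*"' \
    | sed 's/.*version="\([0-9]*\)"/\1/' \
    | sort -n | tail -n 1
}

# check_microupdate PLESK_VERSION < microupdates.xml
# exit 0 = patched level present, 1 = too low or none installed, 2 = version not in the table
check_microupdate() {
  need=$(required_level "$1")
  [ -n "$need" ] || return 2
  have=$(installed_level)
  [ -n "$have" ] || have=0
  [ "$have" -ge "$need" ]
}

# Constructed sample standing in for /root/.autoinstaller/microupdates.xml on a
# Plesk 9.5.2 host that has received micro-updates 5 and 6.
SAMPLE_XML='<patches>
 <product id="plesk" version="9.5.2">
  <patch version="5"/>
  <patch version="6"/>
 </product>
</patches>'

if printf '%s\n' "$SAMPLE_XML" | check_microupdate 9.5.2; then
  echo "Plesk 9.5.2: micro-update #6 present, ProFTPD fix applied"
else
  echo "Plesk 9.5.2: micro-update level too low, run the autoinstaller command"
fi
```

On a real host, replace the sample with `check_microupdate 9.5.2 < /root/.autoinstaller/microupdates.xml` and adjust the grep pattern to the file's actual element names.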