Good evening,
A major security vulnerability has been discovered in ProFTPD that allows code execution as root. Versions from 1.3.2 onward are vulnerable.
The latest version, 1.3.3c, fixes this flaw.
No OVH release is affected.
PLESK / PARALLELS
---------------
Users of Plesk 9.5 and 10 under Linux, and of SMB,
are exposed and need to COMPLETELY AND QUICKLY
update their Plesk, either through the web interface or from the command line:
--------------------------------------------------------------
/usr/local/psa/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base
--------------------------------------------------------------
It's very simple and quick. It is only after this update that things get complicated:
you will still see version 1.3.2e. The version number does not change... A small downside.
However, the security hole is fixed...
So, to check that you have the latest micro-update for
Plesk, you should type:
--------------------------------------------------------------
# cat /root/.autoinstaller/microupdates.xml
--------------------------------------------------------------
And the output will read:
--------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
--------------------------------------------------------------
Then look at the version number in the output; in the example it reads "version 6".
Accordingly, if you have:
- Plesk 9.5.2: the version must be #6
- Plesk 9.5.3: the version must be #1
- Plesk 10.0.1: the version must be #1
- SMB: the version must be #1
If you have the correct version, bravo! You have earned the
recognition of the admins on a Friday night!!!
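As an added example (not part of this announcement or of Plesk), the check above can be scripted: the minimum micro-update per release is the table just given, and the script assumes microupdates.xml records a <product id="plesk" version="..."> element with <patch version="N"/> children, which the announcement itself does not show (it quotes only the XML declaration). SMB is left out because its product id is not named here.

```shell
#!/bin/sh
# Added example, not from the announcement: compare the micro-update level in
# microupdates.xml with the minimum listed above. ASSUMPTION: the file holds
# <product id="plesk" version="X.Y.Z"> with <patch version="N"/> children; the
# announcement shows only the XML declaration, so this layout is assumed.

# Minimum micro-update per Plesk release, as given in the announcement
# (SMB omitted: its product id is not named there).
required_microupdate() {
    case "$1" in
        9.5.2)  echo 6 ;;
        9.5.3)  echo 1 ;;
        10.0.1) echo 1 ;;
        *)      echo "" ;;
    esac
}

# Print "<product version> <highest patch version>" from the file in $1.
parse_microupdates() {
    prod=$(sed -n 's/.*<product[^>]*id="plesk"[^>]*version="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    patch=$(sed -n 's/.*<patch[^>]*version="\([0-9]*\)".*/\1/p' "$1" | sort -n | tail -n 1)
    echo "$prod ${patch:-0}"
}

# Exit status 0 when the recorded level meets the minimum, 1 otherwise.
check_patched() {
    set -- $(parse_microupdates "$1")
    req=$(required_microupdate "$1")
    [ -n "$req" ] || { echo "unknown Plesk release: '$1'"; return 1; }
    [ "$2" -ge "$req" ] && { echo "Plesk $1 micro-update #$2 >= #$req: ProFTPD fix present"; return 0; }
    echo "Plesk $1 micro-update #$2 < #$req: run the autoinstaller"; return 1
}

# Constructed stand-in for /root/.autoinstaller/microupdates.xml (sample data).
make_sample_xml() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<patches>
  <product id="plesk" version="9.5.2">
    <patch version="6"/>
  </product>
</patches>
EOF
    echo "$f"
}

SAMPLE=$(make_sample_xml)
check_patched "$SAMPLE"
rm -f "$SAMPLE"
```

On a real server, pass /root/.autoinstaller/microupdates.xml to check_patched instead of the constructed sample.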
More:
http://bugs.proftpd.org/show_bug.cgi?id=3521
http://www.parallels.com/products/plesk/ProFTPD
Regards
Octave