proFTPd security bug

ZooL · Nov 15th 2010

Hi all!

The data centre we use has disabled proftpd on our servers four days ago because of this bug. I had a look around and I see no mention of it on these forums so far.

http://cve.mitre.org/cgi-bin/cvename.cgi...-2010-3867

This potentially allows root access (apparently). I was wondering if we are in fact are affected, and if so, is there a fix for this yet? I see Plesk (Parallels) have released their own fix at http://www.parallels.com/products/plesk/proftpd

Any information greatly appreciated thank you

reported by seanatw

aseques · Nov 15th 2010

If you are on debian, you only have to worry with squeeze, lenny and previous are not affected.
If you are on squeeze, you should updated right now.
On all platforms, everything after proftpd-1.3.2rc3 was affected.

oldev01 · Nov 15th 2010

Thank you aseques for feedback.

**Nuxwin** · Nov 15th 2010

And what about Debian Bug tracker ?

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602313

**joximu** · Nov 15th 2010

maybe malte is also right: the bug is in mod_site_misc, which we do not use par default...

http://isp-control.net/forum/t…-post-90649.html#pid90649

/Joxi

oldev01 · Nov 15th 2010

Malte talk by one bug. This is the bug that you should concern.

oldev01 · Nov 15th 2010

Quote

On Mon, Nov 15, 2010 at 06:15:48PM +0200, Adrian Minta wrote:
> Any debian reaction on this ?
> http://seclists.org/fulldisclosure/2010/Nov/49

It doesn't effect the version shipped with Lenny and is fixed in testing
and unstable.

http://bugs.proftpd.org/show_bug.cgi?id=3521
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769

HTH
Sven
--
And I don't know much, but I do know this:
With a golden heart comes a rebel fist.
[ Streetlight Manifesto - Here's To Life ]

--

Reply

Forward

Reply
|
Adrian Minta
to debian-security

show details 6:51 PM (7 minutes ago)

On 11/15/10 18:41, Sven Hoexter wrote:

On Mon, Nov 15, 2010 at 06:15:48PM +0200, Adrian Minta wrote:

Any debian reaction on this ?
http://seclists.org/fulldisclosure/2010/Nov/49

It doesn't effect the version shipped with Lenny and is fixed in testing
and unstable.

http://bugs.proftpd.org/show_bug.cgi?id=3521
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769

HTH
Sven

Thank you !

--

Display More

**Nuxwin** · Nov 15th 2010

great

proFTPd security bug

Share

Similar Threads

VSFTPD / Net2FTP - FTP Login Problem

Update to 1.5.1 - You have held broken packages

i-MSCP 1.5.0 RELEASED

MariaDB 10.2 and PhpSwitcher 3.0.6 / Error with needed Packages

i-MSCP 1.4.7 - Could not restart imscp_traffic service - ERROR: could not insert 'ip6_tables'

Howto install Fail2ban from Stretch repository on Debian Jessie

Daily visitors