Proftpd exploitable versions


Due to the severity of the ProFTPD bug, and the mix of systems and versions on the VPSs, many customers have switched to vsftpd and others have started using SFTP instead. For customers who want to enable proftpd again, we have the following notes:

The bug affects versions >= 1.3.2rc3; for more information see http://bugs.proftpd.org/show_bug.cgi?id=3521

Here is the breakdown for the most commonly installed versions.

Debian distribution package: the Debian stable package, version 1.3.1-17, is not affected.

Ubuntu distribution package: Ubuntu karmic, lucid and maverick are affected. An upgrade is available through the security repository; the fixed package version is 1.3.2c-1ubuntu0.1. For more information: https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/674798

CentOS distribution package: the CentOS proftpd package is not present in the latest stable versions. For more information: https://bugzilla.redhat.com/show_bug.cgi?id=651608

Ubuntu / Debian / CentOS Webmin: Webmin relies on the distribution packages; please refer to the information above to determine whether there is a problem or not.

Ubuntu / Debian / CentOS Plesk: Plesk versions 9.5.x and 10 and Small Business 10.2 are affected; proftpd version 1.3.2b was introduced in Plesk 9.5. The solution is the one posted at http://www.parallels.com/au/products/plesk/ProFTPD/

Ubuntu / Debian / CentOS Virtualmin: the Virtualmin proftpd package needs manual checking. Some systems require the update because proftpd is installed from Virtualmin packages; others rely on the distribution package and are not affected.

Here are some snippets that might help with this issue:

  • To check the installed version:
    { rpm -qa; dpkg -l; } | grep ftp
  • To re-enable the service (the opposite of the previous disable script):
    {
    set -x;
    cd /etc/init.d/;
    # Red Hat / CentOS style init: register the service and enable it at boot
    chkconfig --add proftp*;
    chkconfig proftp* on;
    # Debian / Ubuntu style init: enable at boot and start now
    update-rc.d -f proftp* defaults;
    service proftp* start;
    /etc/init.d/proftpd start;
    # Plesk: put back the xinetd ftp_psa entry the disable script moved to /root and restart xinetd
    [ -e /root/ftp_psa ] && mv /root/ftp_psa /etc/xinetd.d/ && echo enabling psa_ftp && /etc/init.d/xinetd restart
    # inetd: uncomment the ftp line the disable script marked "# exploitable ftp", then restart whichever inetd is installed
    grep ftp /etc/inetd.conf && sed --in-place 's/^\# exploitable ftp/ftp/' /etc/inetd.conf && grep ftp /etc/inetd.conf && { /etc/init.d/inetd restart ; /etc/init.d/openbsd-inetd restart ; /etc/init.d/xinetd restart; /etc/init.d/inetutils-inetd restart; }
    set +x;
    } 2>&1 | tee -a /root/proftpdrenable
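The version check above only lists what is installed; deciding whether a given version falls in the affected range (>= 1.3.2rc3) still has to be done by hand, and a plain version comparison is misleading for distribution packages that carry a backported fix under an unchanged upstream number (the Ubuntu 1.3.2c-1ubuntu0.1 package above is exactly that case). The script below is an added example written for this page, not part of the original notes or of ProFTPD itself. It parses version strings out of rpm/dpkg/proftpd output, orders them correctly (1.3.2rc3 < 1.3.2 < 1.3.2a < ... < 1.3.3c) and classifies them. The sample lines are constructed, the upstream fix release 1.3.3c is an assumption not stated in the notes, and the list of distribution-patched package versions contains only the Ubuntu version named above.

```shell
#!/bin/sh
# Added example: classify ProFTPD version strings against the affected range
# described in the notes above. Not part of the original page or of ProFTPD.

FIRST_AFFECTED="1.3.2rc3"   # from the upstream bug report referenced above
FIXED_UPSTREAM="1.3.3c"     # assumption: the upstream release carrying the fix

# Distribution package versions the notes above name as carrying the fix
# (the Ubuntu security update). Extend from your distribution's advisory.
PATCHED_PACKAGES="1.3.2c-1ubuntu0.1"

# version_from_line: print the first version-looking token in a line of
# 'rpm -qa', 'dpkg -l' or 'proftpd -v' output; fail if there is none.
version_from_line() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+[a-z0-9]*(-[^ ]*)?/) {
            print substr($0, RSTART, RLENGTH); found = 1
        }
        END { exit found ? 0 : 1 }'
}

# normalize_version: turn "1.3.2rc3", "1.3.2c", "1.3.3" into a comparable key
# "MAJOR MINOR PATCH STAGE LEVEL", STAGE 0 for release candidates and 1 for
# final releases (LEVEL = rc number or letter position), so that
# 1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.2b < 1.3.2c < 1.3.3. The Debian/Ubuntu
# package revision after "-" is dropped first. Fails on unparsable input.
normalize_version() {
    printf '%s\n' "${1%%-*}" | awk '
        match($0, /^[0-9]+\.[0-9]+\.[0-9]+/) {
            split(substr($0, 1, RLENGTH), n, ".")
            rest = substr($0, RLENGTH + 1)
            if (rest ~ /^rc[0-9]+$/)   { stage = 0; level = substr(rest, 3) + 0 }
            else if (rest == "")       { stage = 1; level = 0 }
            else if (rest ~ /^[a-z]$/) { stage = 1; level = index("abcdefghijklmnopqrstuvwxyz", rest) }
            else next
            printf "%d %d %d %d %d\n", n[1], n[2], n[3], stage, level
            ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# version_lt A B: return 0 when A sorts strictly before B, 1 otherwise,
# 2 when either string cannot be parsed.
version_lt() {
    a=$(normalize_version "$1") || return 2
    b=$(normalize_version "$2") || return 2
    set -- $a
    for y in $b; do
        [ "$1" -lt "$y" ] && return 0
        [ "$1" -gt "$y" ] && return 1
        shift
    done
    return 1
}

# classify_proftpd_version: print "unaffected", "affected", "fixed" or
# "invalid" based on the upstream version number alone.
classify_proftpd_version() {
    normalize_version "$1" >/dev/null 2>&1 || { echo invalid; return 1; }
    if version_lt "$1" "$FIRST_AFFECTED"; then echo unaffected
    elif version_lt "$1" "$FIXED_UPSTREAM"; then echo affected
    else echo fixed
    fi
}

# classify_package: like classify_proftpd_version, but recognises distribution
# packages that carry a backported fix under an otherwise "affected" number.
classify_package() {
    for p in $PATCHED_PACKAGES; do
        [ "$1" = "$p" ] && { echo fixed-by-distribution; return 0; }
    done
    classify_proftpd_version "$1"
}

# Constructed sample lines of the kind the version check above produces.
SAMPLE_LINES='ii  proftpd-basic  1.3.2c-1ubuntu0.1  Versatile, virtual-hosting FTP daemon
proftpd-1.3.3b-1.el5
ProFTPD Version 1.3.1
some unrelated line'

main() {
    printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r line; do
        v=$(version_from_line "$line") || continue
        printf '%-22s %s\n' "$v" "$(classify_package "$v")"
    done
}

main
```

To use it on a real server, pipe the output of the version check above into the loop in place of the constructed sample lines. An "affected" verdict for a distribution package means the upstream number is in range, not that the package is unpatched: confirm against the distribution advisory linked in the notes before deciding.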

Please open a support ticket at http://rimuhosting.com/ticket/startticket.jsp if you want us to check your server for you. We are happy to help you work through this issue.