[atomic] psa-proftpd 1.3.3c

Atomic repository announcements, new release notifications and other news regarding the atomic yum repository.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

[atomic] psa-proftpd 1.3.3c

Post by scott:

This is duplicated from the ASL 2.0 repo.

http://www.atomicorp.com/news/security-update.html

Atomicorp Security Advisory

Level: Moderate to High
This is an important security update for psa-proftpd. Versions from 1.2.10rc1 to 1.3.3b are vulnerable to certain classes of attack that would allow a malicious user to:

* create a directory located outside the writable directory
* delete a directory located outside the writable directory
* create a symlink located outside the writable directory
* change the time of a file located outside the writable directory

It is highly recommended that psa-proftpd users upgrade to 1.3.3c at their earliest opportunity.

Changelog:

- Update to version 1.3.3c

To upgrade:

yum upgrade psa-proftpd

Credits: We would like to thank BruceLee for bringing this issue to our attention, and the proftpd team for their rapid response in resolving this issue.
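The four items in the advisory share one root cause: an operation acted on a client-supplied path without confirming that the path it would really touch stays under the writable directory. The following is an added example, not proftpd's code and not a description of the fixed bug (the advisory only names the classes of operation); it shows the generic containment check a server should make before mkdir, rmdir, symlink or utime, deciding on the symlink-resolved path rather than the textual one. The temporary directory layout and the client paths in `demo()` are constructed.

```python
"""Path-containment check of the kind an FTP server must apply before acting
on a client-supplied path (mkdir, rmdir, symlink, utime).

Added example, not proftpd code: the advisory only names the classes of
operation that escaped the writable directory, so the check here is a
generic one, written from the defender's side.
"""
import os
import tempfile


class PathEscapeError(Exception):
    """Raised when a client-supplied path resolves outside the writable root."""


def resolve_inside(root: str, client_path: str) -> str:
    """Return the real filesystem path client_path would act on, or raise.

    root        -- directory the client may write under (assumed to exist)
    client_path -- path sent by the client, absolute (re-rooted) or relative
    The decision is made on the symlink-resolved path, not the textual one,
    because the operating system acts on the resolved path.
    """
    real_root = os.path.realpath(root)
    # Re-root absolute paths and collapse '.' / '..' textually first.
    candidate = os.path.normpath(os.path.join(real_root, client_path.lstrip("/")))
    if os.path.lexists(candidate):
        # Existing target (delete, utime): resolve it fully, so a symlink
        # inside root that points outside is judged by where it points.
        final = os.path.realpath(candidate)
    else:
        # Not-yet-created target (mkdir, symlink): resolve the parent, so a
        # symlinked parent cannot place the new entry outside root.
        parent = os.path.realpath(os.path.dirname(candidate))
        final = os.path.normpath(os.path.join(parent, os.path.basename(candidate)))
    if final != real_root and not final.startswith(real_root + os.sep):
        raise PathEscapeError(f"{client_path!r} resolves to {final!r}, outside {real_root!r}")
    return final


def check_paths(root: str, paths: list) -> dict:
    """Map each client path to True if it stays inside root, else False."""
    results = {}
    for p in paths:
        try:
            resolve_inside(root, p)
            results[p] = True
        except PathEscapeError:
            results[p] = False
    return results


def demo() -> dict:
    """Build a constructed tree in a temp dir and exercise the check.

    base/root/sub            ordinary subdirectory (writable root is base/root)
    base/root/escape         symlink pointing at base/outside
    base/outside             directory outside the writable root
    """
    base = tempfile.mkdtemp()
    root = os.path.join(base, "root")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "sub"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "escape"))
    return check_paths(root, [
        "sub/newdir",          # allowed: plain path under root
        "sub/../newdir",       # allowed: '..' that stays inside root
        "../outside/newdir",   # rejected: textual traversal out of root
        "escape/newdir",       # rejected: symlinked parent lands outside root
        "escape",              # rejected: existing symlink resolves outside root
        "/sub",                # allowed: absolute paths are re-rooted
    ])


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{path:20s} {'allowed' if allowed else 'REJECTED'}")
```

The string-prefix comparison is only safe because both sides have been passed through `os.path.realpath`; comparing the raw client string against the root is exactly the mistake that lets `..` and symlinks through. A production server would also need to hold the directory open and use `*at()` calls to avoid a race between this check and the operation, which this example does not do.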
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: [atomic] psa-proftpd 1.3.3c

Post by BruceLee:

Thanks Scott for providing the fix so quickly.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: [atomic] psa-proftpd 1.3.3c

Post by faris:

Yes, this could have been a really bad problem. I'm really glad it is solved -- thanks Scott!!!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: [atomic] psa-proftpd 1.3.3c

Post by mikeshinn:

If this vuln was actually against chroot then the ASL kernel would stop this vuln. ASL chroots are more like jails; it's pretty hard to escape from them, so if they actually called the chroot function you're safe. If they use their own non-kernel-enforced faux-chroot-like thing, well, yeah, they have a hole. :-)
camaran
Forum User
Posts: 34
Joined: Fri Aug 21, 2009 12:28 pm

Re: [atomic] psa-proftpd 1.3.3c

Post by camaran:

If I install it I get an error, ECONNREFUSED, and I cannot connect to my FTP server.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: [atomic] psa-proftpd 1.3.3c

Post by mikeshinn:

What's in your system logs? And are you running ASL?
camaran
Forum User
Posts: 34
Joined: Fri Aug 21, 2009 12:28 pm

Re: [atomic] psa-proftpd 1.3.3c

Post by camaran:

I'm not running ASL, but when I update this service I cannot connect to my FTP.

I use Plesk.

Where can I see the log?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: [atomic] psa-proftpd 1.3.3c

Post by scott:

/var/log/secure and /var/log/messages are good places to start.
camaran
Forum User
Posts: 34
Joined: Fri Aug 21, 2009 12:28 pm

Re: [atomic] psa-proftpd 1.3.3c

Post by camaran:

This is the FileZilla log:
Stato: Connessione a ******:21...
Stato: Tentativo di connessione non riuscito con "ECONNREFUSED - Connection refused by server".
Errore: Impossibile collegarsi al server

In /var/log/messages and in /var/log/secure I do not have any logs for FTP.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: [atomic] psa-proftpd 1.3.3c

Post by scott:

I'm not sure what that's saying there; think you could translate that to English for me?
camaran
Forum User
Posts: 34
Joined: Fri Aug 21, 2009 12:28 pm

Re: [atomic] psa-proftpd 1.3.3c

Post by camaran:

scott wrote: I'm not sure what that's saying there; think you could translate that to English for me?
Done
avibodha
Forum User
Posts: 5
Joined: Sun Nov 07, 2010 7:22 pm

Re: [atomic] psa-proftpd 1.3.3c

Post by avibodha:

Same thing for me: yum update on a fresh server with Plesk 10.0.1 and now FTP doesn't work. I have proftpd 1.3.3c installed.

ftp localhost gives connection refused. Nothing logged in messages or secure... also proftpd.conf was wiped. Copied proftpd.conf from another Plesk server but still not working.

Any ideas?
Thanks for any help.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: [atomic] psa-proftpd 1.3.3c

Post by scott:

You know I think breun probably figured this one out, you have to re-install the plesk xinetd package whose name escapes me at the moment.
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: [atomic] psa-proftpd 1.3.3c

Post by BruceLee:

Didn't take long and there they go:
212.xxx.xxx.xxx (85.xxx.xxx.xxx[85.xxx.xxx.xxx]) - client sent too-long command, ignoring

Thanks to atomicorp we are safe from attacks concerning that vulnerability :)
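The log line BruceLee quotes is the kind of signal worth counting rather than just reading: one occurrence is noise, dozens from one address in a short window is a client probing the server. The following is an added example, not proftpd's or Atomicorp's code, that parses lines of the shape `server (client_host[client_ip]) - message` as quoted above and reports source addresses that exceed a threshold of "client sent too-long command" messages. The sample lines are constructed and use RFC 5737 documentation addresses; the message strings, threshold and hostnames are assumptions for the example.

```python
"""Spot clients repeatedly tripping proftpd's command-length limit.

Added example (not proftpd's or Atomicorp's code): a small parser for log
lines shaped like the one quoted in the thread, counting
'client sent too-long command, ignoring' per source address.
"""
import re
from collections import Counter

# server_host (client_host[client_ip]) - message, matching the quoted line.
LINE_RE = re.compile(
    r"^(?P<server>\S+) \((?P<client_host>[^\[]*)\[(?P<client_ip>[^\]]+)\]\) - (?P<msg>.*)$"
)

# Message fragments treated as suspicious (assumed list for the example).
SUSPICIOUS_MESSAGES = ("client sent too-long command",)

# Constructed sample, not real log data; RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "ftp.example.net (198.51.100.7[198.51.100.7]) - client sent too-long command, ignoring",
    "ftp.example.net (198.51.100.7[198.51.100.7]) - client sent too-long command, ignoring",
    "ftp.example.net (mail.example.org[203.0.113.9]) - USER alice: Login successful.",
    "ftp.example.net (198.51.100.7[198.51.100.7]) - client sent too-long command, ignoring",
    "ftp.example.net (203.0.113.9[203.0.113.9]) - client sent too-long command, ignoring",
    "ftp.example.net (198.51.100.7[198.51.100.7]) - client sent too-long command, ignoring",
    "ftp.example.net (198.51.100.7[198.51.100.7]) - client sent too-long command, ignoring",
    "garbled line that does not match the expected shape",
]


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def count_suspicious(lines, patterns=SUSPICIOUS_MESSAGES) -> Counter:
    """Count suspicious messages per client IP; unparseable lines are skipped."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(p in rec["msg"] for p in patterns):
            hits[rec["client_ip"]] += 1
    return hits


def flag_sources(lines, threshold: int = 3):
    """Return [(client_ip, count), ...] at or above threshold, busiest first."""
    hits = count_suspicious(lines)
    return sorted(
        ((ip, n) for ip, n in hits.items() if n >= threshold),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {n} over-long commands")
```

Lines read from a syslog file will carry a timestamp, hostname and `proftpd[pid]:` prefix before the part shown here; strip that prefix before handing the remainder to `parse_line`. Counting per source address rather than per line is what turns the message from a curiosity into a detection that can feed a block list or an alert.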
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: [atomic] psa-proftpd 1.3.3c

Post by scott:

Also I put out an update yesterday that should integrate with Plesk 10. It merges in the xinetd package from plesk 9.