Another security issue found, now in ProFTPD 1.3.0

pucky

Affected package: proftpd-1.3.0
Type of problem: proftpd -- Remote Code Execution Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/cca97f5f-7435-11db-91de-0008743bf21a.html>

1 problem(s) in your installed packages found.

So what's new? This is as bad as the phpbb2 issues. It's never ending. Where is pure-ftpd? It's about time DA gives it to us instead of this sucky proftpd. I think we have all asked and feature-requested it.

Sure, wait till your box is hacked via proftpd. Then we will see how many people will be demanding, and not asking for, alternate FTP software. The sad fact is, those who don't have a clue why their boxes were hacked will never know that it was actually via proftpd. That's the sad thing!
 
Re: Another security issue found, now in 1.3.0

pucky said:
Affected package: proftpd-1.3.0
Type of problem: proftpd -- Remote Code Execution Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/cca97f5f-7435-11db-91de-0008743bf21a.html>


This issue was found some days ago.
Just update your ports and reinstall proftpd.

This issue and its solution are described in more detail here: http://www.freebsd.org/cgi/query-pr.cgi?pr=105510

I think any software can be vulnerable.
The only way to ensure security is to keep the server software and the underlying OS up to date all the time.
 
Database created: Thu Nov 23 02:40:13 EST 2006

Checking for packages with security vulnerabilities:

Affected package: proftpd-1.3.0
Type of problem: proftpd -- Remote Code Execution Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/cca97f5f-7435-11db-91de-0008743bf21a.html>

proftpd is not installed via ports on my boxes. It's the default installation that was installed by DA on our FreeBSD 6.1 boxes.
I don't see any updates.

What is everyone who is not running FreeBSD doing about this?
 
But just install it from ports instead!
Run pkgdb -F, then skip down until you see ftp/da_proftpd, choose NOT to skip, and choose no also on "Browse the CVSweb for the port's history". Then it guesses, and probably correctly too (ftp/proftpd). "Change the origin to this?", yes!
Okay, now run a portupgrade:
cd /usr/ports/ && portupgrade ftp/proftpd
The binary will read the wrong configuration file, so we need to fix this:
mv /usr/local/etc/proftpd.conf /usr/local/etc/proftpd.conf.PORTS
and create the symbolic link:
ln -s /etc/proftpd.conf /usr/local/etc/proftpd.conf
Now restart proftpd: /usr/local/etc/rc.d/proftpd restart
Voilà!
 
What about the startup script? You should probably rename the original to something else so that ports can install the new one, as DA will have a problem starting and stopping using the default startup script.
 
If this affects the proftpd package that is provided by DA, then DA should provide the updated package ASAP.

Then DA customers can easily patch
with the pkg_delete and pkg_add commands.
 
pucky said:
What about the startup script? You should probably rename the original to something else so that ports can install the new one, as DA will have a problem starting and stopping using the default startup script.
DA doesn't seem to have any problem with the startup script that comes with the port as long as it's named correctly. Just mv /usr/local/etc/rc.d/proftpd.sh /usr/local/etc/rc.d/proftpd should do it.
 
pucky said:
What about the startup script? You should probably rename the original to something else so that ports can install the new one, as DA will have a problem starting and stopping using the default startup script.

Yes, you should use the default DA startup script.

--- mini howto - upgrading proftpd for freebsd--

cp /usr/local/etc/rc.d/proftpd /usr/local/etc/rc.d/proftpd.bak

pkg_delete old version

cd /usr/ports/ftp/proftpd
make install clean

mv /usr/local/etc/rc.d/proftpd.bak /usr/local/etc/rc.d/proftpd
rm -f /usr/local/etc/rc.d/proftpd.sh

mv /usr/local/etc/proftpd.conf /usr/local/etc/proftpd.conf_new
ln -s /etc/proftpd.conf /usr/local/etc/proftpd.conf

/usr/local/etc/rc.d/proftpd restart

--
Good luck!
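A scripted form of the config relink and rc.d-script handling from the howto above, as an added example (not the thread's or DirectAdmin's own code). It assumes a ROOT prefix argument so the steps can be rehearsed in a scratch directory before touching the live box, where the prefix is "/"; the functions refuse to overwrite an earlier backup and are safe to re-run.

```shell
#!/bin/sh
# Added example: re-point a ports-built proftpd at DirectAdmin's config and keep
# DA's rc.d script, as the howto above does, but idempotently. ROOT is an
# assumption: a prefix so the steps can be rehearsed in a scratch directory;
# on the live box call these with "/" (or no argument).

# Return 0 when the port's config path already resolves to DA's /etc/proftpd.conf.
conf_is_linked() {
    root=${1:-/}; root=${root%/}
    link="$root/usr/local/etc/proftpd.conf"
    [ -L "$link" ] && [ "$(readlink "$link")" = "/etc/proftpd.conf" ]
}

# Move the port's generated proftpd.conf aside (refusing to clobber an earlier
# backup) and symlink DA's config into the path the port binary reads.
relink_proftpd_conf() {
    root=${1:-/}; root=${root%/}
    port_conf="$root/usr/local/etc/proftpd.conf"
    [ -f "$root/etc/proftpd.conf" ] || { echo "no DA config under $root/etc" >&2; return 1; }
    conf_is_linked "$root" && return 0
    if [ -e "$port_conf" ] && [ ! -L "$port_conf" ]; then
        [ -e "$port_conf.PORTS" ] && { echo "$port_conf.PORTS already exists" >&2; return 1; }
        mv "$port_conf" "$port_conf.PORTS"
    fi
    rm -f "$port_conf"
    ln -s /etc/proftpd.conf "$port_conf"
}

# Keep a copy of DA's rc.d script before the port installs its own ...
save_da_rc() {
    root=${1:-/}; root=${root%/}
    rc="$root/usr/local/etc/rc.d/proftpd"
    [ -f "$rc" ] && cp -p "$rc" "$rc.bak"
}

# ... and put it back afterwards, dropping the port's proftpd.sh so only the
# script DA knows how to start and stop remains.
restore_da_rc() {
    root=${1:-/}; root=${root%/}
    rc="$root/usr/local/etc/rc.d/proftpd"
    [ -f "$rc.bak" ] || return 1
    mv "$rc.bak" "$rc"
    rm -f "$rc.sh"
}
```

Call save_da_rc before the pkg_delete/make install step and relink_proftpd_conf plus restore_da_rc after it, then restart proftpd as in the howto.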
 