
Thread: ProFTPD 1.3.3e - PCI compliance scan failed

  1. #1

    ProFTPD 1.3.3e - PCI compliance scan failed

    Hello
    I just completed a client's container upgrade from 10.3 to 10.4.4 (Media Temple Plesk Parallels panel) specifically to fix the issue with ProFTPD.
    I just ran a new PCI scan, and it failed on ProFTPD ( http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-4130 ). It lists the solution as "upgrade to 1.3.3g".
    Current version: psa-proftpd 1.3.3e-cos5.build1013111101.14
    According to the knowledge base (http://www.parallels.com/products/pl...ation/proftpd/) the current version should be fine. Is this true? Should I contact Security Metrics and submit some type of mitigation?

    Is this version available for upgrade? would I have to do a command line micro upgrade (my panel does not list any upgrades for the container)?
    thank you for your help
    Last edited by snowfire; Mar 7, 2012 at 12:39 PM.
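The question in this post (is a vendor package version that is older than the upstream fix still acceptable?) is the classic backport problem: a scanner that keys on the version banner will flag 1.3.3e even when the distributor has patched the CVE in place. The shell script below is an added example, not code from the thread or from Plesk/Parallels, that answers it in two steps: compare the installed ProFTPD version against the release the scanner names, and if that fails, look for the CVE id in the package changelog. The package name psa-proftpd and the version string come from the post; the changelog text used for the offline run is constructed, and the use of `rpm -q --changelog` assumes an RPM-based host. Single-letter ProFTPD suffixes (1.3.3a..1.3.3g) are assumed; release candidates are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an installed ProFTPD
# package is at or past the upstream fixed release, or, failing that, whether
# the vendor changelog records a backport of the CVE the scanner reported.

# Numeric value of a single-letter suffix; empty suffix sorts before "a".
letter_ord() {
    if [ -n "$1" ]; then printf '%d' "'$1"; else echo 0; fi
}

# proftpd_version_ge A B  -> exit 0 if version A >= version B (e.g. 1.3.3e vs 1.3.3g)
proftpd_version_ge() {
    a_num=$(printf '%s' "$1" | sed 's/[a-z]*$//')   # "1.3.3"
    a_let=$(printf '%s' "$1" | sed 's/^[0-9.]*//')  # "e"
    b_num=$(printf '%s' "$2" | sed 's/[a-z]*$//')
    b_let=$(printf '%s' "$2" | sed 's/^[0-9.]*//')
    i=1
    # compare dotted numeric fields left to right; missing fields count as 0
    while :; do
        x=$(printf '%s' "$a_num" | cut -d. -f"$i")
        y=$(printf '%s' "$b_num" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && break
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    # numeric parts equal: the letter suffix decides
    [ "$(letter_ord "$a_let")" -ge "$(letter_ord "$b_let")" ]
}

# check_proftpd INSTALLED FIXED CVE CHANGELOG_TEXT
# prints "fixed-upstream", "backported" or "vulnerable"; exit 1 only for the last
check_proftpd() {
    if proftpd_version_ge "$1" "$2"; then
        echo "fixed-upstream"; return 0
    fi
    # A distributor that backports a fix normally cites the CVE id in the changelog.
    if printf '%s\n' "$4" | grep -qi "$3"; then
        echo "backported"; return 0
    fi
    echo "vulnerable"; return 1
}

# Live variant for an RPM-based Plesk host (psa-proftpd is the package named in
# the post). Not run by the offline demo below.
check_installed_proftpd() {
    ver=$(rpm -q --queryformat '%{VERSION}' psa-proftpd) || return 2
    log=$(rpm -q --changelog psa-proftpd) || return 2
    check_proftpd "$ver" "$1" "$2" "$log"
}

# Constructed changelog excerpts for an offline run; these are sample inputs,
# not real vendor changelogs.
CHANGELOG_WITH_BACKPORT='* Tue Dec 06 2011 Packager <packager@example.invalid>
- backport fix for CVE-2011-4130 (use-after-free in response pool handling)'
CHANGELOG_WITHOUT_BACKPORT='* Mon Oct 03 2011 Packager <packager@example.invalid>
- rebuild against updated OpenSSL'

# Usage: ./proftpd_check.sh  (demo); in production call check_installed_proftpd 1.3.3g CVE-2011-4130
if [ "${PROFTPD_CHECK_DEMO:-1}" = "1" ]; then
    check_proftpd 1.3.3e 1.3.3g CVE-2011-4130 "$CHANGELOG_WITH_BACKPORT"    || true
    check_proftpd 1.3.3e 1.3.3g CVE-2011-4130 "$CHANGELOG_WITHOUT_BACKPORT" || true
    check_proftpd 1.3.4a 1.3.3g CVE-2011-4130 ""                            || true
fi
```

A "backported" result is what you would hand to the scan vendor as evidence for a false-positive dispute; a "vulnerable" result means the version is behind and nothing in the changelog claims the fix, so the scan finding stands until the package is updated.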



  2. #2


    snowfire, you might also be interested in http://forum.parallels.com/showthread.php?t=257843 - they're tightly related and have a common cause, that is Plesk patching a 1.3.4a installation using with the wrong proftpd binary, one that doesn't even have DSO support, making it impossible to load modules at runtime.



  3. #3
    Last edited by burnleyvic; Mar 9, 2012 at 12:24 AM.



  4. #4


    Thanks for the update burnleyvic.
    Can anyone at Plesk please address this? Is there an update to 1.3.3g, or 1.3.4?
    My client is very insistent that this get fixed ASAP, because their shopping cart is currently not PCI compliant.
    Thank you



  5. #5


    Can anyone at Plesk please address this? Is there an update to 1.3.3g, or 1.3.4?
    Others with the same issue:
    http://forum.parallels.com/showthread.php?t=257515
    Can anyone from Plesk please update if there is a patch available.
    Thank you



  6. #6

    CVE-2011-4130

    Quote Originally Posted by snowfire:
        Can anyone at Plesk please address this? Is there an update to 1.3.3g, or 1.3.4?
        Others with the same issue:
        http://forum.parallels.com/showthread.php?t=257515
        Can anyone from Plesk please update if there is a patch available.
        Thank you
    Also need a resolution of this issue. This update was released 9 Nov 11.
    According to the scan this is a severity 9 issue.



  7. #7


    Quote Originally Posted by AcerPalmatum:
        Also need a resolution of this issue. This update was released 9 Nov 11.
        According to the scan this is a severity 9 issue.
    Since the previous ProFTPD vulnerability was released in Nov 2010 and not patched until Nov 2011,
    how much do you want to bet this won't be fixed until 2013?
    Looks like others patch ProFTPD themselves:
    http://forum.parallels.com/showthread.php?t=108791



  8. #8

    Agreed

    Yea,

    This was what our hosting company recommended as well...
    Uh, kind of defeats the point of having a hosting company/using Plesk.
    I should have just gone with Amazon.



  9. #9


    Thanks for the link, works like a champ & will be careful of the microupdates...



  10. #10


    Did that patch update you to 1.3.3g?
    I haven't tried it yet myself, just found it. Any issues with FTP afterwards?


