ProFTPD 1.3.3e - PCI compliance scan failed

Discussion in 'Parallels Plesk Panel 10.x for Linux Problems, Suggested Fixes, and How-To' started by snowfire, Mar 7, 2012.

  1. snowfire

    snowfire New Member

    Messages:
    9
    ProFTPD 1.3.3e - PCI compliance scan failed

    Hello
    I just completed a client's container upgrade from 10.3 to 10.4.4 (Media Temple Plesk Parallels panel) specifically to fix the issue with ProFTPD.
    I just ran a new PCI scan, and it failed on ProFTPD (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4130). It lists the solution as "upgrade to 1.3.3g".
    Current version: psa-proftpd 1.3.3e-cos5.build1013111101.14
    According to the knowledge base (http://www.parallels.com/products/plesk/documentation/proftpd/) the current version should be fine. Is this true? Should I contact SecurityMetrics and submit some type of mitigation?

    Is this version available for upgrade? Would I have to do a command-line micro upgrade (my panel does not list any upgrades for the container)?
    Thank you for your help.
    Last edited: Mar 7, 2012
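    A defender-side check for the question in this post, added here as an example and not taken from the thread, from Plesk or from the scan vendor: it compares an installed ProFTPD version string against 1.3.3g, the fix release the scan report names, and points at the package changelog as the place to look when a vendor package carries a backported fix under an older version number, which a version-only scan cannot see. It assumes ProFTPD's usual major.minor.patch plus letter-suffix version format; the banner line and package name below are constructed to match the version quoted above.

```shell
# Added example, not from the thread or from Plesk: check a ProFTPD version
# against 1.3.3g, the release the scan report names as the fix for
# CVE-2011-4130, and show the backport evidence a version-only scan misses.

FIXED_VERSION="1.3.3g"

# ProFTPD versions look like 1.3.3e: major.minor.patch plus an optional letter.
# Build a fixed-width numeric key so two versions compare with plain -ge.
# The letter becomes its ASCII code (e=101 < g=103); a bare "1.3.4" gets 200
# so it sorts above every lettered 1.3.3x; "rc" candidates get 0.
version_key() {
    ver="$1"
    num=$(printf '%s' "$ver" | sed 's/[a-z].*$//')      # 1.3.3
    suf=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')      # e
    case "$suf" in
        "")  code=200 ;;
        rc*) code=0 ;;
        *)   code=$(printf '%d' "'$suf") ;;             # ASCII value of the letter
    esac
    set -- $(printf '%s' "$num" | tr '.' ' ')
    printf '1%03d%03d%03d%03d' "$1" "$2" "${3:-0}" "$code"
}

# Exit 0 when the given version is at or above FIXED_VERSION.
is_fixed() {
    [ "$(version_key "$1")" -ge "$(version_key "$FIXED_VERSION")" ]
}

# Pull the version out of a "proftpd -v" banner or an RPM package name.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p'
}

# A vendor package can carry the fix under the old version number; the
# package changelog ("rpm -q --changelog psa-proftpd") is where that shows.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q "$2"
}

# Constructed sample inputs modelled on the thread, not real command output.
BANNER="ProFTPD Version 1.3.3e"
PACKAGE="psa-proftpd-1.3.3e-cos5.build1013111101.14"
for v in "$(extract_version "$BANNER")" "$(extract_version "$PACKAGE")" 1.3.3g 1.3.4a; do
    if is_fixed "$v"; then
        echo "$v: at or above $FIXED_VERSION"
    else
        echo "$v: below $FIXED_VERSION; look for CVE-2011-4130 in the package changelog"
    fi
done
```

    On a live host, feed it the real output of `proftpd -v` or `rpm -q psa-proftpd`, and treat a "below" result as "check the changelog" rather than as proof of exposure.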
  2. burnleyvic

    burnleyvic Kilo Poster

    Messages:
    153
    snowfire, you might also be interested in http://forum.parallels.com/showthread.php?t=257843 - they're tightly related and have a common cause, that is, Plesk patching a 1.3.4a installation with the wrong proftpd binary, one that doesn't even have DSO support, making it impossible to load modules at runtime.
  3. burnleyvic

    burnleyvic Kilo Poster

    Messages:
    153
  4. snowfire

    snowfire New Member

    Messages:
    9
    Thanks for the update, burnleyvic.
    Can anyone at Plesk please address this? Is there an update to 1.3.3g or 1.3.4?
    My client is very insistent that this get fixed ASAP, because their shopping cart is currently not PCI compliant.
    Thank you.
  5. snowfire

    snowfire New Member

    Messages:
    9
  6. AcerPalmatum

    AcerPalmatum New Member

    Messages:
    3
    CVE-2011-4130

    Also need a resolution of this issue. This update was released 9 Nov 11.
    According to the scan, this is a severity 9 issue.
  7. snowfire

    snowfire New Member

    Messages:
    9
    Since the previous ProFTPD vulnerability was released in Nov 2010 and not patched until Nov 2011,
    how much do you want to bet this won't be fixed until 2013?
    Looks like others patch ProFTPD themselves:
    http://forum.parallels.com/showthread.php?t=108791
  8. AcerPalmatum

    AcerPalmatum New Member

    Messages:
    3
    Agreed

    Yeah,

    This was what our hosting company recommended as well...
    Uh, kind of defeats the point of having a hosting company/using Plesk.
    I should have just gone with Amazon.
  9. AcerPalmatum

    AcerPalmatum New Member

    Messages:
    3
    Thanks for the link, works like a champ & will be careful of the microupdates...
  10. snowfire

    snowfire New Member

    Messages:
    9
    Did that patch update you to 1.3.3g?
    I haven't tried it yet myself, just found it. Any issues with FTP afterwards?