proftpd security vulerability??? Where can I find more info?

[BianchiDude]

proftpd security vulerability??? Where can I find more info?

was this on Bug Traq, I dont remember seeing anything on it.

Security At this time, it is recommended that all customers using proftpd Switch to pure-ftpd as soon as possible to eliminate a potential security hole. Please note that all released versions of proftpd are belived to be affected and the exact problem is not yet known. Customers who experience the problems switching are welcomed to bypass the normal support procedure and submit a ticket directly at http://support.cpanel.net

[aaronray]

I also can't find anything on this other than at cPanel. We have this on some of our other non cPanel machines and it's working OK, and I really don't want to switch to Pure due to its poor scalability. Can we get input from someone at cPanel as to a specific Secunia advisory or a specific bug that's reported in Bugzilla?

[dbarclay]

I have attempted to switch from proFtp to pureFtp but it fails.

WHM 9.9.9 cPanel 9.9.9-R14
SuSE 8.2 i686 - WHM X v3.1.0

thoughts?

[cpanelnick]

proftpd security vulerability??? Where can I find more info?

was this on Bug Traq, I dont remember seeing anything on it.

Security At this time, it is recommended that all customers using proftpd Switch to pure-ftpd as soon as possible to eliminate a potential security hole. Please note that all released versions of proftpd are belived to be affected and the exact problem is not yet known. Customers who experience the problems switching are welcomed to bypass the normal support procedure and submit a ticket directly at http://support.cpanel.net

This has yet to be offically confirmed. However I was personally able to get root with proftpd 1.3.0rc1, and I've been told others have had success doing so with 1.2.0.

[manokiss]

ok, but what about all the bugs pure-ftpd have? like the quota setup and those things? there will be any fix today?

[cpanelnick]

ok, but what about all the bugs pure-ftpd have? like the quota setup and those things? there will be any fix today?

The only known problem with pure-ftpd is editting the quota..which may already be fixed in edge (waiting for qa verification)

[fubfub]

Just out of curiousity: Is this also an issue with a grsec patched kernel?

[manokiss]

that will be great Nick, thank you!

[BianchiDude]

This has yet to be offically confirmed. However I was personally able to get root with proftpd 1.3.0rc1, and I've been told others have had success doing so with 1.2.0.

How did you get root?

[cPanelBilly]

How did you get root?

That will not be released publicly

[BianchiDude]

That will not be released publicly

Kindly tell me in a Private Message.

[cPanelBilly]

Kindly tell me in a Private Message.

This also will not be done.

[fubfub]

Well, anything that is hindering you from "releasing publicly" if this is also an issue with grsec? :-)

[fubfub]

Well, apparently there is. Too bad :-(.

[cpanelnick]

Well, anything that is hindering you from "releasing publicly" if this is also an issue with grsec? :-)

We were not able to confirm it on more then one machine so far. At this point, its just an advisory. We feel its better to be proactive instead of reactive in the event it does turn out to be a major problem. Given that pure-ftpd has a better security history then proftpd, we feel this is the wisest course at this time.