
Thread: ProFTPd 2 open security issues

  1. #1
    Join Date
    Jun 2010
    Beans
    102

    ProFTPd 2 open security issues

    Hi,

    so ProFTPd currently has 2 open security issues in Ubuntu 10.4 LTS (ProFTPd 1.3.2c-1ubuntu0.1). The Telnet IAC processing stack overflow from 2010-10-29, fixed in 1.3.3c, and the newer mod_sql pre-authentication remote root issue from mid-November, still unpatched by the ProFTPd authors.

    I'm running that FTP server on my system and I'm concerned about my system security. At least the first patch should have been ported a month ago, but the USN list hasn't mentioned ProFTPd for a long time.

    Should I consider switching to another FTP server? Pure-FTP has been mentioned elsewhere. Or does Ubuntu have a somehow modified version that didn't have those issues in the first place, but nobody is mentioning it?

  2. #2
    Join Date
    Jul 2007
    Beans
    414
    Distro
    Xubuntu 13.04 Raring Ringtail

    Re: ProFTPd 2 open security issues

    Quote: Originally posted by LonelyPixel
    Hi,

    so ProFTPd currently has 2 open security issues in Ubuntu 10.4 LTS (ProFTPd 1.3.2c-1ubuntu0.1). The Telnet IAC processing stack overflow from 2010-10-29, fixed in 1.3.3c, and the newer mod_sql pre-authentication remote root issue from mid-November, still unpatched by the ProFTPd authors.

    I'm running that FTP server on my system and I'm concerned about my system security. At least the first patch should have been ported a month ago, but the USN list hasn't mentioned ProFTPd for a long time.

    Should I consider switching to another FTP server? Pure-FTP has been mentioned elsewhere. Or does Ubuntu have a somehow modified version that didn't have those issues in the first place, but nobody is mentioning it?
    Have a look at vsftpd to see if it will meet your needs.

  3. #3
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: ProFTPd 2 open security issues

    You could also stop using an ftp server and use sftp; most ftp clients support sftp.

  4. #4
    Join Date
    Jun 2010
    Beans
    102

    Re: ProFTPd 2 open security issues

    Quote: Originally posted by cariboo907
    You could also stop using an ftp server and use sftp; most ftp clients support sftp.
    I've been thinking about that, but I'm not sure all of my webhosting clients could handle that. Maybe I should just ask them to find out.

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: ProFTPd 2 open security issues

    Quote: Originally posted by LonelyPixel
    I've been thinking about that, but I'm not sure all of my webhosting clients could handle that. Maybe I should just ask them to find out.
    Would be a good idea.

    sftp > ftp and a whole heck of a lot easier to set up.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #6
    Join Date
    Jun 2010
    Beans
    102

    Re: ProFTPd 2 open security issues

    But still, until this is evaluated, ProFTPd remains highly insecure on Ubuntu!

  7. #7
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: ProFTPd 2 open security issues

    Quote: Originally posted by LonelyPixel
    But still, until this is evaluated, ProFTPd remains highly insecure on Ubuntu!
    File a bug report on launchpad referencing the vulnerabilities.

  8. #8
    Join Date
    Jun 2010
    Beans
    102

    Re: ProFTPd 2 open security issues

    Oh, it seems that the first bug was already resolved with the current version. There wasn't even a notice about it. Only the Launchpad entry suggests it.

    The second bug is in mod_sql which is not a standard module of ProFTPD. So I'm not sure whether we can expect a fix for that.

  9. #9
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: ProFTPd 2 open security issues

    Just read this morning that the source code for ProFTPd was compromised some time prior to last weekend (maybe?). I don't think that would necessarily be a problem for applying updates to an already-installed version, but it might be something to keep at the back of your mind. Looking for a link...

  10. #10
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: ProFTPd 2 open security issues

    Quote: Originally posted by OpSecShellshock
    Just read this morning that the source code for ProFTPd was compromised some time prior to last weekend (maybe?). I don't think that would necessarily be a problem for applying updates to an already-installed version, but it might be something to keep at the back of your mind. Looking for a link...
    Got it:

    http://www.zdnet.com/blog/security/o...urce-code/7787
