Full Version: EXPLOIT: Proftpd
The Planet Forums > Control Panels > Plesk
AutoSear
http://forum.plesk.com/showthread.php?thre...15&pagenumber=1

No 'official' patch available from SWSoft yet, but the atomicturtle has provided RPMs. I personally haven't tried them yet, I simply have proftpd shut down in the meantime.
Ales
ATR's RPMs work fine (with a bit of tweaking and if you don't offer anonymous ftp), although there is a bug in the 1.2.9rc2 version of proftpd that prevents overwriting the files on the server when you upload them, so this version wasn't the best choice to have anyway.

Plesk has released an official update for 6.0.x systems a couple of hours ago; a patch for 5.0.5 is supposed to follow shortly.

I don't know why nobody posted the links in the Plesk forum, so I did it for them... They only announced it on the mailing list. So, check this thread and upgrade as soon as possible.
Squire
As a follow up, the official hotfix for 5.0.5 was announced on the mailing list this afternoon. Easy peasy to install too. If you have any special configurations in your current ProFTP you might want to make a backup copy of that before running the RPM, but other than that installation was a breeze. So get to patching the hole before it's too late!

Here are the details of the mailing list announcement for 5.0.5 for those who don't get it. I didn't see this one posted on the Plesk forum yet, but I assume it will be soon.

Squire

===snip===
SWsoft is issuing the following Patches for PSA version 5.0.5. Please download the patch and the release notes for your Corresponding Operating System. We strongly urge you to update your PSA 5.0.5 servers with this patch.

Note: These Patches are designed as HotFixes to your system and are for PSA 5.0.5 only! If you are running a previous version of PSA 5 you will need to update your system prior to running this patch.

For Questions or Comments please email bugreport@plesk.com


--------------------------------------------------------------------------------

Plesk Server Administrator 5.0.5 ProFTPd patches

Red Hat RPM versions

7.1 RPM

http://download1.plesk.com/psa5.0.5/psa5.0...i586.rpm.tar.gz

http://download1.plesk.com/psa5.0.5/psa5.0...926.14.i586.txt

7.2 RPM

http://download1.plesk.com/psa5.0.5/psa5.0...i586.rpm.tar.gz

http://download1.plesk.com/psa5.0.5/psa5.0...925.19.i586.txt

7.3 RPM

http://download1.plesk.com/psa5.0.5/psa5.0...i586.rpm.tar.gz

http://download1.plesk.com/psa5.0.5/psa5.0...925.19.i586.txt

All FreeBSD & Red Hat Standard Installations

http://download1.plesk.com/psa5.0.5/psa5.0...pdate.sh.tar.gz

http://download1.plesk.com/psa5.0.5/psa5.0...d_update.sh.txt

===snip===
wirematter
Hi! I too got that e-mail. I'm a newbie and thus would like to know how I go about patching my server? It's running on a Redhat 7.2 with 5.0.5 Plesk installed. Thanks!
murshed
How to make sure that the standard version's hotfix did its job?
AutoSear
Excellent, thanks for posting the release here, Squire.

Another thumbs-up for Plesk as well :)
Squire
Wirematter:

Simply log into your server via SSH, su to root, cd to whatever directory you have set up for downloading source files and wget the tar.gz file for your flavor of Redhat. Once you're logged in as root it will be something like:

QUOTE


(You'll probably have to right click that link above and copy the shortcut since I'm sure the forum is going to shorten the very long URL.)

Then untar the file using tar -zxvf psa... (the whole file name). That'll stick the two RPM files into a new directory, most likely called rpm_RedHat7.2 if the 7.3 version is any indication. cd into this new directory.

Then you can call up the .txt file in your browser. It has the installation instructions. Pretty simple...all you're going to do is a single line of rpm -Uhv of the two files. You can cut and paste that directly from the .txt file if you'd like.

Then FTP into one of your sites to test that everything is working.

Murshed: The hotfix works. The way I tested it was to FTP into a couple of my sites to make sure everything still worked as it should. I downloaded and uploaded a file to make sure overwrite was still there, checked to make sure I could chmod a file, etc. Worked flawlessly for me.

The only thing I had to change from my original ProFTPD setup was to swap out ShowDotFiles (which has been deprecated) with LsDefaultOptions so that ProFTPD shows hidden files as a default. My previous config was set up that way so that I can easily see the .htaccess files which are on practically all of my sites. If you didn't have any special configuration before, the hotfix will give you the default ProFTPD setup, so you won't need to do anything else.

AutoSear: You're quite welcome. I figured others would like it ASAP because I know I had been waiting on the official patch release.

Squire
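Murshed's question (did the hotfix do its job?) and Squire's manual FTP test can be scripted. The following is an added example, not code from the thread or from Plesk/SWsoft: it uses Python's ftplib against an already logged-in session and repeats Squire's checks (read the version banner, upload then overwrite a probe file, SITE CHMOD it). The host name and credentials in the main block are assumed placeholders.

```python
import re
from ftplib import FTP, error_perm
from io import BytesIO


def banner_version(banner):
    """Parse the ProFTPD version out of the 220 greeting, e.g.
    '220 ProFTPD 1.2.9rc2 Server ...' -> (1, 2, 9, 'rc2'). Returns None when
    the banner hides the version; that is a hardening choice, not a failure."""
    m = re.search(r"ProFTPD\s+(\d+)\.(\d+)\.(\d+)(rc\d+)?", banner)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), rc or "")

def overwrite_check(ftp, path):
    """Upload twice with different content and read it back. The 1.2.9rc2
    build mentioned in the thread refused to overwrite existing files, so the
    second STOR must be accepted and its payload must be what comes back."""
    try:
        ftp.storbinary("STOR " + path, BytesIO(b"first"))
        ftp.storbinary("STOR " + path, BytesIO(b"second"))
    except error_perm:  # a 5xx reply (on the second STOR: the rc2 symptom)
        return False
    got = bytearray()
    ftp.retrbinary("RETR " + path, got.extend)
    return bytes(got) == b"second"

def chmod_check(ftp, path):
    """SITE CHMOD must still be honoured after the hotfix (any 2xx reply)."""
    return ftp.sendcmd("SITE CHMOD 644 " + path).startswith("2")

def run_smoke_test(ftp, path="hotfix_probe.txt"):
    """Run every check against an already logged-in ftplib.FTP-style session."""
    results = {
        "version": banner_version(ftp.getwelcome()),
        "overwrite": overwrite_check(ftp, path),
        "chmod": chmod_check(ftp, path),
    }
    try:
        ftp.delete(path)  # tidy up; a failure here must not mask the results
    except Exception:
        pass
    return results

if __name__ == "__main__":
    session = FTP("ftp.example.invalid")  # assumed host, replace with yours
    session.login("testuser", "testpass")  # assumed credentials
    print(run_smoke_test(session))
    session.quit()
```

Run it once per virtual host after applying the RPMs; a False in "overwrite" reproduces the rc2 symptom Ales described, and a missing version is worth a look at the ServerIdent setting rather than a cause for alarm.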