Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Nathan Fowler on September 24, 2003, 07:12:07 PM
-
This is something you need to be aware of, since versions of SME/E-Smith use proftpd.
http://www.securiteam.com/unixfocus/5LP0M15B5O.html
-
Any howto to patch our boxes ?
Updates blades ?
Bye.
Tuxoo
-
I don't imagine you'll be able to use the RedHat errata packages because I believe RH uses WU-FTPD, not proftpd.
Your choices are:
1) Recompile from source using the current proftpd version, or patch an older version
2) Disable FTP completely, uninstall the RPM, and just use SCP/SFTP via SSH.
3) Cross your fingers and hope that SME will release an update in a timely fashion. Hope you're not mandated to upgrade due to lack of support for "legacy" versions with an average product life-cycle of less than 4 to 5 months. An example is the OpenSSH errata packages only being provided for 5.6 and 6.0Beta, while 5.5, 5.1.2, 4.1.2, and older versions are still vulnerable.
-
Oh, and to beat Charlie to the punch, "if you were a paying customer, things would be different".
-
You're right, as I am a paying customer, I'm going to ask them the right way.
Just for info, I have seen the rpm package proftpd-1.2.9rc2-2.i386.rpm on ftp.proftpd.org/distrib/packages/RPMS; maybe we only have to upgrade this package.
Does someone want to try? ;-)
Thanks.
Bye.
Tuxoo.
-
I imagine Charlie's punch would be more like "security issues should be reported to smesecurity@mitel.com", but that's just a guess...
-
Why can't people read before they send information like this?
From the notification:
Impact:
An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute arbitrary code to gain complete control of the system. Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites.
Workaround:
Successful exploitation is not possible if attackers cannot upload files to a vulnerable FTP server. Where possible it is advisable to disable the ability for users to perform FTP uploads, either with file permissions or using ProFTPD configuration parameters:
SME by default denies FTP upload (unless you have modified the template to allow it) from outside the LAN.
Also SME 5.6 and earlier do not use proftpd versions that are included in the list.
Jon
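The advisory's workaround, denying FTP uploads via ProFTPD configuration parameters, written out as a concrete configuration fragment. This is an added illustration, not text from the thread, the advisory, or the SME templates; the directory path is a placeholder, and on SME you would apply it through the template mechanism rather than editing the generated proftpd.conf by hand.

```apacheconf
# Added example: refuse every command that writes file contents, while
# leaving downloads (RETR) and directory listings working.
# "/path/to/ftp/root" is a placeholder for the served directory.
<Directory /path/to/ftp/root/*>
    # STOR = upload, STOU = upload with server-chosen name, APPE = append
    <Limit STOR STOU APPE>
        DenyAll
    </Limit>

    # Belt and braces: never let an existing file be replaced either.
    AllowOverwrite off
</Directory>
```

Check the result with `proftpd -t` (configuration syntax test) and then with a test upload from an ordinary FTP account, which should be refused. This only removes the precondition the advisory names (the ability to upload); it does not replace upgrading to a fixed proftpd package.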
-
Jon, you're sadly mistaken. Previous versions, while not tested, are also listed as being vulnerable.
Additionally, any user capable of uploading files can exploit this vulnerability with possible root access. An example would be a user who has a virtual domain on that server with FTP access to maintain the site; that user could compromise the system.
You may trust your user base, others do not.
-
Note that we have now posted an advisory about this issue on the home page.
http://www.e-smith.org/article.php3&mode=threaded&order=0