Otra nota oficial de Plesk, indica que las versiones afectadas son Plesk 9.5.x , Plesk 10 y Parallels Small Business Panel 10.2.
Parallels strives to deliver solutions to potential vulnerability issues of component parts as soon as they are identified. Please pay attention to this notification as it contains an Important Security Notification. More information can be found on the Parallels website, by visiting: http://www.parallels.com/products/plesk/proftpd
Affected Products: Parallels Plesk Panel 9.5x and 10 include this vulnerability (no prior versions included this version of the component). Parallels Small Business Panel 10.2 is also affected.
Details of the Vulnerability or Exploit: A flaw in ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences.
ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application’s stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem.Fixes for the Vulnerability or Exploit: Parallels has used its micro-update patch functionality in Plesk 9.5x and 10.x to fix this exploit. You can run the Parallels AutoInstaller to fix this or check the Updates section of your Plesk Panel 9.5x or 10.x to fix this. This is a file-replace, as opposed to a new install so it will be quick and reliable. To find this in the GUI:
- Parallels Plesk Panel 9.5x: “Home” -> “Updates” -> Select the Panel version which has updates -> click “Install” ?
- Parallels Plesk Panel 10.x:“Server Management” -> “Tools & Utilities” -> “Updates” -> “Update Components” -> click “Continue”
These ProFTPD fixes are also available from the Parallels AutoInstaller for Plesk 9.52, 9.53, and Plesk 10.01. You should already have downloaded this as part of Plesk. Use:
# $PRODUCT_ROOT_D/admin/sbin/autoinstaller
Or use the following parameters:
# $PRODUCT_ROOT_D/admin/sbin/autoinstaller –select-product-id plesk –select-release-current –reinstall-patch –install-component base
The patch for Parallels Small Business Panel 10.2 will be posted by 12 noon GMT on Friday November 12, 7am EST in the US)
If you have any concerns or need assistance applying these patches to your system, please contact us at: http://www.parallels.com/support/plesk/free10assistance_toc/ . A valid Plesk license key is required.Thank you for your attention to this important matter.
The Parallels Plesk Panel Team
Deja una respuesta