[BlueOnyx:10450] Is there a way to upgrade this

Richard Barker rc at probass.com
Sat May 5 18:54:00 -05 2012


Fail of PCI / DSS compliance

Description: possible vulnerability in ProFTP 1.3.3e
Severity: Area of Concern
CVE: CVE-2011-4130 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4130>

Impact: Attackers exploiting these vulnerabilities may be able to execute
arbitrary commands, perhaps with root privileges, gain unauthorized
access, or disrupt service on a target system.

Resolution: Upgrade [http://www.proftpd.org] ProFTPD to version
[http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3g] 1.3.3g (stable) or
greater. Please see the ProFTPD Project's general instructions on
[http://www.proftpd.org/docs/howto/Upgrade.html] upgrading the
software. If your copy of the ProFTPD server daemon is part of a larger
software distribution, check with your software vendor for a newer or
patched version.

All FTP server processes must run as root, at least during some parts of
their operation, in order to bind to the reserved low-numbered network
ports that are specified in the [http://tools.ietf.org/html/rfc959] FTP
standard. The ProFTPD Project reminds administrators that, for greater
security, the server should be configured to
[http://www.proftpd.org/docs/howto/ConfigFile.html#Identity] run under
an unprivileged user ID at all times when root privileges are not
essential. Administrators with even stronger security requirements may
want to configure the server to
[http://www.proftpd.org/docs/howto/Nonroot.html] run entirely without
root privileges, at the cost of some inconvenience.

In some cases, disallowing anonymous ftp access, or removing write
permissions from all directories accessible by anonymous ftp, could
serve as a workaround. However, this will only be an effective
*Solution* for those vulnerabilities which, as noted above, require the
attacker to create files or directories on the server. You will still
need to upgrade ProFTPD to fix the other vulnerabilities. Finally, ftp
access can be restricted by using
[ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/tcp_wrappers] TCP
wrappers.

Vulnerability Details:
Service: ftp
Received: 220 ProFTPD 1.3.3e Server (ProFTPD server)


Thanks in advance for any help
RC
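The scanner flagged this host from nothing more than the FTP greeting quoted under "Vulnerability Details". The following added example (not code from the post, the scanner or the ProFTPD project) reproduces that banner check offline: it parses a ProFTPD "220" greeting and compares the advertised version against the 1.3.3g threshold named in the finding, handling bare releases, letter patch levels and release candidates. The banner format and sample lines are assumptions constructed for the example.

```python
import re

# Minimum fixed release named in the scan finding for CVE-2011-4130.
FIXED_VERSION = "1.3.3g"

# ProFTPD greeting, e.g. "220 ProFTPD 1.3.3e Server (ProFTPD server)".
# Version forms: 1.3.3 (bare), 1.3.3e (letter patch level), 1.3.4rc1 (release candidate).
BANNER_RE = re.compile(r"^220[ -]ProFTPD (\d+(?:\.\d+)*)(rc\d+|[a-z])?(?=\s|$)")


def parse_banner(banner):
    """Return (numeric_parts, letter, rc) for a ProFTPD banner, or None otherwise."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2) or ""
    if suffix.startswith("rc"):
        return nums, "", int(suffix[2:])
    return nums, suffix, None


def version_key(parsed):
    """Sortable key: 1.3.3rc2 < 1.3.3 < 1.3.3a < ... < 1.3.3g < 1.3.4rc1 < 1.3.4."""
    nums, letter, rc = parsed
    padded = nums + (0,) * (3 - len(nums))
    is_final = 0 if rc is not None else 1
    return padded, is_final, rc or 0, letter


def is_below_fixed(banner, fixed=FIXED_VERSION):
    """True if the banner advertises a version older than `fixed`, False if not,
    None if the line is not a ProFTPD greeting (or ServerIdent hides the version)."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    return version_key(parsed) < version_key(parse_banner("220 ProFTPD " + fixed))


# Constructed sample greetings; the first is the line quoted in the scan finding.
SAMPLE_BANNERS = [
    "220 ProFTPD 1.3.3e Server (ProFTPD server)",
    "220 ProFTPD 1.3.3g Server (ProFTPD server)",
    "220 ProFTPD 1.3.4rc1 Server (ProFTPD server)",
    "220 FTP Server ready.",
]


def check_banners(banners=SAMPLE_BANNERS):
    """Map each banner to True (flag), False (fixed or newer), or None (undetermined)."""
    return {b: is_below_fixed(b) for b in banners}
```

Run `check_banners()` against a captured greeting to see which lines a banner-based PCI check would flag; a None result means the version is not visible in the banner (for instance with `ServerIdent off`), which silences the scanner but does not by itself fix the daemon.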
