- Plesk Onyx for Linux
ProFTPD 1.3.5 is affected by the CVE-2015-3306 vulnerability. Does it mean that ProFTPD 1.3.5 shipped with Plesk is vulnerable too?
Note for non-technical readers: no, it is not affected.
Plesk Onyx 17.0 and 17.5 are shipped with the ProFTPD package 1.3.5d compiled without the "mod_copy" module and are therefore not vulnerable.
For example, Plesk Onyx 17.5 on CentOS 6:
# rpm -qa | grep psa-proftpd
# /usr/sbin/proftpd -V | grep -i configure | grep mod_copy
To make sure that ProFTPD is not vulnerable, check that the server rejects the SITE CPFR command:
# telnet localhost 21
Connected to localhost.
Escape character is '^]'.
220 ProFTPD 1.3.5 Server (ProFTPD) [::1]
site cpfr /etc/passwd
500 'SITE CPFR' not understood
Note: Plesk Onyx 17.8 and Obsidian are shipped with ProFTPD 1.3.6, which is built without the "mod_copy" module, and are therefore not vulnerable.
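The two checks above (build options and the SITE CPFR reply) can be scripted for auditing several servers. The following is an added example, not part of the original article or of Plesk; the function names and sample texts are constructed, and it goes slightly beyond the article by also flagging mod_copy loaded through a LoadModule line in proftpd.conf.

```shell
#!/bin/sh
# Added example: offline helpers for the two checks shown in the article.
# Function names and SAMPLE_* texts are constructed for illustration.

# stdin: output of `proftpd -V` or `proftpd -l`, or the text of proftpd.conf.
# Succeeds if mod_copy appears outside a comment (static build or LoadModule).
mod_copy_present() {
    sed 's/#.*$//' | grep -i 'mod_copy' >/dev/null
}

# stdin: FTP session transcript. Prints the first server reply after "site cpfr".
cpfr_reply() {
    awk 'tolower($0) ~ /^site cpfr / { seen = 1; next }
         seen && /^[0-9][0-9][0-9][ -]/ { print; exit }'
}

# $1: reply line. 500 = no handler for the command, so mod_copy is not loaded;
# 350 = mod_copy accepted the source path and waits for SITE CPTO;
# anything else needs a manual look.
classify_cpfr_reply() {
    case "$1" in
        500*) echo absent ;;
        350*) echo active ;;
        *)    echo inconclusive ;;
    esac
}

# $1 = build/config text, $2 = session transcript; prints a one-line verdict.
report() {
    if printf '%s\n' "$1" | mod_copy_present; then b=present; else b=absent; fi
    r=$(printf '%s\n' "$2" | cpfr_reply)
    echo "config=$b probe=$(classify_cpfr_reply "$r")"
}

# Constructed samples: a configure line without mod_copy, a config that loads
# it as a shared module, a commented-out LoadModule, and the article's session.
SAMPLE_BUILD='configure --prefix=/usr --with-modules=mod_tls:mod_quotatab --enable-dso'
SAMPLE_CONF='LoadModule mod_copy.c'
SAMPLE_CONF_COMMENTED='# LoadModule mod_copy.c'
SAMPLE_SESSION="220 ProFTPD 1.3.5 Server (ProFTPD) [::1]
site cpfr /etc/passwd
500 'SITE CPFR' not understood"

report "$SAMPLE_BUILD" "$SAMPLE_SESSION"
```

On a live server, pipe the real data in, for example `/usr/sbin/proftpd -V | mod_copy_present && echo "mod_copy found"`.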