Is ProFTPd Vulnerable on Ubuntu 14.04 LTS?


I have recently become aware of new (to me) attacks against ProFTPd on a Virtualmin Pro server running Ubuntu 14.04 LTS.


There is, apparently, no updated ‘proftpd’ package for Ubuntu 14.04 LTS and the included version is (apparently) vulnerable.

Is this something I should worry about?

Or does the Virtualmin implementation of ProFTPd mitigate this issue?

What have other Virtualmin admins done to mitigate this issue?

For now, I have commented out the mod_copy module in /etc/proftpd/modules.conf and restarted the daemon. I don’t know how successful this was nor do I know that it won’t cause problems for users. Has anyone else tried this?
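One way to confirm that the edit described above took effect at the configuration level, as an added example that is not part of the original post. The function names and sample files are constructed for illustration; the `LoadModule mod_copy.c` form is assumed from the stock Debian/Ubuntu `modules.conf`, and files pulled in by `Include` are not followed.

```shell
#!/bin/sh
# Added example: report whether a ProFTPd module file still actively loads mod_copy.

# list_active_loadmodules FILE
# Prints the module named by every uncommented LoadModule directive, lowercased.
list_active_loadmodules() {
    # Drop comments (whole-line and trailing), then match the directive name
    # case-insensitively so unusual capitalisation is still flagged.
    sed -e 's/#.*$//' "$1" |
        awk 'tolower($1) == "loadmodule" && NF >= 2 { print tolower($2) }'
}

# mod_copy_enabled FILE
# Returns 0 if FILE actively loads mod_copy.c, 1 otherwise.
mod_copy_enabled() {
    list_active_loadmodules "$1" | grep -qx 'mod_copy\.c'
}

# report FILE LABEL: print a one-line verdict for a config file.
report() {
    if mod_copy_enabled "$1"; then
        echo "$2: mod_copy is still loaded"
    else
        echo "$2: no active LoadModule line for mod_copy"
    fi
}

# demo: run the check on two constructed sample files (before and after the edit).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'LoadModule mod_ctrls_admin.c' 'LoadModule mod_copy.c' \
        > "$tmp/before.conf"
    printf '%s\n' 'LoadModule mod_ctrls_admin.c' '#LoadModule mod_copy.c' \
        > "$tmp/after.conf"
    report "$tmp/before.conf" "before edit"
    report "$tmp/after.conf" "after edit"
    rm -rf "$tmp"
}

# With a path argument, check that file; otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then
    report "$1" "$1"
else
    demo
fi
```

Run it with `/etc/proftpd/modules.conf` as the argument to check the live file. This only inspects the configuration: a module compiled statically into the binary would not appear there, and `proftpd -l` lists those.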

Virtualmin on Ubuntu does not mitigate the issue. It’s a bit more difficult to exploit since it needs a world-writable, predictable directory path. But if you have ProFTPd combined with that and a PHP interpreter, this is pretty disastrous.

I recently packaged the upstream fix as a backported patch for ProFTPd in 12.04 and 14.04. Please visit and indicate that you’re affected. It’s waiting on a member of the MOTU security team to review and sponsor my patch.