I’m running Virtualmin 3.82.gpl on Ubuntu Server 10.04.1 with proftpd-basic 1.3.2c-1ubuntu0.1 and I’m just wondering if this version is secure or if it still contains the security hole in the pr_netio_telnet_gets() function.
Judging by a log entry from the lucid-security team and the fact that I haven’t any available updates I would say (or better hope) it is secure but I’m a bit concerned that it isn’t…
If you have concerns about security issues like that, you can always browse to packages.ubuntu.com, look up the package in question, then check out the “Ubuntu Changelog” link on the right. The changelog would mention whether or not a security update was applied.
For example, the following is the changelog for proftpd in Lucid:
There is potentially another problem with proftpd (at least on CentOS). The log file xferlog in /var/log/ is wide open (644). You should check that on your system.
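The changelog check suggested in the reply above can be scripted; this is an added example, not part of the original thread. It parses Debian/Ubuntu changelog stanzas and reports whether the installed version sits at or above the first entry mentioning a search term. The package name, versions, function name and CVE id in the sample are constructed placeholders.

```python
import re

# Stanza header of a Debian/Ubuntu changelog: "package (version) dist; urgency=..."
HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=\S+")

# Constructed sample, newest entry first as in a real changelog.
# Package name, versions, function name and CVE id are placeholders.
SAMPLE = """\
examplepkg (1.0-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: stack overflow in example_gets()
    - CVE-0000-0000

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.0-1ubuntu0.1) lucid-security; urgency=low

  * Fix typo in init script.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
"""

def parse(text):
    """Return [(version, dist, body)] in file order (newest first)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m["ver"], m["dist"].strip(), []])
        elif entries and not line.startswith(" -- "):
            entries[-1][2].append(line)
    return [(v, d, "\n".join(b)) for v, d, b in entries]

def versions_mentioning(text, needle):
    """Versions whose entry mentions needle (case-insensitive)."""
    return [v for v, _, body in parse(text) if needle.lower() in body.lower()]

def installed_has_fix(text, installed, needle):
    """True/False by changelog position; None if the changelog cannot tell."""
    versions = [v for v, _, _ in parse(text)]
    hits = versions_mentioning(text, needle)
    if installed not in versions or not hits:
        return None
    # Newest first: the fix is included when the installed version is at or
    # above the oldest entry that mentions the term.
    return versions.index(installed) <= versions.index(hits[-1])
```

On a real system the input would be the package's own changelog, typically the decompressed /usr/share/doc/<package>/changelog.Debian.gz, and the installed version string as reported by dpkg.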