Wadester (Aspirant), Mar 17, 2011
ProFTPD 1.3.3 Server
According to the http://www.proftpd.org site, some variations of the 1.3.3 version of ProFTPD were compromised. Apparently the 1.3.3d version, which was released in December, contains the fix. When we log in, there is no subversion letter after 1.3.3. I also noticed the latest firmware for the ReadyNAS Pro is still 4.2.15 since October of last year -- which we have installed.
Does anyone know if the version in that Firmware release contains the version that's been compromised?? If so, is there any way (relatively simple way -- non-Linux geek here) to upgrade the ProFTPD Server?
12 Replies
- Xophile (Aspirant): I would like to know this as well, any thoughts?
- sphardy1 (Apprentice): ProFTPD version in 4.2.17, released May 2011:
ProFTPD Version: 1.3.3c (maint)
Scoreboard Version: 01040003
Built: Tue Nov 2 2010 12:59:15 PDT
Loaded modules:
mod_lang/0.9
mod_ctrls/0.9.4
mod_cap/1.0
mod_site_misc/1.4
mod_ban/0.5.5
mod_ifsession/1.0
mod_rewrite/0.8
mod_tls/2.4.1
mod_dynmasq/0.3
mod_auth_pam/1.1
mod_ident/1.0
mod_facts/0.1
mod_delay/0.6
mod_site.c
mod_log.c
mod_ls.c
mod_auth.c
mod_auth_file/0.8.3
mod_auth_unix.c
mod_xfer.c
mod_core.c
- Xophile (Aspirant): Sorry sphardy but I do not fully understand your reply. Could you please explain a bit further?
Thanks!
- sphardy1 (Apprentice): The question was with respect to what version of ProFTPD is installed on x86 ReadyNAS devices. I provided the answer for the latest firmware release at the time of my post (1.3.3.c).
According to the original post: "the 1.3.3d version, which was released in December, contains the fix"
I cannot give a definitive answer to the question "Does anyone know if the version in that Firmware release contains the version that's been compromised??" as I don't know - only Netgear does - but what do you conclude from the information we do have?
- Xophile (Aspirant): Ok, I understand!
I'm running an Ultra-4 with the latest firmware and my ProFTPD version is the same as yours (1.3.3.c).
On the main site these changes are listed:
1.3.3e
---------
+ Display messages work properly again.
+ Fixes plaintext command injection vulnerability in FTPS implementation
(i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for
details.
+ Fixes CVE-2011-1137 (badly formed SSH messages cause DoS). See
http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.
+ Performance improvements, especially during server startup/restarts.
1.3.3d
---------
+ Fixed sql_prepare_where() buffer overflow (Bug#3536)
+ Fixed CPU spike when handling .ftpaccess files.
+ Fixed handling of SFTP uploads when compression is used.
Do you know if it's easy to upgrade from the current 1.3.3.c to the latest 1.3.3.e using SSH?
- sphardy1 (Apprentice): I wouldn't recommend trying.
Netgear has been known to address specific issues with this software in the past, possibly meaning they have customised the install, and also not move to newer releases as quickly as expected due to problems they have encountered during testing, suggesting that simply compiling a new version of ProFTPD and expecting it to just work without any side effects may be risky.
Rather it would be more interesting to see if the recently released 4.2.18 has a newer version of ProFTPD. (Or to get a definitive response from Netgear to this question)
- Xophile (Aspirant): I installed firmware 4.2.18 a few minutes ago and the ProFTPD version is still the same 1.3.3.c.
- Wadester (Aspirant):
Xophile wrote: I installed firmware 4.2.18 a few minutes ago and the ProFTPD version is still the same 1.3.3.c.
I take it the upgrade went well? Which version did you upgrade from? I've been hesitant about the upgrade from the stories I've read here.
- PapaBear1 (Apprentice): I have not upgraded to 4.2.18 yet, and was hesitant about going to 4.2.16 or 4.2.17 and continued to run 4.2.12 on my two NVX units, until I did upgrade the backup to 4.2.17 on May 11. It went well. The main push behind upgrading was adding 3TB drives to the array. About two weeks later I upgraded the primary NVX as well. I have not had any problems.
Read the release notes and see if you need 4.2.18. If not, you can wait a while. But, under no circumstances try to go back to 4.2.15 or prior once you have upgraded to 4.2.16 or higher. There was a thread in which someone upgraded, then reinstalled his previous disk set and attempted to go back. He basically bricked his NAS, but Netgear was good enough to RMA the unit.
- Xophile (Aspirant): Wadester:
So far so good. I haven't experienced any issues at all. Anything in particular I should try out/verify for you?
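
The comparison the thread works through by hand (installed 1.3.3c against the 1.3.3d and 1.3.3e change lists), as an added example that is not part of any post and not NETGEAR or ProFTPD code. The function names are hypothetical, the change lists are the ones quoted in the thread, and the ordering of `rc` releases before the plain release is an assumption.

```python
import re

# Fix lists as quoted from the ProFTPD site in the thread above.
CHANGELOG = {
    "1.3.3d": [
        "sql_prepare_where() buffer overflow (Bug#3536)",
        "CPU spike when handling .ftpaccess files",
        "SFTP uploads when compression is used",
    ],
    "1.3.3e": [
        "Display messages",
        "plaintext command injection in FTPS / mod_tls (bug 3624)",
        "CVE-2011-1137: badly formed SSH messages cause DoS (bug 3586)",
        "performance improvements at startup/restart",
    ],
}

# Accepts "1.3.3", "1.3.3c", the thread's "1.3.3.c" spelling, and "1.3.3rc1".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|\.?([a-z])\b)?")

def version_key(text):
    """Sortable key: release candidates < plain release < lettered releases."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ProFTPD version in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):                       # e.g. 1.3.3rc1 (assumed to sort first)
        return (major, minor, patch, 0, int(m.group(4)))
    letter = m.group(5)                  # e.g. "c", or None for a bare 1.3.3
    return (major, minor, patch, 1, ord(letter) - ord("a") + 1 if letter else 0)

def installed_version(banner):
    """Pull the version out of the 'ProFTPD Version:' line of a version banner."""
    for line in banner.splitlines():
        if line.strip().startswith("ProFTPD Version:"):
            return version_key(line.split(":", 1)[1])
    raise ValueError("banner has no 'ProFTPD Version:' line")

def missing_fixes(banner):
    """Changelog entries for releases newer than the installed one."""
    have = installed_version(banner)
    return {rel: fixes for rel, fixes in CHANGELOG.items() if version_key(rel) > have}

# First lines of the banner sphardy1 posted for firmware 4.2.17.
BANNER = """ProFTPD Version: 1.3.3c (maint)
Scoreboard Version: 01040003
Built: Tue Nov 2 2010 12:59:15 PDT"""

if __name__ == "__main__":
    for release, fixes in missing_fixes(BANNER).items():
        print(release, "not included:", "; ".join(fixes))
```

The version string only identifies the upstream release the build is based on; as sphardy1 points out, Netgear may have customised its install, so this check cannot show whether individual fixes were backported.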