Article ID: 9318, created on Nov 15, 2010, last review on May 10, 2014

Applies to:
  • H-Sphere 3.3


hsphere-ftp in H-Sphere releases starting from 3.2 Patch 2 should be updated.


ProFTPD versions 1.3.2 (H-Sphere 3.2 Patch 2) and 1.3.2a (H-Sphere 3.3 and 3.4) contain a Telnet IAC stack overflow vulnerability (ZDI-CAN-925); the ProFTPD team fixed it in version 1.3.3c.

Additionally, ProFTPD 1.3.2c works around the SSL/TLS protocol renegotiation vulnerability (CVE-2009-3555).


Update to ProFTPD 1.3.2e with the patch from 1.3.3c applied to it. This new version is shipped in the new hsphere-ftp package (version 1.3.2-7).


To install the new package, use the CP or the installer/updater, and perform:

* a private update - on H-Sphere 3.2 Patch 2, e.g., with the following shell command:

sh U32.0P2 update hspackages private

* a private update - on H-Sphere 3.3 Patch 1, e.g., with the following shell command:

sh U33.0P1 update hspackages private

* a usual update - on H-Sphere 3.4, e.g., with the following shell command:

sh U34.0 update hspackages

NOTE: As usual, if you want to update only some of your physical boxes, you can specify their IP addresses at the end of the commands mentioned above, in the following format:



To verify that the package is properly installed, check the installer/updater output (it must say that hsphere-ftp version 1.3.2-7 is installed). You can also check the ProFTPD version on boxes with the following shell command:

proftpd --version

The version should be 1.3.2e.
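The verification step above as a small script, added here as an example and not part of the original article or of the H-Sphere tooling. It requires both values to match, because the article ships 1.3.2e with the 1.3.3c patch applied, so the package version is what identifies the patched build. The function names, status labels, and the wording of the sample version lines are assumptions.

```shell
#!/bin/sh
# Added example: classify one box from two strings collected on it.
#   $1 = output of `proftpd --version`
#   $2 = installed hsphere-ftp version as reported by the installer/updater
# Expected values come from the article: ProFTPD 1.3.2e, hsphere-ftp 1.3.2-7.
EXPECTED_PROFTPD="1.3.2e"
EXPECTED_PKG="1.3.2-7"

# Pull the first x.y.z[letter] token out of free-form version output.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+[a-z]?' | head -n 1
}

check_box() {
    ver=$(extract_version "$1")
    pkg=$2
    if [ -z "$ver" ]; then
        echo "UNKNOWN"          # version not parseable; inspect the box by hand
    elif [ "$ver" = "$EXPECTED_PROFTPD" ] && [ "$pkg" = "$EXPECTED_PKG" ]; then
        echo "UPDATED"
    elif [ "$ver" = "$EXPECTED_PROFTPD" ]; then
        # 1.3.2e alone does not identify the patched build; confirm the package
        echo "CHECK_PACKAGE"
    else
        echo "MISMATCH"         # not the version the article expects after update
    fi
}

# Constructed sample inputs (version-line wording and "1.3.2-5" are made up).
check_box "ProFTPD Version 1.3.2e" "1.3.2-7"
check_box "ProFTPD Version 1.3.2a" "1.3.2-5"
```

On a box, pass the real output as the first argument, e.g. `check_box "$(proftpd --version 2>&1)" "<package version>"`.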
