hsphere-ftp in H-Sphere releases starting from 3.2 Patch 2 should be updated.
ProFTPD versions 1.3.2 (H-Sphere 3.2 Patch 2) and 1.3.2a (H-Sphere 3.3 and 3.4) contain a vulnerability: a Telnet IAC stack overflow (ZDI-CAN-925); the ProFTPD team fixed it in version 1.3.3c.
Additionally, ProFTPD 1.3.2c works around the vulnerability found in the SSL/TLS protocol during renegotiation (CVE-2009-3555).
Update to ProFTPD 1.3.2e with the patch from 1.3.3c applied to it. This new version is shipped in the new hsphere-ftp package (version 1.3.2-7).
To install the new package, use CP or the installer/updater and perform:
* a private update - on H-Sphere 3.2 Patch 2, e.g., with the following shell command:
sh U32.0P2 update hspackages private
* a private update - on H-Sphere 3.3 Patch 1, e.g., with the following shell command:
sh U33.0P1 update hspackages private
* a usual update - on H-Sphere 3.4, e.g., with the following shell command:
sh U34.0 update hspackages
NOTE: As usual, if you want to update only some of your physical boxes, you can specify their IP addresses at the end of the commands mentioned above, in the following format:
To verify that the package is properly installed, check the installer/updater output (it must say that hsphere-ftp version 1.3.2-7 is installed). You can also check the ProFTPD version on the boxes with the following shell command:
The version should be 1.3.2e.
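As an added example (not part of this advisory), the following POSIX shell script classifies a box from the output of `proftpd -v`, which is assumed to print a line such as "ProFTPD Version 1.3.2e"; it flags the builds named above (1.3.2, 1.3.2a) and, more generally, any 1.3.3 build before the upstream fix in 1.3.3c. The version string alone cannot show whether the 1.3.3c patch was backported, so the hsphere-ftp package version (1.3.2-7) still has to be confirmed as described above.

```shell
#!/bin/sh
# Added example, not from the H-Sphere advisory: classify a box from the output
# of `proftpd -v` (assumed to print "ProFTPD Version 1.3.2e"). The version
# string cannot show whether the 1.3.3c patch was backported, so on H-Sphere
# also confirm that hsphere-ftp 1.3.2-7 is installed, as the advisory says.

# Turn a ProFTPD version such as 1.3.2e into a fixed-width sortable key: each
# numeric part is zero-padded, the suffix letter becomes 1..26 (0 if absent).
version_key() {
    v=$1
    num=${v%%[a-z]*}                 # 1.3.2
    letter=${v#"$num"}               # e, or empty
    n=0
    [ -n "$letter" ] && n=$(( $(printf '%d' "'$letter") - 96 ))   # a=1 ... z=26
    key=""
    oldifs=$IFS; IFS=.
    for part in $num; do key="$key$(printf '%03d' "$part")"; done
    IFS=$oldifs
    printf '%s%03d\n' "$key" "$n"    # 1.3.2e -> 001003002005
}

# True (exit 0) when ProFTPD version $1 is older than version $2.
version_lt() {
    a=$(version_key "$1"); b=$(version_key "$2")
    [ "$a" != "$b" ] && [ "$(printf '%s\n%s\n' "$a" "$b" | sort | head -n 1)" = "$a" ]
}

# Pull the version token out of `proftpd -v` output.
proftpd_version() {
    printf '%s\n' "$1" | sed -n 's/^ProFTPD Version \([0-9][0-9.]*[a-z]*\).*$/\1/p' | head -n 1
}

# Print "vulnerable", "fixed" or "unknown" for one box's `proftpd -v` output.
# Builds older than 1.3.2e are the ones this advisory replaces (1.3.2, 1.3.2a);
# 1.3.3 up to 1.3.3b predate the upstream fix; 1.3.3c and later carry it.
classify() {
    v=$(proftpd_version "$1")
    [ -n "$v" ] || { echo unknown; return 2; }
    if version_lt "$v" 1.3.2e; then
        echo vulnerable; return 1
    elif ! version_lt "$v" 1.3.3 && version_lt "$v" 1.3.3c; then
        echo vulnerable; return 1
    fi
    echo fixed
}

# Constructed sample output for the builds named in the advisory.
for out in "ProFTPD Version 1.3.2" "ProFTPD Version 1.3.2a" "ProFTPD Version 1.3.2e"; do
    echo "$out -> $(classify "$out")"
done
```

Feed it the real `proftpd -v` output from each box (for example over ssh) in place of the constructed sample lines.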