Proftpd source servers compromised - backdoor inserted in proftpd-1.3.3c source

[Mshaker]

Please see:
http://sourceforge.net/mailarchive/...00.1012011542220.12930@familiar.castaglia.org

Are the plesk microupdate or atomics psa-proftpd packages affected?

 

[Mshaker]

It seems that both atomics psa-proftpd rpms and plesks own micro-update are not affected by the compromise

 

[atomicturtle]

Definitely not. The source tar.gz's are also signed with proftpd's upstream GPG key, and part of our build system is an automatic validation against that key. Were it to have occurred when we built the 1.3.3c packages (October 29th) it would have failed right there.

Furthermore proftpd is one of the packages I personally maintain at atomicorp. Due to the number of modifications Ive made to it I have to go over all the changes from upstream to the source code manually to re-integrate my patches to it every time they make an update.

Last but not least, all atomicorp packages are signed with our GPG key before they go out. That private key does not live on any publicly accessible system, and furthermore aside from a copy kept in our safe (in case I get hit by a train) only I know the pass phrase to that key.