
Apache security Vulnerability/ Parallels Plesk Panel

mrweb

Basic Pleskian
Hi

I received an email on Sept. 1st from Parallels saying a patch will be available, but I see nothing on the update page.

When will the update be available?

Thanks for your support.
 
Thanks IgorG for your answer.
I don't understand why we can't apply the update in Plesk instead of making things so complicated.
 
Of course you can, but only if it is available. And note that for old Plesk versions the admin's Apache is also vulnerable, and you can't update it from the OS vendor's repository because it is Apache modified by Parallels.
 
Yes, but for now I don't see any update available.
I have Plesk 10.2.
Do you think we will get this update soon?
 
Are you sure that you have installed all available updates in Plesk Updater?
 
I'm sure... if I can believe Plesk Updater, it doesn't show me any new update.
How can I be sure?
Is there a way to check it?
Thanks for your help.
 
Do you have CentOS or another OS? If you have any other OS, update Apache from the OS vendor's repository.
 
I see:
Parallels Plesk Panel v10.2.0 os_CentOS 5
OS Linux 2.6.28.1-xxxx-std-ipv4-32

I just tried in SSH:
# /usr/local/psa/admin/bin/autoinstaller --select-release-current --upgrade-installed-components
Nothing happened :(

Can you help more please?
 
All actual information about this problem is here - http://kb.odin.com/en/112171
Two notes regarding the instructions on the page IgorG is referencing:

1) Regarding the curl command that you can use to check if your Apache install is affected by the vulnerability, be sure to change "example.com" to one of the domains that your Apache install is serving. Otherwise, you're checking whether or not example.com's Apache server has been patched, not yours. I almost missed this since the curl command is so long.

2) I'm on Plesk 10.2 and ran autoinstaller successfully. However, I see that the Apache version number (as reported by /usr/sbin/httpd -v) has not changed. Mine says (before and after autoinstaller was run):

Server version: Apache/2.2.3
Server built: May 4 2011 06:51:15

However, I *believe* I'm safe from the vulnerability since the curl command doesn't return "206 Partial Content" in the output (unfortunately I didn't check before running autoinstaller). I'm guessing that instead of upgrading Apache to a safe version (i.e., 2.2.20), the Plesk patch is changing the Apache config to disable the vulnerable functionality. It would be great to get confirmation of this.
 
Hi Luis,
could you tell me please what exactly you wrote to run the installer?
# /usr/local/psa/admin/bin/autoinstaller --select-release-current --upgrade-installed-components doesn't work for me.
 
Hi mrweb,

I do it a slightly more complicated way so I know exactly what the system is doing. Read carefully and use at your own risk! :)

Step 1: I change into the directory with the autoinstaller script
# cd /usr/local/psa/admin/bin

Step 2: I check all of the product releases that are available
# ./autoinstaller --show-all-releases
This will return a long list. Look for Plesk release IDs like PLESK_10_N_N.

Step 3: I look for updates for currently installed packages within my current version (in my case, 10.2.0 -- substitute your current Plesk release ID below or else you'll be doing an upgrade to a new version):
# ./autoinstaller --select-product-id plesk --select-release-id PLESK_10_2_0 --show-components
In this output, I look for any packages that say "[upgrade]". This means the specified package has an update available.

Step 4: If there are any installed packages with updates available, I update them:
# ./autoinstaller --select-product-id plesk --select-release-id PLESK_10_2_0 --upgrade-installed-components

Step 5: I'm paranoid so I usually reboot here (although I've never heard whether or not this is necessary) and redo step #3 (to make sure all the updates were installed).

(Optionally, you can upgrade to a new version of Plesk doing steps 3-5 with the desired Plesk release ID.)
 
Thanks a lot Luis!
I will try tomorrow and let you know if all is ok or... if my server said bye-bye :)
If you did that, I think my "own risks" should be limited :)
Thanks for your time.
 
Hi Luis,
I did like you but nothing is installed.
I have 10.2 like you and I did:
# /usr/local/psa/admin/bin/autoinstaller --select-release-id PLESK_10_2_0 --upgrade-installed-components
Nothing happened, and a few seconds after that WinSCP aborted.

I think I need to download the patch on my server but I don't know how to do it.
 
I'm afraid I really don't know. I believe WinSCP is a transfer program, so maybe your server can't talk to the Parallels server where the Plesk files are downloaded from? I'd check if your server is connected to the Internet and has a route to the Parallels server (unfortunately I don't know the hostname).
 
If your version of Apache is 2.2.3 then you should be all right, because according to the vulnerability report the affected versions only went up to 2.2.19 ... someone can correct me if I'm wrong.
 
I believe the vulnerability report said all versions through 2.2.19 were affected (including 2.2.3). 2.2.20 is the only 2.2.x release that has the fix.
 
So I must be reading version numbers wrong then, or don't understand them. "Through 2.2.19" would end at 2.2.20, and it would be my understanding that 2.2.3 would be a higher version than 2.2.19? It would be great if someone could shed some light on that reasoning, because I, for one, would really like to know.
 
If you look at http://www.eng.lsu.edu/mirrors/apache//httpd/CHANGES_2.2 you'll see that the versions have run like this:

2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
 
CentOS 5.6, Plesk 8.6.0

[root@xxx etc]# /usr/sbin/httpd -v
Server version: Apache/2.2.3
Server built: Apr 4 2010 17:18:37

Ok, so is this a Plesk version of Apache 2.2.3 that I'm seeing, or what? From what you're pointing out, the official Apache version is only at 2.2.20 right now?
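An added triage helper, not code from the thread or from Plesk, that puts the two points discussed above into working form: Apache versions compare component by component (so 2.2.3 is below 2.2.19 and both are below the 2.2.20 fix), and a vendor- or Plesk-built 2.2.3 can carry the fix without changing its version string, so only the 206 behaviour of the KB's range probe (sent to your own host, as Luis warns) tells you whether multi-range handling is still active. The `httpd -v` text and the probe responses are constructed samples; the 2.2.20 threshold is the one the thread states.

```python
import re

# Upstream release carrying the fix, as stated in the thread; every lower version
# is in the "through 2.2.19" affected range.
FIXED_VERSION = (2, 2, 20)

# Constructed sample of `httpd -v` output, modelled on what posters pasted.
HTTPD_V_SAMPLE = "Server version: Apache/2.2.3\nServer built: May 4 2011 06:51:15\n"

# Constructed samples of what `curl -i` would capture for the KB range probe.
# A 206 means the server still honours multi-range requests; anything else does not.
PROBE_206 = ("HTTP/1.1 206 Partial Content\r\nServer: Apache/2.2.3\r\n"
             "Content-Type: multipart/byteranges; boundary=x\r\n\r\n")
PROBE_200 = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nContent-Type: text/html\r\n\r\n"


def parse_httpd_version(output):
    """Extract (major, minor, patch) as integers from `httpd -v` output."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no Apache version found in output")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(version):
    """Tuple comparison is numeric per component: (2,2,3) < (2,2,19) < (2,2,20)."""
    return version < FIXED_VERSION


def probe_status(response):
    """Return the HTTP status code from the first line of a captured probe response."""
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", response)
    if not m:
        raise ValueError("malformed HTTP status line")
    return int(m.group(1))


def triage(httpd_v_output, probe_response):
    """Combine both signals. The version alone cannot clear a distro- or Plesk-built
    Apache, because fixes are backported without bumping 2.2.3; the probe decides."""
    version = parse_httpd_version(httpd_v_output)
    if probe_status(probe_response) == 206:
        return "vulnerable: server still honours multi-range requests"
    if version_in_affected_range(version):
        return "probably patched: affected version string, but probe did not return 206"
    return "patched: fixed upstream version and probe did not return 206"


if __name__ == "__main__":
    print(triage(HTTPD_V_SAMPLE, PROBE_206))  # vulnerable: ...
    print(triage(HTTPD_V_SAMPLE, PROBE_200))  # probably patched: ...
```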
 