
Apache security vulnerability / Parallels Plesk Panel

Discussion in 'Plesk 10.x for Linux Suggestions and Feedback' started by mrweb, Sep 3, 2011.

  1. mrweb

    mrweb Basic Pleskian

    17
    35%
    Joined:
    Nov 12, 2010
    Messages:
    38
    Likes Received:
    0
    Hi

    I received an email on Sept. 1st from Parallels saying a patch will be available, but I see nothing in the update page.

    When will the update be available?

    Thanks for your support
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,572
    Likes Received:
    1,243
    Location:
    Novosibirsk, Russia
  3. mrweb

    mrweb Basic Pleskian

    Thanks IgorG for your answer.
    I don't understand why we can't apply the update in Plesk instead of making things so complicated.
     
  4. IgorG

    IgorG Forums Analyst Staff Member

    Of course you can, but only if it is available. And note that for old Plesk versions the admin's Apache is also vulnerable, and you can't update it from the OS vendor's repository because it is an Apache modified by Parallels.
     
  5. mrweb

    mrweb Basic Pleskian

    Yes, but for now I don't see any update available.
    I have Plesk 10.2.
    Do you think we will get this update soon?
     
  6. IgorG

    IgorG Forums Analyst Staff Member

    Are you sure that you have installed all available updates in Plesk Updater?
     
  7. mrweb

    mrweb Basic Pleskian

    I'm sure... if I can believe Plesk Updater, it doesn't show me any new update.
    How can I be sure?
    Is there a way to check it?
    Thanks for your help
     
  8. IgorG

    IgorG Forums Analyst Staff Member

    Do you have CentOS or another OS? If you have any other OS, update Apache from the OS vendor's repository.
     
  9. mrweb

    mrweb Basic Pleskian

    I see:
    Parallels Plesk Panel v10.2.0 os_CentOS 5
    OS Linux 2.6.28.1-xxxx-std-ipv4-32

    I just tried over SSH:
    # /usr/local/psa/admin/bin/autoinstaller --select-release-current --upgrade-installed-components
    Nothing happened :(

    Can you help more, please?
     
  10. LuisN

    LuisN New Pleskian

    20
     
    Joined:
    Sep 20, 2009
    Messages:
    19
    Likes Received:
    0
    Two notes regarding the instructions on the page IgorG is referencing:

    1) Regarding the curl command that you can use to check if your Apache install is affected by the vulnerability, be sure to change "example.com" to one of the domains that your Apache install is serving. Otherwise, you're checking whether or not example.com's Apache server has been patched, not yours. I almost missed this since the curl command is so long.

    2) I'm on Plesk 10.2 and ran autoinstaller successfully. However, I see that the Apache version number (as reported by /usr/sbin/httpd -v) has not changed. Mine says (before and after autoinstaller was run):

    Server version: Apache/2.2.3
    Server built: May 4 2011 06:51:15

    However, I *believe* I'm safe from the vulnerability since the curl command doesn't return "206 Partial Content" in the output (unfortunately I didn't check before running autoinstaller). I'm guessing that instead of upgrading Apache to a safe version (i.e., 2.2.20), the Plesk patch is changing the Apache config to disable the vulnerable functionality. It would be great to get confirmation of this.
     
  11. mrweb

    mrweb Basic Pleskian

    Hi Luis,
    could you please tell me exactly what you typed to run the installer?
    # /usr/local/psa/admin/bin/autoinstaller --select-release-current --upgrade-installed-components doesn't work for me.
     
  12. LuisN

    LuisN New Pleskian

    Hi mrweb,

    I do it a slightly more complicated way so I know exactly what the system is doing. Read carefully and use at your own risk! :)

    Step 1: I change into the directory with the autoinstaller script
    # cd /usr/local/psa/admin/bin

    Step 2: I check all of the product releases that are available
    # ./autoinstaller --show-all-releases
    This will return a long list. Look for Plesk release IDs like PLESK_10_N_N.

    Step 3: I look for updates for currently installed packages within my current version (in my case, 10.2.0 -- substitute your current Plesk release ID below or else you'll be doing an upgrade to a new version):
    # ./autoinstaller --select-product-id plesk --select-release-id PLESK_10_2_0 --show-components
    In this output, I look for any packages that say "[upgrade]". This means the specified package has an update available.

    Step 4: If there are any installed packages with updates available, I update them:
    # ./autoinstaller --select-product-id plesk --select-release-id PLESK_10_2_0 --upgrade-installed-components

    Step 5: I'm paranoid so I usually reboot here (although I've never heard whether or not this is necessary) and redo step #3 (to make sure all the updates were installed).

    (Optionally, you can upgrade to a new version of Plesk doing steps 3-5 with the desired Plesk release ID.)
     
  13. mrweb

    mrweb Basic Pleskian

    Thanks a lot Luis!
    I will try tomorrow and let you know if all is OK or... if my server says bye-bye :)
    If you did that, I think my "own risks" should be limited :)
    Thanks for your time
     
  14. mrweb

    mrweb Basic Pleskian

    Hi Luis,
    I did it like you, but nothing is installed.
    I have 10.2 like you and I ran:
    # /usr/local/psa/admin/bin/autoinstaller --select-release-id PLESK_10_2_0 --upgrade-installed-components
    Nothing happened, and a few seconds later WinSCP aborted.

    I think I need to download the patch to my server, but I don't know how to do it.
     
  15. LuisN

    LuisN New Pleskian

    I'm afraid I really don't know. I believe WinSCP is a transfer program, so maybe your server can't talk to the Parallels server where the Plesk files are downloaded from? I'd check whether your server is connected to the Internet and has a route to the Parallels server (unfortunately I don't know the hostname).
     
  16. EricRB

    EricRB New Pleskian

    17
     
    Joined:
    Aug 30, 2011
    Messages:
    14
    Likes Received:
    0
    If your version of Apache is 2.2.3 then you should be alright, because according to the vulnerability report the affected versions only went up to 2.2.19... someone can correct me if I'm wrong.
     
  17. LuisN

    LuisN New Pleskian

    I believe the vulnerability report said all versions through 2.2.19 were affected (including 2.2.3). 2.2.20 is the only 2.2.x release that has the fix.
     
  18. EricRB

    EricRB New Pleskian

    So I must be reading version numbers wrong then, or I don't understand them: "through 2.2.19" would end at 2.2.20, and it would be my understanding that 2.2.3 would be a higher version than 2.2.19? It would be great if someone could shed some light on that reasoning, because I, for one, would really like to know.
     
  19. LuisN

    LuisN New Pleskian

    If you look at http://www.eng.lsu.edu/mirrors/apache//httpd/CHANGES_2.2 you'll see that the versions have run like this:

    2.2.1
    2.2.2
    2.2.3
    2.2.4
    2.2.5
    2.2.6
    2.2.7
    2.2.8
    2.2.9
    2.2.10
    2.2.11
    2.2.12
    2.2.13
    2.2.14
    2.2.15
    2.2.16
    2.2.17
    2.2.18
    2.2.19
    2.2.20
     
  20. EricRB

    EricRB New Pleskian

    CentOS 5.6, Plesk 8.6.0

    [root@xxx etc]# /usr/sbin/httpd -v
    Server version: Apache/2.2.3
    Server built: Apr 4 2010 17:18:37

    OK, so is this a Plesk version of Apache 2.2.3 that I'm seeing, or what? From what you're pointing out, the official Apache version is only at 2.2.20 right now?
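The two checks the thread goes back and forth on, as an added example (not code from the forum posts, Parallels or the Plesk KB page): comparing Apache version strings numerically, which is where posts 16-20 get confused (2.2.3 is older than 2.2.19, not newer), and reading the status of a Range probe response, which is what the curl command from post 10 shows and what LuisN relied on when the version string did not change after patching. The `httpd -v` output and HTTP responses below are constructed sample inputs; a real check would feed it the output of the curl command from the KB page.

```python
import re

FIRST_FIXED = (2, 2, 20)  # the thread states 2.2.20 is the first 2.2.x release with the fix


def parse_version(httpd_v_output):
    """Extract (major, minor, patch) from `httpd -v` output such as
    'Server version: Apache/2.2.3'. Tuples of ints compare numerically,
    so (2, 2, 3) < (2, 2, 19): 2.2.3 is the OLDER release, not the newer one."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if m is None:
        raise ValueError("no Apache/x.y.z version found in: %r" % httpd_v_output)
    return tuple(int(part) for part in m.groups())


def status_code(raw_response):
    """Status code from the first line of a raw HTTP response (bytes)."""
    status_line = raw_response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return int(status_line.split()[1])


def assess(httpd_v_output, raw_response):
    """Combine the two signals used in the thread:
    - version >= 2.2.20: fixed upstream, version string alone is enough;
    - otherwise, a response other than 206 to the Range probe means the server
      no longer honours it (consistent with a config-level mitigation that leaves
      the version string unchanged, as LuisN observed on Plesk 10.2);
    - otherwise an unfixed version still serves partial content for the probe."""
    if parse_version(httpd_v_output) >= FIRST_FIXED:
        return "fixed-upstream"
    if status_code(raw_response) != 206:
        return "mitigated-version-unchanged"
    return "likely-affected"


# Constructed sample inputs for the demo (not captured from a real server).
HTTPD_V_2_2_3 = "Server version: Apache/2.2.3\nServer built: May 4 2011 06:51:15\n"
HTTPD_V_2_2_20 = "Server version: Apache/2.2.20\n"
RESP_206 = b"HTTP/1.1 206 Partial Content\r\nContent-Type: multipart/byteranges\r\n\r\n"
RESP_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(parse_version(HTTPD_V_2_2_3) < parse_version("Apache/2.2.19"))  # True
    print(assess(HTTPD_V_2_2_3, RESP_206))   # likely-affected
    print(assess(HTTPD_V_2_2_3, RESP_200))   # mitigated-version-unchanged
    print(assess(HTTPD_V_2_2_20, RESP_206))  # fixed-upstream
```

Vendor builds such as the Parallels-modified Apache keep the upstream version string after a backported fix, so the version check alone is only conclusive when it says 2.2.20 or later; the probe result is the signal that matters on an older string.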
     