Critical Security Patch - Plesk 10.3.1

[ScottT]

Hello,

The critical security patch notification released 2/9/2012 suggests updating to Plesk 10.3.1 MicroUpdate #6 or later to resolve the vulnerability. My version of Plesk does not list MicroUpdate number. Instead Plesk gives this version: psa v10.3.1_build20110630.16. Is my version of Plesk vulnerable? Where do I find MicroUpdate number in Plesk 10.3.1? Thank you.

 

[rick.pri]

Hmmm, I'd like to know the answer to this too. I'd also like to know, if this is only a risk to Plesk Panel if access to the the control panel is publicly available.

 

[IgorG]

You can find number of installed microupdate with following command:

# cat /root/.autoinstaller/microupdates.xml

It is described in KB article Using Micro-Updates in Parallels Plesk Panel 9.x, 10.x, and Parallels Small Business Panel

 

[ScottT]

These instruction are for linux/unix. How do I find microupdate# in Windows?

 

[IgorG]

Look at C:\PleskInstaller\microupdates.xml

 

[ScottT]

My server does not have a PleskInstaller directory. I located microupdates.xml in another directory. Here are the contents:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="panel" version="10.3.1">
<patch version="10" timestamp="" />
</product>
</patches>

So, it appears I have MU #10 and my server is not vulnerable. Thanks for your help.

 

[IgorG]

Yes, you have installed this microupdate - http://kb.parallels.com/en/112463