• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved fault http_proxy or not impacted?

@SpAcEDeViL imho it's not correct way to fix it and to bad there is no official answer yet from Plesk.

Well here is the short quick fix:

Code: 
cat >> /etc/httpd/conf.d/a_httpoxy.conf <<EOF
# httpoxy fix jul 2017
<IfModule mod_headers.c>
   RequestHeader unset Proxy early
</IfModule>
EOF

And then:
Code: 
service httpd restart

Notes:
This fix only works if you use nginx with apache for PHP(fcgi). If your using NGINX and PHP-FPM this fix will not work and the fix should be done in NGINX.

About NGINX:
But getting it in NGINX is quiet some work. Well the actuall fix is easy for nginx, add:
proxy_set_header Proxy "";
in the location / directive of the vhost. Problem is that there There is no way to set the proxy_set_header Proxy directive globaly (to my knowledge). So to get it to work it needs
to be in every vhost config. You either have to make a custom nginx config template for Plesk or you have to wait till Plesk updates the vhost template.
 
Apache (search CVE-2016-5387) is already fixed by all Linux OS vendors:
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1421
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html
https://security-tracker.debian.org/tracker/CVE-2016-5387
https://www.suse.com/security/cve/CVE-2016-5387.html
https://rpmfind.net/linux/RPM/cento...httpd-tools-2.4.6-40.el7.centos.4.x86_64.html
https://rpmfind.net/linux/RPM/cento...ckages/httpd-2.2.15-54.el6.centos.x86_64.html
https://rpmfind.net/linux/RPM/centos/updates/5.11/x86_64/RPMS/httpd-2.2.3-92.el5.centos.x86_64.html

All workarounds, if you want to do this manually, are well described in https://httpoxy.org/

Workarounds for nginx (you are affected only if you use FPM application served by nginx PHP handler) and IIS (Plesk for Windows is affected) will be implemented in Plesk, I hope soon.
 
AndreyZ said:
Apache (search CVE-2016-5387) is already fixed by all Linux OS vendors:
[...] and IIS (Plesk for Windows is affected) will be implemented in Plesk, I hope soon.
Click to expand...
Any word yet on this and which versions of Plesk for Windows will be updates?
 
AndreyZ said:
Apache (search CVE-2016-5387) is already fixed by all Linux OS vendors:
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1421
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html
https://security-tracker.debian.org/tracker/CVE-2016-5387
https://www.suse.com/security/cve/CVE-2016-5387.html
https://rpmfind.net/linux/RPM/cento...httpd-tools-2.4.6-40.el7.centos.4.x86_64.html
https://rpmfind.net/linux/RPM/cento...ckages/httpd-2.2.15-54.el6.centos.x86_64.html
https://rpmfind.net/linux/RPM/centos/updates/5.11/x86_64/RPMS/httpd-2.2.3-92.el5.centos.x86_64.html

All workarounds, if you want to do this manually, are well described in https://httpoxy.org/

Workarounds for nginx (you are affected only if you use FPM application served by nginx PHP handler) and IIS (Plesk for Windows is affected) will be implemented in Plesk, I hope soon.
Click to expand...
ok, thank verify..
 
Upcoming MU will completely close this security issue on Linux and Windows Plesk versions.
 
You must log in or register to reply here.

Similar threads

G
Question WP installs are quarantined daily.
Replies
4
Views
620
Bobbbb
B
Liwindo
Issue Issue for nextcloud for sodium / argon2i on Ubuntu 18
Replies
3
Views
798
Hangover2
Hangover2
learning_curve
Resolved Plesk 18.0.52 System Updates / Extensions / Cron - Multiple Failures
Replies
7
Views
1K
floh
F
marvin
Issue IMAP requires security certificate? Maybe?
2 3
Replies
40
Views
4K
Peter Debik
P
G
Question MariaDB 10.6 — MySQL Tuner Questions!
Replies
12
Views
2K
zed2007
Z
Back
Top