How to implement RFC 5746 and fix CVE-2009-3555 on Plesk 10.3.1

thekman

We are currently running Plesk 10.3.1 and are aware of the need to update our server to fix CVE-2009-3555 (RFC 5746) SSL/TLS vulnerability. I have seen a few posts from last year when people tried to update Plesk 9 and found a raft of problems which were later resolved, however we are on 10.3.1 and still have this problem. I believe it has something to do with requiring the latest mod_ssl which is part of Apache 2, however my knowledge in this area is not great.

I have tried executing as root > yum update mod_ssl however I am told that no updates are available.

One thought I had is that like many people I too have Plesk 10.3.1 components that will not install and wondered if that might be the cause of why apache / mod_ssl isn't already updated.

It is very important to us to perform this update as our customers are complaining of warnings in Firefox's error console about our ecommerce website being vulnerable to MIM type attacks.

I would be grateful if someone from Plesk could confirm whether 10.3.1 should already have the latest apache / mod_ssl versions which implement RFC 5746. If you could also find a solution to the components not updating problem that would be great too.

Many thanks,
thekman.
 
I have now managed to update to the 10.3.1 components and they had no effect. If someone could please offer any advice on how we resolve this issue it would be much appreciated.
 
Plesk just uses whatever httpd and mod_ssl packages are provided by your OS vendor. So first question: what OS are you running?
 
Hi Breun,

Thanks for the reply. I am running CentOS 5; details from Plesk are as follows. I was under the impression that Plesk was responsible for the updating of Apache and modules etc., I take it that isn't the case. As I mentioned in my post, I did try to update mod_ssl etc. but it stated there were no updates.

CPU - AuthenticAMD, Quad-Core AMD Opteron(tm) Processor 2352
Version - Parallels Plesk Panel v10.3.1_build1013110726.09 os_CentOS 5
OS - Linux 2.6.18-028stab092.1

Many thanks.
 
I was under the impression that Plesk was responsible for the updating of Apache and modules etc, I take it that isn't the case.

You'll need to keep your OS up-to-date yourself and by default Plesk uses the httpd package provided by your OS vendor. (Unless you choose the option to use Apache with SNI support, I believe you get a custom httpd package from Parallels in that case.)

As I mentioned in my post, I did try to update mod_ssl etc but it stated there were no updates.

What versions do you have installed currently? Run rpm -q httpd mod_ssl to check.

According to http://www.redhat.com/security/data/cve/CVE-2009-3555.html the security update for httpd in EL5 was released in November 2009: https://rhn.redhat.com/errata/RHSA-2009-1579.html
 
Here are my versions, and yes, I think I am running Apache with SNI but for the life of me I cannot remember why. I am sure it had something to do at the time with how our SSL certificate was implemented but I will need to look into that.

httpd-2.2.21-11092115
mod_ssl-2.2.21-11092115

Many thanks.
 
SNI lets you use multiple SSL certificates on a single IP address. I don't know if Plesk's httpd/mod_ssl packages with SNI support contain a fix for CVE-2009-3555.
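Since the Plesk SNI build carries its own version string, the package version alone does not tell you whether the fix is in. The script below is an added example, not from this thread or from Plesk: it sends a minimal TLS 1.2 ClientHello carrying the SCSV and an empty renegotiation_info extension to the server and reports whether the ServerHello echoes renegotiation_info (RFC 5746 support). supports_secure_renegotiation returns True/False, or None if the server replied with something other than a ServerHello (an alert, for instance); the hostname and port are whatever you probe.

```python
import os
import socket
import struct

RENEG_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)
SCSV = 0x00FF        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite

def build_client_hello(host):
    # TLS 1.2 ClientHello: ECDHE/RSA suites plus SCSV, SNI and an empty renegotiation_info
    suites = struct.pack("!5H", 0xC02F, 0xC013, 0x009C, 0x002F, SCSV)
    name = host.encode()
    sni = struct.pack("!HBH", 3 + len(name), 0, len(name)) + name       # host_name list entry
    exts = (struct.pack("!HH", 0x0000, len(sni)) + sni                  # server_name
            + struct.pack("!HHB", RENEG_INFO, 1, 0)                     # empty renegotiation_info
            + struct.pack("!HHHHH", 0x000A, 6, 4, 0x0017, 0x0018)       # supported_groups: P-256, P-384
            + struct.pack("!HHBB", 0x000B, 2, 1, 0)                     # ec_point_formats: uncompressed
            + struct.pack("!HHHHH", 0x000D, 6, 4, 0x0401, 0x0201))      # signature_algorithms: RSA SHA256/SHA1
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                      # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"    # suites, null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # TLS record header

def server_hello_extensions(record):
    """Extension types of the ServerHello in this record; None if it is not a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 42 or hs[0] != 0x02:           # 4-byte header + minimal 38-byte ServerHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 35 + body[34] + 3                     # skip version, random, session_id, suite, compression
    if pos + 2 > len(body):
        return set()                            # no extension block at all: pre-RFC 5746 server
    end = min(len(body), pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0])
    pos, exts = pos + 2, set()
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts.add(etype)
        pos += 4 + elen
    return exts

def supports_secure_renegotiation(host, port=443, timeout=5):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        f = s.makefile("rb")
        head = f.read(5)                        # record header, then exactly the record body
        data = head + f.read(struct.unpack("!H", head[3:5])[0]) if len(head) == 5 else head
    exts = server_hello_extensions(data)
    return None if exts is None else RENEG_INFO in exts
```

Run it as supports_secure_renegotiation("your.host") against the Plesk server; a False result means the patched httpd/mod_ssl is not actually in use, whatever rpm -q reports.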
 