1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

HTTPOXY security vulnerability

Discussion in 'Official Announcements' started by custer, Aug 1, 2016.

  1. custer

    custer Administrator Staff Member

    33
     
    Joined:
    Apr 24, 2007
    Messages:
    593
    Likes Received:
    101
    Hi everyone,

    As some of you might know, there was a new security vulnerability for server-side web applications discovered recently. It's called HTTPOXY -- we suggest you to visit https://httpoxy.org/ to learn more details about it in general.

    In response to this security vulnerability we've released 3 updates:
    Plesk 12.0 MU #88 - updates PHP packaged by Plesk team
    Plesk 12.5 MU #41 - updates PHP packaged by Plesk team
    Plesk 12.5 MU #42 - fixes the issues with IIS, FPM applications served by nginx and Plesk itself.

    Apache updates have already been released by OS vendors, be sure to install them as well.

    Obviously, we strongly recommend installing Plesk updates ASAP. We've also prepared a KB article that explains the vulnerability in details, explains how to update Apache, and, most importantly, lists the workarounds available for you if you cannot install the MUs. Here's the KB: https://kb.plesk.com/en/129391

    Stay safe!
     
  2. trialotto

    trialotto Golden Pleskian Plesk Guru

    37
     
    Joined:
    Sep 28, 2009
    Messages:
    1,445
    Likes Received:
    206
    @custer, @Everyone,

    It really is important to install the latest Apache packages.

    Run "yum update" or "apt-get update && apt-get upgrade" (on Ubuntu/Debian).

    The micro-updates do resolve some (but not all) configuration issues, but if Apache is not updated, the improved (and secure) Nginx configuration still allows for the HTTPoxy issue.

    In short, check that you have the latest Apache update, see https://kb.plesk.com/en/129391 (and click on the links corresponding to your OS).

    Regards....
     
    themew and custer like this.
Loading...