MAJOR security fix released for Plesk 9 (and 10)

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by Hostasaurus.Com, Oct 8, 2012.

  1. Hostasaurus.Com (Regular Pleskian)

    Hope others in the forum find this post before they get hacked. Parallels has sent no notice about this to Plesk users but a microupdate #24 was released three days ago to fix what is described as "major security fixes" to 9.5.4:

    http://kb.parallels.com/114891

    There appear to be two public-facing php files (index.php, login_up.php) that are replaced and eight other Plesk admin-related files replaced.

    v10 users should verify that they got microupdate 43 and 44 too, hopefully automated:

    http://download1.parallels.com/Ples...el-10-linux-updates-release-notes.html#104444

  2. IgorG (Forums Analyst, Staff Member)

    You are wrong. 9.5.4 MU#24 was announced on 4.10.2012 via the RSS and Twitter channels.

  3. Hostasaurus.Com (Regular Pleskian)

    Just to confirm you're actually serious, are you saying the company's current official method of letting its customers know there's a MAJOR security issue is RSS and twitter? You realize that is in direct contrast to what your support people tell the customers right? And if that's the case, you never let your customers know a change in the method in which you announce security updates had occurred. I'm really getting sick of this.

  4. Hostasaurus.Com (Regular Pleskian)

    To expand on that, this is the specific text that has been sent to me by two different people in support and one account manager over the span of two months earlier this year:

    Notice it says "always". It does not say "sometimes we'll send via this mailing list, sometimes we'll post it on twitter, sometimes we might do an RSS update, or maybe we will issue a CVE five months after the issue, or perhaps we just won't tell you." It says always, so either they lied to me and it's not always, or someone changed the policy and didn't bother to tell those of us who pay for your product.

  5. IgorG (Forums Analyst, Staff Member)

    Why are you not subscribed to the RSS feed, which is on the Plesk main page?
    Why are you not a follower of the Plesk Service Team Twitter account?
    Why do you not read the forum announcements?

  6. Hostasaurus.Com (Regular Pleskian)

    I have stated twice now that I was told multiple times by support and account staff at your company that the one and only official method of receiving notices of security updates is by the mailing list, that I already quoted for you. So are they lying to me, are you lying to me or does no one there have any idea how security notices are sent? Please go on the record right now and tell me that with no question, security updates are no longer sent via the mailing list and that they are only sent via a twitter account. If that is the case then I will inform your support department and our account manager that they are both completely incorrect. If that is not the case, then you are incorrect AND someone screwed up by not sending any of these updates via the mailing list.
    Last edited: Oct 9, 2012
  7. DenitS (New Pleskian)

    Does anyone know what the major security issue is exactly?

  8. IgorG (Forums Analyst, Staff Member)

    I strongly recommend you use the RSS feed channel as the most comprehensive and authoritative source of information on all matters relating to Plesk.
    Also, all news from the RSS feed is automatically duplicated in our Twitter and Facebook.

  9. IgorG (Forums Analyst, Staff Member)

    When we fix a well-known security issue we publish the corresponding CVE. When we fix a security issue which was found with the help of an internal audit we can't provide any information, because it is a security question and we do not want to give any hint to intruders. But we provide an indicator for customers - Minor, Major or Critical security update. I think it is enough for most customers for making a decision about the importance of this security MU.

  10. Hostasaurus.Com (Regular Pleskian)

    Just wanted to refresh the thread for anyone in the Plesk 9 forum to see; a new critical security update came out yesterday. It was not emailed yet again. I noticed it did get posted to the service team twitter feed. I do find it pretty funny that there are only 17 people following that twitter feed yet Parallels feels it is an official method of notification. Why email your customers about security issues when you can post them to a twitter feed no one is following....

  11. IgorG (Forums Analyst, Staff Member)

    You are wrong. We have 163 followers, not 17.
    And the official method of notification is the RSS feed. All initial notifications in RSS are synchronized automatically to Twitter and Facebook.
    So use the RSS feed as our official channel (~3500 subscribers).
    Last edited: Oct 26, 2012
  12. Hostasaurus.Com (Regular Pleskian)

    Ah, looks like 164 now, congrats on picking up an additional subscriber since yesterday.

    So you honestly think that the majority of your customers currently subscribe to your RSS feed and/or twitter? If you do not think that, which I can't imagine anyone would, you are doing a disservice to your customers by not emailing them security notices. You have their email addresses, there is simply no justifiable reason to not email them. You just posted a remotely exploitable vulnerability; what possible reason do you have for not putting forth the effort to notify users of your software in every way possible to help prevent them from being exploited?!