
MySQL 0-day vulnerabilities

Discussion in 'Official Announcements' started by custer, Sep 14, 2016.

  1. custer

    custer Administrator Staff Member

    Hi everyone,

    Two zero-day security vulnerabilities were recently reported for MySQL, Percona and MariaDB (link).

    To read the latest information regarding how it can affect you and what can be done, refer to the following KB article: https://kb.plesk.com/en/129745. The article will be updated after the corresponding Plesk MUs are released later this week.

    Thank you for your attention and stay safe.
     
  3. MARS_NETWORKS

    MARS_NETWORKS New Pleskian


    Hello

    Should we do exactly the same thing for Plesk 11?

    Thanks for your answer
     
  4. custer

    custer Administrator Staff Member

    We're planning to release a MU for Plesk 11.5 that fixes this issue on affected systems.
     
  5. trialotto

    trialotto Golden Pleskian Plesk Guru

    @custer and @Everyone,

    On Ubuntu the following

    does NOT ALWAYS apply!

    Depending on the upgrade settings, the mysql server packages are upgraded to a patched (Ubuntu) package.

    In essence, if the checkbox

    Automatically install updates for third-party components (such as MySQL and phpMyAdmin)

    is not checked (see "Tools & Settings > Update and upgrade settings"), then the patched (Ubuntu) packages will not be installed with the aforementioned micro-updates.

    In the latter case, a manual installation with (the command)

    apt-get update && apt-get install mysql-server mysql-server-5.5 mysql-client-core-5.5 libmysqlclient18:amd64

    is required.

    Moreover, if the aforementioned checkbox is checked, then the following packages

    - mysql-client-core-5.5
    - libmysqlclient18:amd64

    are not updated to a patched (Ubuntu) package when installing the aforementioned micro-updates.

    To update these (two) packages, simply run the command: apt-get update && apt-get install mysql-client-core-5.5 libmysqlclient18:amd64

    Finally, some remarks have to be made with respect to step 4 in KB129745:

    a) one should execute step 4; it is NOT sufficient to rely on the aforementioned micro-updates,

    b) when executing step 4.a, it will show at least one account:

    - one account is a system account, do not be alarmed by that,
    - other accounts should be checked and, in most cases, should be removed,

    c) when executing step 4.b, you

    - will see that /etc/my.cnf already has the appropriate owner, group and permissions, but it can do no harm to check,
    - CAN create the empty (.)my.cnf files, as suggested, but it is recommended to have none of these files at all: the general idea is to have (empty) files that block the creation of other my.cnf files (which is a good approach), but any successful hack that allows root login will also allow alteration of multiple config files (that are all read by mysql server), making it harder to detect malicious changes to the configuration of mysql server (in contrast, having only /etc/my.cnf as config file makes it very easy to detect changes in configuration).

    Hope the above helps!

    Regards......

    PS For the interested reader, the patched (Ubuntu) packages can be found on: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6662.html
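
    One way to turn the last point of trialotto's post into a routine check: the shell function below is an added example (not from this thread or from Plesk's KB) that lists the option files a MySQL/MariaDB server reads, accepts only the one canonical file (default /etc/my.cnf) as a carrier of configuration, treats any other existing file as either an empty placeholder or something to review, and flags a canonical file with unexpected ownership or group/world-writable permissions. The root prefix argument, the expected owner and the datadir /var/lib/mysql are assumptions so that the check can be run against a staged directory tree.

```shell
#!/bin/sh
# Added example, not the thread's or Plesk's own code: audit the set of MySQL
# option files so that a changed or newly created my.cnf stands out.
# Usage: audit_mysql_cnf [root_prefix] [owner:group] [canonical_file]
#   root_prefix    hypothetical prefix, lets the check run against a staged tree
#   owner:group    expected owner of the canonical file (default root:root)
#   canonical_file the single file allowed to carry configuration
# Exit status is 0 only when nothing needs attention.
audit_mysql_cnf() {
  root="${1:-}"; owner="${2:-root:root}"; canon="${3:-/etc/my.cnf}"
  rc=0
  # Locations a stock MySQL/MariaDB server reads on Linux, plus the service
  # account's ~/.my.cnf under the datadir (assumed here to be /var/lib/mysql).
  for f in /etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /var/lib/mysql/.my.cnf; do
    p="$root$f"
    [ -e "$p" ] || [ -L "$p" ] || continue
    if [ -L "$p" ]; then        # a symlink can redirect the server elsewhere
      echo "REVIEW $f symlink -> $(readlink "$p")"; rc=1; continue
    fi
    own=$(stat -c '%U:%G' "$p"); mode=$(stat -c '%a' "$p"); size=$(stat -c '%s' "$p")
    if [ "$f" = "$canon" ]; then
      # Leading 0 makes the mode octal; 022 masks the group/other write bits.
      if [ "$own" != "$owner" ] || [ $((0$mode & 022)) -ne 0 ]; then
        echo "BAD $f $own $mode (expected $owner, not group/world-writable)"; rc=1
      else
        echo "OK $f $own $mode"
      fi
    elif [ "$size" -eq 0 ]; then
      echo "PLACEHOLDER $f"     # empty file reserving the name, as the KB suggests
    else
      echo "REVIEW $f $size bytes of unexpected configuration"; rc=1
    fi
  done
  return $rc
}
```

    Run it from cron or a configuration-management job and alert on any non-zero exit; on Ubuntu, where the main config lives in /etc/mysql/my.cnf, pass that path as the third argument.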
     
  6. custer

    custer Administrator Staff Member

    For those who are using Ubuntu: you need to install MySQL updates using native OS means (apt), since we have never released our own MySQL builds for Ubuntu. In other words, Plesk on Ubuntu is always using OS-supplied MySQL.
     
  8. custer

    custer Administrator Staff Member

    Hi everyone,

    Plesk 11.0.9 MU#64 & Plesk 11.5.30 MU#55 are now available.

    Plesk 11.0.9 MU#64: https://kb.plesk.com/en/123799
    Plesk 11.5.30 MU#55: https://kb.plesk.com/en/129827

    These updates address the latest MySQL vulnerability.

    With the release of these updates, all MySQL 5.5 server builds released by the Plesk team are patched for all non-EOLed Plesk versions.
     