• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

MySQL 0-day vulnerabilities

custer

custer

Administrator
Staff member
Hi everyone,

Two zero-day security vulnerabilities were recently reported for MySQL, Percona and MariaDB (link).

To read the latest information regarding how it can affect you and what can be done, refer to the following KB article: https://kb.plesk.com/en/129745. The article will be updated after the corresponding Plesk MUs will be released later this week.

Thank you for your attention and stay safe.
 
custer said:
Hi everyone,

Two zero-day security vulnerabilities were recently reported for MySQL, Percona and MariaDB (link).

To read the latest information regarding how it can affect you and what can be done, refer to the following KB article: https://kb.plesk.com/en/129745. The article will be updated after the corresponding Plesk MUs will be released later this week.

Thank you for your attention and stay safe.
Click to expand...


Hello

Should we do exactly the same thing for Plesk(s) 11 ?

Thanks for your answer
 
@custer and @Everyone,

On Ubuntu the following

custer said:
We have released Plesk 12.5.30 MU#47 and 12.0.18 MU#91 to address this issue.
Click to expand...

does NOT ALWAYS apply!

Depending on the upgrade settings, the mysql server packages are upgraded to a patched (Ubuntu) package.

In essence, if the checkbox

Automatically install updates for third-party components (such as MySQL and phpMyAdmin)

is not checked (see "Tools & Settings > Update and upgrade settings"), then the patched (Ubuntu) packages will not be installed with the before mentioned micro-updates.

In the latter case, a manual installation with (the command)

apt-get update && apt-get install mysql-server mysql-server-5.5 mysql-client-core-5.5 libmysqlclient18:amd64

is required.

Moreover, if the before mentioned checkbox is checked, then the following packages

- mysql-client-core-5.5
- libmysqlclient18:amd64

are not updated to a patched (Ubuntu) package, when installing the before mentioned micro updates.

To update these (two) packages, simply run the command: apt-get update && apt-get install mysql-client-core-5.5 libmysqlclient18:amd64

Finally, some remarks have to be made with respect to step 4 in KB129745:

a) one should execute step 4, it is NOT sufficient to rely on the before mentioned micro-updates,

b) when executing step 4.a, it will show at least one account:

- one account is a system account, do not be alarmed by that,
- other accounts should be checked and, in most cases, should be removed,

c) when executing step 4.b, you

- will see that /etc/my.cnf already has the appropriate owner, group and permissions, but it can do no harm to check,
- CAN create the empy (.)my.cnf files, as suggested, but is recommended to have none of these files at all: the general idea is to have (empty) files that block the creation of other my.cnf files (which is a good approach), but any successful hack that allows root login will also allow alteration of multiple config files (that are all read by mysql server), making it harder to detect malicious changes to the configuration of mysql server (in contrast, having only /etc/my.cnf as config file, makes it very easy to detect changes in configuration).

Hope the above helps!

Regards......

PS For the interested reader, the patched (Ubuntu) packages can be found on: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6662.html
 
For those who are using Ubuntu: you need to install MySQL updates using native OS means (apt), since we have never released our own MySQL builds for Ubuntu. In other words, Plesk on Ubuntu is always using OS-supplied MySQL.
 
You must log in or register to reply here.

Similar threads

Talistech
Resolved Backups failing since a couple days: Unable to run the backup agent
Replies
1
Views
3K
Talistech
Talistech
G
Resolved freh installation on Ubuntu 20.04 - need MariaDB Update to 10.5 (from standard 10.3)
Replies
9
Views
4K
mow
M
A
Issue Error in plesk update
Replies
0
Views
920
Andrew B
A
custer
HTTPOXY security vulnerability
Replies
1
Views
10K
trialotto
T
Servus
Question MySQL 5.7 my.cnf problem (default plesk)
Replies
5
Views
12K
Servus
Servus
Back
Top