MySQL 0-day vulnerabilities

custer

Administrator
Staff member
Hi everyone,

Two zero-day security vulnerabilities were recently reported for MySQL, Percona and MariaDB (link).

To read the latest information regarding how it can affect you and what can be done, refer to the following KB article: https://kb.plesk.com/en/129745. The article will be updated after the corresponding Plesk MUs are released later this week.

Thank you for your attention and stay safe.

Hello

Should we do exactly the same thing for Plesk(s) 11?

Thanks for your answer
 
@custer and @Everyone,

On Ubuntu the following

We have released Plesk 12.5.30 MU#47 and 12.0.18 MU#91 to address this issue.

does NOT ALWAYS apply!

Depending on the upgrade settings, the mysql server packages are upgraded to a patched (Ubuntu) package.

In essence, if the checkbox

Automatically install updates for third-party components (such as MySQL and phpMyAdmin)

is not checked (see "Tools & Settings > Update and upgrade settings"), then the patched (Ubuntu) packages will not be installed with the before mentioned micro-updates.

In the latter case, a manual installation with (the command)

apt-get update && apt-get install mysql-server mysql-server-5.5 mysql-client-core-5.5 libmysqlclient18:amd64

is required.

Moreover, if the before mentioned checkbox is checked, then the following packages

- mysql-client-core-5.5
- libmysqlclient18:amd64

are not updated to a patched (Ubuntu) package, when installing the before mentioned micro-updates.

To update these (two) packages, simply run the command: apt-get update && apt-get install mysql-client-core-5.5 libmysqlclient18:amd64

Finally, some remarks have to be made with respect to step 4 in KB129745:

a) one should execute step 4, it is NOT sufficient to rely on the before mentioned micro-updates,

b) when executing step 4.a, it will show at least one account:

- one account is a system account, do not be alarmed by that,
- other accounts should be checked and, in most cases, should be removed,

c) when executing step 4.b, you

- will see that /etc/my.cnf already has the appropriate owner, group and permissions, but it can do no harm to check,
- CAN create the empty (.)my.cnf files, as suggested, but it is recommended to have none of these files at all: the general idea is to have (empty) files that block the creation of other my.cnf files (which is a good approach), but any successful hack that allows root login will also allow alteration of multiple config files (that are all read by mysql server), making it harder to detect malicious changes to the configuration of mysql server (in contrast, having only /etc/my.cnf as config file makes it very easy to detect changes in configuration).

Hope the above helps!

Regards......

PS For the interested reader, the patched (Ubuntu) packages can be found on: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6662.html
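The two checks from step 4 that the reply above discusses (accounts to review, and the ownership and permissions of the my.cnf files) as an added defender-side script; it is not from the thread or the Plesk KB. It assumes the listed config paths, that step 4.a refers to accounts holding the FILE privilege (as in the public CVE-2016-6662 advisory), and that the mysql client can authenticate without a prompt.

```shell
#!/bin/sh
# Added example (not Plesk's or the KB's code). Config files MySQL reads; which of
# these exist depends on the distribution. Assumed paths.
MYCNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf"

# check_mycnf_perms FILE [OWNER]
# Returns 0 if FILE is absent (nothing to tamper with) or is owned by OWNER
# (default root) and not writable by group or others; otherwise prints why and
# returns 1. Parses `ls -ld`, so paths must not contain whitespace.
check_mycnf_perms() {
    f="$1"; want_owner="${2:-root}"
    [ -e "$f" ] || return 0
    set -- $(ls -ld "$f")           # e.g. -rw-r--r-- 1 root root 1234 ... /etc/my.cnf
    perms="$1"; owner="$3"
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, expected $want_owner"
        return 1
    fi
    case "$perms" in
        # 6th char = group write bit, 9th char = other write bit
        ?????w*|????????w*) echo "$f: writable by group or others ($perms)"; return 1 ;;
    esac
    return 0
}

# Runs check_mycnf_perms over every path in MYCNF_PATHS; returns 1 if any fails.
audit_mycnf() {
    rc=0
    for p in $MYCNF_PATHS; do
        check_mycnf_perms "$p" || rc=1
    done
    return $rc
}

# Prints every account holding the FILE privilege. Expect the system account the
# reply mentions (typically root@localhost); review and, where unneeded, revoke the
# rest. Assumes `mysql` authenticates non-interactively (e.g. root via socket auth).
list_file_priv_accounts() {
    mysql -N -e "SELECT CONCAT(User, '@', Host) FROM mysql.user WHERE File_priv = 'Y'"
}

if [ "${1:-}" = "--run" ]; then
    audit_mycnf
    list_file_priv_accounts
fi
```

Run it with `--run` as root on the server; a non-zero exit from audit_mycnf means at least one config file needs `chown root:root` and `chmod 644`.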
 
For those who are using Ubuntu: you need to install MySQL updates using native OS means (apt), since we have never released our own MySQL builds for Ubuntu. In other words, Plesk on Ubuntu is always using OS-supplied MySQL.
 