
OpenSSL Security Leak for PSA Environment

g4marc

Basic Pleskian
Because of the Heart-Bleeding issue I just updated my OpenSSL versions on our servers, but I recognize that Plesk works in its own environment, so we have to wait for an update for Plesk?
The customer domains are fixed after this update, but not the login over the std.-Plesk link!
I tested it with the Plesk login and port 8443 at this site: http://filippo.io/Heartbleed/ and get this vulnerable issue.

So is there a micro-update or something to fix this issue?

THX
Marc
 
So this depends on your OS first. EL5 (RHEL/CentOS/Cloudlinux) is not affected by this vulnerability unless you had upgraded to the Plesk-distributed httpd & openssl to support SNI. If you had done this, then yes, you will need to get an updated openssl for that system from Parallels, and change your certificates in both httpd and the Plesk daemon.

If you are using EL6 (RHEL/CentOS/Cloudlinux), the Plesk daemon (sw-cp-serverd) is linked against the OS's openssl library. Updating to the latest version from the OS updates channel (openssl-1.0.1e-16.el6_5.7) would resolve the vulnerability, and you would need to update your certificates.

Also note that other services that implement TLS are affected by this; that includes courier-imap, dovecot (Plesk 12), qmail, and postfix. Certificates for all these services would need to be updated as well. OpenSSH is *not* affected.
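
The EL6 case from the reply above as a post-update check, added here as an example (it is not part of the thread and not Plesk or Parallels code). It compares the installed openssl build with the one named in the reply and lists processes that still have the replaced library mapped, since a running daemon keeps using the old copy until it is restarted. Assumptions: the function names are made up for this example, and `sort -V` is used as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example: post-update checks for an EL6 Plesk host.
# FIXED_BUILD is the package build named in the reply above.
FIXED_BUILD="1.0.1e-16.el6_5.7"

# Return 0 if version-release $1 is at least $2.
# Assumption: GNU "sort -V" orders el6 openssl builds the same way RPM does.
build_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Return 0 if the file $1 (same format as /proc/<pid>/maps) shows a libssl or
# libcrypto that has been replaced on disk but is still mapped by the process.
maps_has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Print "pid command" for every process still running the old library.
# This covers sw-cp-serverd, httpd and the mail daemons without naming them.
list_stale_processes() {
    for stale_maps in /proc/[0-9]*/maps; do
        if maps_has_stale_openssl "$stale_maps"; then
            stale_pid=${stale_maps#/proc/}
            stale_pid=${stale_pid%/maps}
            echo "$stale_pid $(ps -o comm= -p "$stale_pid" 2>/dev/null)"
        fi
    done
}

check_host() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl) || return 2
    if build_at_least "$installed" "$FIXED_BUILD"; then
        echo "openssl $installed: at or above $FIXED_BUILD"
    else
        echo "openssl $installed: older than $FIXED_BUILD, update first"
    fi
    echo "Processes to restart (still mapping the old OpenSSL):"
    list_stale_processes
}

# Run as root with "--check" so every process's maps file is readable.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

An empty process list after restarting the services is the point at which replacing the certificates, as the reply advises, makes sense.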
 