When Plesk sends a notification about a “critical security update”, the only information we receive is the short message shown on the changelog. There is no CVE, no affected component, and no severity score.
Looking at the inf3 files in the autoinstall directory, it’s difficult to determine which specific change addresses the reported security issue. The files often cover many package updates at once, making it unclear what the actual security fix is.
For a professional control panel in this price range, this level of detail feels insufficient. Server administrators need this information to:
- Understand the actual risk
- Plan maintenance properly
- Decide how urgent an update really is
- Check whether existing security measures already cover the issue
- CVE identifiers
- Affected components
- CVSS scores
- A short description of the impact
- Publish a short security bulletin for each critical update
- Offer a dedicated mailing list for security announcements
- Add at least CVE references and affected components to the release notes
A security mailing list would help all administrators, regardless of how their license was purchased, and would make security notifications easier to follow.
This would be a simple but meaningful improvement.