Question: Recent Nginx Security Issues - Anything Similar With Plesk's Own Nginx Packages?

learning_curve

Silver Pleskian
A couple of days ago, Nginx identified some issues, which they have fixed by releasing stable version 1.14.1.
Subsequently, Ubuntu has identified that these security issues affect their own OS Nginx packages on these releases:
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
The full details and all of Ubuntu's own OS fixes are shown HERE.

Like most Plesk users (we think...), we run the Nginx packages provided by Plesk (that are prepared by and come with Plesk), so we don't have the Ubuntu OS Nginx packages on our server anyway. However, on Ubuntu 18.04 LTS, the Ubuntu OS Nginx package was 1.14.0, but the Plesk Nginx package on Plesk 17.8.11 is based on the slightly earlier 1.13.8 Nginx release...

The question then: are the same issues as those identified above also present within the Plesk Nginx packages, seeing as they are slightly earlier Nginx releases? We're guessing possibly not, as intended fix notifications would probably have been issued by now, but maybe Plesk can confirm?
 
I can just say that at the moment this is under investigation by our security team. The result of the investigation is expected very soon. Then it will be decided whether to update our nginx packages.
 
FWIW, and again, this is only guessing / speculating... but IF the Plesk Nginx packages ARE updated as a result of the security flaws mentioned above ^^, then the upgrade package would also need to include sw-cp-server, i.e. the Plesk Panel too, wouldn't it? For the same reasons... ;) The Plesk sw-cp-server package is scheduled to be updated before the end of 2018 anyway, according to THIS post (made in a different thread concerning coverage of TLSv1.3 when using Plesk). So maybe, IF the main Plesk Nginx package upgrades are released, then both Plesk Nginx package updates will be released at the same time.
 
I have received a conclusion from the developers: Nginx shipped with Plesk is not affected, because it is built without the ngx_http_mp4 module.
 
Thanks @IgorG. We don't have a need for that particular module (as it happens) and so have no issues anyway when using the current Plesk Nginx packages. The one question that remains is the HTTP/2 related CPU usage errors? HTTP/2 is used by nearly all current release Plesk users, we would have thought? The image below shows the three separate bugs that Nginx (and then Ubuntu) have raised, but then fixed themselves, with the ngx_http_mp4 module one being the most serious. We're guessing that the other two (low priority) bugs will be dealt with in the Plesk 17.9.* release then?
[Image: Nginx.png]
 
Regarding the HTTP/2 vulnerability, developers informed me that they are preparing updates for 17.9 and earlier versions too. They did not provide me with any ETA.
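The two checks the thread turns on, whether the installed nginx predates the 1.14.1 fix release and whether the ngx_http_mp4 and HTTP/2 modules are compiled in, can be read straight from `nginx -V` output. The script below is an added example, not code from the thread or from Plesk; the sample build string is constructed to resemble a Plesk-style 1.13.8 build and its configure arguments are an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or Plesk): parse `nginx -V` text and
# report the version, whether it predates 1.14.1, and which of the
# ngx_http_mp4 / HTTP/2 modules are compiled in.

# Constructed sample modelled on a Plesk-style 1.13.8 build; the exact
# configure arguments are an assumption for the demo, not a real capture.
SAMPLE_PLESK='nginx version: nginx/1.13.8
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'

# Print the version number (e.g. 1.13.8) from the first line of nginx -V output.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Succeed (exit 0) when the configure arguments include the given --with-* flag.
has_module() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Succeed when dotted version $1 is strictly older than dotted version $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# One-line summary for the given nginx -V text.
assess_build() {
    ver=$(nginx_version "$1")
    fixed=yes; version_lt "$ver" 1.14.1 && fixed=no
    mp4=no;    has_module "$1" --with-http_mp4_module && mp4=yes
    h2=no;     has_module "$1" --with-http_v2_module && h2=yes
    printf 'version=%s fixed_release=%s mp4_module=%s http2_module=%s\n' \
        "$ver" "$fixed" "$mp4" "$h2"
}

# On a live server: assess_build "$(nginx -V 2>&1)"   (nginx -V writes to stderr)
assess_build "$SAMPLE_PLESK"
```

The mp4 module is only present when the build was configured with `--with-http_mp4_module`, so its absence from the configure line is what confirms the "not affected" conclusion above.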
 