• The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Security issues with httpd and mod_ssl ...

T

TimKelley

Guest
I'm trying to get a Plesk 10.3.1 installation (on CentOS 5.8) PCI compliant. The rpms for httpd and mod_ssl were created by Plesk, and I can't seem to find any changelog information for either of them. "rpm -q --changelog httpd" just reports "(none)" and the same for mod_ssl. Nor is there any changelog in /usr/share/doc or anywhere else I can find.

The httpd and mod_ssl versions are 2.2.19 release 11072010.


I have to account for several vulnerabilities in 2.2.19 and cannot find anywhere that this has been patched, as I could with a stock package with CentOS, by just running "rpm -q --changelog"

I found changelog for Plesk 10.x, but that only mentions one security problem fixed with httpd (here: http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html ). Is there somewhere I can find all the vulnerability patches by CVE number for the httpd package managed by Plesk?

If the Parallels built RPM is not suitable for PCI compliance (and I would say not if it is not being actively patched), is it possible to use the rpms for httpd and mod_ssl that are part of CentOS? (I mean, without breaking Plesk.)
 
Last edited by a moderator:
httpd and mod_ssl packages are not builded by Parallels. They are CentOS packages:

# rpm -qi httpd | grep Vendor
Version : 2.2.3 Vendor: CentOS

# rpm -qi mod_ssl | grep Vendor
Version : 2.2.3 Vendor: CentOS
Click to expand...

So, you can use packages from official CentOS repositories.
BTW, these packages have 2.2.3 version in Plesk 10.4.4
 
Hmmmm .....

I wonder how that is ... on this system, I get:

# rpm -qi httpd

Code: 
Name        : httpd                        Relocations: (not relocatable)
Version     : 2.2.19                            Vendor: Parallels
Release     : 11072010                      Build Date: Tue 19 Jul 2011 08:25:51 PM PDT
Install Date: Thu 26 Jan 2012 10:02:13 AM PST      Build Host: bcos5x64.plesk.ru
Group       : System Environment/Daemons    Source RPM: httpd-2.2.19-11072010.src.rpm
Size        : 3560809                          License: Apache Software License
Signature   : (none)
Packager    : Parallels <[email protected]>
Summary     : The Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

... the same for mod_ssl.

...and
Code: 
rpm -q --changelog httpd
(none)

Our provider for this is Media Temple ... is it possible they've done this? Who would build rpms that say they're from Parallels if they weren't?
 
Last edited by a moderator:
You must log in or register to reply here.

Similar threads

A
Question Upgrade Almalinux 8 to 9 with Plesk installed
Replies
6
Views
4K
Sebahat.hadzhi
Sebahat.hadzhi
N
Issue Unable to open 443 port to reinstall licence key
Replies
9
Views
5K
Monty
Monty
K
Resolved Failed to update Plesk
Replies
2
Views
2K
karabo
K
R
Issue Update to plesk 18.0.40 failed
Replies
2
Views
2K
IgorG
IgorG
Ales
Issue Plesk source for Qmail, PHP ... on a RPM based hosts (source RPMs, patches)
Replies
4
Views
1K
Ales
Ales
Back
Top