
Resolved Update data wrong and late

Netaction

New Pleskian
Server operating system version
Linux
Plesk version and microupdate number
18.0.49
Hi!
All my WordPress sites show these warnings at the moment. Sorry, I can't switch Plesk to English. There are several issues with this.

Expected behaviour: The site should have been updated to 6.2.2 already and the imaginary bug should not be listed.

Thomas
 

Attachment: Screenshot 2023-05-20 075559.png
Are you aware that the 6.2.2 update was published just three hours ago? WordPress uses a nightly maintenance job to look for updates, and it also is not possible to update millions of servers globally all at the same time right after a patch or update has been published.

As a workaround you can log in to your WordPress and look at the Dashboard menu for upgrades and install the upgrade from there if it is already offered by WordPress.

For the "unauthenticated blind SSRF" vulnerability, please provide the quote where someone says that it was fixed.
 
Seems all three issues are even worse than reported in my first post:
  • I have five test pages outside of Plesk with extremely low traffic. All got their automatic updates to 6.2.2. See the screenshot of the mail from 14 hours ago. But all Plesk sites are still on 6.2.1 and Plesk does not even recognize the update after pressing the search button. This looks like a severe security issue of Plesk. Maybe the issue is with my specific Plesk installation, but my Plesk doesn't complain about missing update data or anything, so I assume all Plesk installations are affected. The excuse "not possible to update millions of servers globally all at the same time" sounds funny after WordPress' own updaters did the updates many hours ago while Plesk does not even know about it.
  • WordPress maintainers already said the bug Plesk complains about is not handled as a security issue. #57363 (WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding) – WordPress Trac. There are no exploits. I agree with Plesk that this issue has to be fixed and is worth a warning. But an issue that is not planned to be fixed should not clog the security warnings of Plesk. Admins will only learn to ignore these messages. Plesk already offers a good workaround and warns if it is not used; this might be enough in my opinion.
  • The warning jumped from "WordPress <= 6.1.1" to "WordPress <= 6.2" without any logical basis. The issue will not be resolved soon and is not resolved in 6.2.1.
 

Attachments: Screenshot 2023-05-20 221659.png, Screenshot 2023-05-20 223549.png
I have 3 servers with Plesk and they all did the update to 6.2.2 this night between 2AM and 7AM. Plesk delayed the updates by around 20 hours compared to pages that do not use Plesk.
 