• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Update data wrong and late

Netaction

New Pleskian
Server operating system version
Linux
Plesk version and microupdate number
18.0.49
Hi!
All my Wordpress sites show these warnings at the moment. Sorry I can't switch Plesk to English. There are several issues with this.

Expected behaviour: The site should have been updated to 6.2.2 already and the imaginary bug should not be listed.

Thomas
 

Attachments

  • Screenshot 2023-05-20 075559.png
    Screenshot 2023-05-20 075559.png
    80.7 KB · Views: 3
Are you aware that the 6.2.2 update was published just three hours ago? Wordpress uses a nightly maintenance job to look for updates, and it also is not possible to update millions of servers globally all at the same time right after a patch or update has been published.

As a workaround you can login to your wordpress and look at the Dashboard menu for upgrades and install the upgrade from there if it is already offered by Wordpress.

For the "unauthenticated blind srrf" vulnerability please provide the quote where someone says that it was fixed.
 
Seems all three issues are even worse than reported in my first post:
  • I have five test pages outside of Plesk with extremely low traffic. All got their automatic updates to 6.2.2. See the screenshot of the mail from 14 hours ago. But all Plesk sites are still on 6.2.1 and Plesk does not even recognize the update after pressing the search button. This looks like a severe security issue of Plesk. Maybe the issue is with my specific Plesk installation, but my Plesk don't complain about missing update data or anything, so I assume all Plesk installations are affected. The excuse "not possible to update millions of servers globally all at the same time" sounds funny after Wordpress' own updaters did the updates many hours ago while Plesk does not even know about it.
  • Wordpress maintainers already said the bug Plesk complains about is not handled as a security issue. #57363 (WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding) – WordPress Trac There are no exploits. I agree with Plesk that this issue has to be fixed and is worth a warning. But an issue that is not planned to be fixed should not clog the security warnings of Plesk. Admins will only learn to ignore these messages. Plesk already offers a good workaround and warns if it is not used, this might be enough in my oppinion.
  • The warning jumped from "WordPress <= 6.1.1" to "WordPress <= 6.2" without any logical basis. The issue will not resolved soon an is not resolved in 6.2.1.
 

Attachments

  • Screenshot 2023-05-20 221659.png
    Screenshot 2023-05-20 221659.png
    81.3 KB · Views: 3
  • Screenshot 2023-05-20 223549.png
    Screenshot 2023-05-20 223549.png
    107.9 KB · Views: 2
I have 3 servers with Plesk and they all did the update to 6.2.2 this night between 2AM and 7AM. Plesk delayed the updates by around 20 hours compared to pages that do not use Plesk.
 
Back
Top