
URGENT - Hotfix required all versions due to openssl upgrade

Not fair at all to the CentOS developers to phrase the article "Latest update of the openssl package from CentOS breaks Parallels Panel 9.x."...
 
This solution covers CentOS. I am running RHEL4. It is noted in the start of this that Fedora is also broken by this problem. What are the packages we need to download for Fedora and, most importantly to me, Redhat EL 4? When will a complete hotfix be published?

Thank you.
 
The options you've given are to leave your server vulnerable to exploit, or to run your server in a way that violates PCI compliance guidelines (running the interface insecurely) for hosts who are handling ecommerce sites; neither is a viable solution. Can we get the existing code recompiled against the current RedHat openSSL so we can at least get up and running, and then worry about a version that's not hard coded to the openssl version later?
 
Hello Gentlemen. Sorry again.

Could you spend a little time and answer one little question?

Why do you install new OS updates without Plesk Panel compatibility checking?
 
Why do you install new OS updates without Plesk Panel compatibility checking?

There are quite a few reasons, which should be obvious:

1) First and foremost, Parallels has no compatibility list that I've ever seen other than the base operating system name and version, such as CentOS 5, RedHat Enterprise 4. Are you saying one exists that actually states "Plesk Panel 9.x on RedHat Enterprise 5 REQUIRES OpenSSL RPM version 0.9.8e-12.el5_4.1 and will NOT function with version 0.9.8e-12.el5_4.6"? I doubt it does, but even if there were such a list, I would doubt it would be updated quickly enough for server operators to sit around on a known security issue waiting for someone from Parallels to tell us if we can patch our servers.

2) Because in the past this has not been an issue, which is why Plesk 8.x runs just fine with the new OpenSSL patch. It's only the poorly written version 9.x that has an issue with a minor version change. In fact, the whole point of using an operating system like RedHat Enterprise is because they keep the major version the same and apply later patches to software into their stable version so that compatibility issues are minimized. Of course, if Parallels hard codes Plesk Panel 9.x to expect and rely on a specific version, all the work of RedHat to keep things working is wasted.

3) Because some of us have servers hosting customers' businesses; in many cases we host someone's sole form of income. They rely on us to keep their business running, and we rely on RedHat to immediately release patches for issues that could jeopardize our customers' businesses, which a remotely exploitable SSL-related vulnerability could very well do. So when an update comes out for something that RedHat advises could *potentially* contain a remotely exploitable issue allowing the execution of arbitrary code, you had better believe I'm going to apply the update whether Parallels says it's OK or not.


So, with that being said, can you answer me one little question: why is Plesk 9.x hard coded to a specific version of openssl when 8.x didn't seem to need that?
 
Hi Sergius,

Yes. I use Fedora, and updates come either by yum or PackageKit, and you're notified of updates on the desktop.

If Plesk has to be hard compiled against specific versions of OpenSSL, the only way to achieve this is modifying the repo for updates and updates-testing, excluding OpenSSL.

However, I for one think this is very dangerous, as if updates are pushed it means either a bug fix or a security fix.

In the case of a security fix, who denies an update?

It means the system is exploitable.

Then why bother running a maintained OS? May as well go and install Fedora 4.

Surely, since Plesk is closed source, you should either not link to specific versions that break on an update, or provide updates quickly.

Denying OS updates is purely a recipe for self-destruction, particularly for core packages that other packages depend on.

Thanks!
 
Why do you install new OS updates without Plesk Panel compatibility checking?

<rant>
Your question suggests that there is a means for checking the version numbers of every piece of software that Parallels has qualified to work with Plesk Control Panel. It also seems to imply that it is Parallels' customers fault that the openssl update broke Plesk Panel.

Please, do tell, how does someone determine compatibility of a software update? Which document should I have read before updating openssl? Parallels' knowledgebase* says to read the release notes, which I did prior to installing Plesk. I also read them again today. It only says that Plesk Panel requires CentOS 5. It doesn't even say which version of CentOS 5! And it certainly doesn't say anything about openssl. Grrrr.
</rant>

Please, just fix the problem as soon as possible!

* http://kb.odin.com/220
 
So it's now the users / customers fault ?

Sheesh

Then, if Parallels insists we now all have to start checking every blasted yum package update, list all the packages and put in a requirement that Plesk requires yum updates to be disabled unless verified.

So now I have to waste 10 minutes a day verifying updates against some non-existent list that, give it a week, will be so out of date!

Just compile packages properly and stop directly tagging specific library files exactly.

How come on Fedora I can compile php or httpd packages and later update other packages without having to rebuild them?
 
105547111, you are right, the openssl package is the one package that sw-cp-server was not compatible with, but the mod_ssl update also depended on this new openssl package, so you needed to downgrade mod_ssl as well. And that also required downgrading the httpd package...

I've just tested the updated sw-cp-server packages at http://kb.odin.com/en/8338 and they indeed seem to be compatible with the new openssl package.
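The failure mode discussed in this thread (sw-cp-server linked against one specific libssl/libcrypto soname, which the distribution's openssl update then replaced, and the posts above about excluding openssl from yum or downgrading the mod_ssl/httpd chain) can be detected before a restart breaks the panel. The script below is an added example, not code from the thread or from Parallels: it parses `ldd` output and reports binaries with unresolved shared-library dependencies. The directory scanned and the sample `ldd` output are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag dynamically linked executables whose
# shared-library dependencies no longer resolve. This is what happens when a
# program is linked against a specific libssl/libcrypto soname and the
# distribution ships a library with a different soname.

# Read one program's `ldd` output on stdin and print the libraries the dynamic
# loader could not find, one per line. Exit status: 0 if every dependency
# resolves, 1 if at least one is missing.
missing_libs() {
    # ldd prints "libfoo.so.N => not found" for an unresolvable dependency.
    awk '/=> not found/ { print $1; missing = 1 }
         END { exit missing ? 1 : 0 }'
}

# Run ldd over every regular file in a directory (e.g. the panel's own
# bin/sbin directory; path is an assumption) and report the ones with
# unresolved dependencies. Exit status: 0 if all clean, 1 otherwise.
scan_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # ldd fails (with a message) for files that are not dynamically linked
        # ELF objects; those are simply skipped.
        out=$(ldd "$f" 2>/dev/null) || continue
        missing=$(printf '%s\n' "$out" | missing_libs) && continue
        rc=1
        printf '%s: missing %s\n' "$f" "$(printf '%s' "$missing" | tr '\n' ' ')"
    done
    return $rc
}

# Stand-alone usage: scan the directory given as the first argument, or a
# commonly used Plesk location (an assumption) when none is given.
if [ -n "$1" ] || [ -d /usr/local/psa/admin/bin ]; then
    scan_dir "${1:-/usr/local/psa/admin/bin}"
fi
```

Only run this against binaries you already trust (the packages installed on the box): `ldd` works by invoking the dynamic loader on the target, so it is not a safe way to inspect an untrusted file; `readelf -d` or `objdump -p` list the needed sonames without executing anything. A binary flagged here will fail to start after the library update regardless of what yum reported, which is the case this thread describes.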
 
Ah, must be for CentOS. The Fedora OpenSSL update did not update httpd, already at 2.2.14.

Still waiting for the Fedora cp-server update :(
 
Also looking for RHEL5 update

Can we expect the fix for RHEL5?

Any thought from Parallels staff?
 
Thank you IgorG, I have installed all working fine. :)

You are great!
 
I have the same problem with openSUSE 11.1.

Can we expect the fix for openSUSE 11.1?
 
I also have trouble with openSUSE 11.1.
Please be so kind and fix the problem as soon as possible!
 