URGENT - Hotfix required all versions due to openssl upgrade

Hello Hostasaurus.Com. Thank you so much for your reply.

1) First and foremost, Parallels has no compatibility list that I've ever seen other than the base operating system name and version, such as CentOS 5, RedHat Enterprise 4. Are you saying one exists that actually states "Plesk Panel 9.x on RedHat Enterprise 5 REQUIRES OpenSSL RPM version 0.9.8e-12.el5_4.1 and will NOT function with version 0.9.8e-12.el5_4.6"? I doubt it does, but even if there were such a list, I would doubt it would be updated quickly enough for server operators to sit around on a known security issue waiting for someone from Parallels to tell us if we can patch our servers.

Yes, we should provide a compatibility list. Will do.

2) Because in the past this has not been an issue, which is why Plesk 8.x runs just fine with the new OpenSSL patch. It's only the poorly written version 9.x that has an issue with a minor version change. In fact, the whole point of using an operating system like RedHat Enterprise is because they keep the major version the same and apply later patches to software into their stable version so that compatibility issues are minimized. Of course, if Parallels hard codes Plesk Panel 9.x to expect and rely on a specific version, all the work of RedHat to keep things working is wasted.

OK. We are going to start using the native package manager (yum) on CentOS, RHEL and Fedora.

3) Because some of us have servers hosting customers' businesses, i.e. in many cases we host someone's sole form of income, they rely on us to keep their business running, we rely on RedHat to immediately release patches to issues that could jeopardize our customers' businesses, which a remotely exploitable ssl-related vulnerability could very well do. So when an update comes out for something that RedHat advises could *potentially* contain a remotely exploitable issue allowing the execution of arbitrary code, you better believe I'm going to apply the update whether Parallels says it's ok or not.

OK. Got you.

So, with that being said, can you answer me one little question; why is Plesk 9.x hard coded to a specific version of openssl when 8.x didn't seem to need that?

It does not matter "why". It's obvious that it was a mistake. Will fix.
 
Hi Sergius,

Yes. I use Fedora and updates are either by yum, or PackageKit and you're notified on the desktop of updates.

If Plesk has to be hard compiled against specific versions of OpenSSL, the only way to achieve this is modifying the repo for updates and updates-testing, excluding OpenSSL.

However, I for one think this is very dangerous, as if updates are pushed it means either a bug fix or security fix.

In the case of a security fix, who denies an update?

It means the system is exploitable.

Then why bother running a maintained OS, may as well go and install Fedora 4.

Surely since Plesk is closed source, you should either not link to specific versions that break on an update, or provide updates quickly.

Denying OS updates is purely a recipe for self-destruction, particularly core packages that other packages depend on.

Thanks!
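
As an added example (not part of the original thread, and not the poster's or Plesk's code): a check that reports yum `exclude=` entries holding back OpenSSL updates, which is the kind of repo modification the post above describes. The sample configuration is constructed, and matching on the bare package name is a simplifying assumption.

```python
import configparser
import fnmatch
import re

# Constructed sample in the layout of /etc/yum.conf plus a .repo file.
# An exclude= under [main] applies to every repository.
SAMPLE = """\
[main]
gpgcheck=1
exclude=kernel* openssl*

[updates]
name=Updates
enabled=1

[updates-testing]
name=Updates testing
enabled=0
exclude=php-*, openssl
"""


def find_excludes(config_text, package="openssl"):
    """Return (section, pattern) pairs whose exclude= pattern hides `package`."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    hits = []
    for section in parser.sections():
        raw = parser.get(section, "exclude", fallback="")
        # yum accepts space- or comma-separated shell-style globs.
        for pattern in re.split(r"[,\s]+", raw.strip()):
            if pattern and fnmatch.fnmatchcase(package, pattern):
                hits.append((section, pattern))
    return hits


if __name__ == "__main__":
    for section, pattern in find_excludes(SAMPLE):
        print(f"[{section}] exclude pattern {pattern!r} blocks openssl updates")
```
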

Hello 105547111. Thank you so much for your reply too.

Yes, we are going to use yum instead of our own package manager.
 
Hello nedry. Thank you so much for your reply too.

<rant>
Your question suggests that there is a means for checking the version numbers of every piece of software that Parallels has qualified to work with Plesk Control Panel. It also seems to imply that it is Parallels' customers fault that the openssl update broke Plesk Panel.

Please, do tell, how does someone determine compatibility of a software update? Which document should I have read before updating openssl? Parallels' knowledgebase* says to read the release notes, which I did prior to installing Plesk. I also read them again today. It only says that Plesk Panel requires CentOS 5. It doesn't even say which version of CentOS 5! And it certainly doesn't say anything about openssl. Grrrr.
</rant>

Please, just fix the problem as soon as possible!

* http://kb.odin.com/220

It looks reasonable. Will provide a compatibility list.
 
I have installed the Suse-Fix - but now the same SSL-connect-error :-(
What can I do?
 