
When can we expect a patch to the Plesk 11 root exploit from April 10th?

Why wasn't a notice of this update being made available sent to customers via email, posted on the release notes for updates page (http://download1.parallels.com/Plesk/PP11/parallels-plesk-panel-11-linux-updates-release-notes.html), posted on the RSS feed, which is now seven months out of date (http://www.parallels.com/cn/products/plesk/rss), posted on the Twitter feed (https://twitter.com/PleskService), or CERT made aware of it? Every time some critical security bug is found, notice, if made at all, is typically made in only one way, and it's always a new one, even though I've been told any number of random possibilities are the 'official' way to hear about updates. First the release notes were the official thing to monitor, then it became the Twitter feed, then it was the RSS, and now it's apparently none of those, or no announcement was made...
 
The KB only mentions Plesk 9 and above. Is that because versions below Plesk 9 are not supported anymore, or because they are not vulnerable?

So I would like to know:
Are older Plesk versions vulnerable?

regards
Jan
 

You tell me what it is, it worked for at least eight months and was given to me by someone from Parallels; so I guess it's just another instance of Parallels giving out one thing that's "right" at the time and then telling me I'm wrong later on when I actually expect the information I was given to remain accurate. Is http://www.parallels.com/products/plesk/rss the one and only current official way of receiving notifications of security updates for the product now?

I know nothing about the RSS feed you mentioned or who provided it to you. I can only say that http://www.parallels.com/products/plesk/rss has been the main source of all Plesk news for a long time.

Plesk 8.x is not supported now, according to http://www.parallels.com/products/plesk/lifecycle/
All other versions are mentioned in http://kb.parallels.com/115942

I know it is not supported anymore, and that is not what I asked. I asked if it is vulnerable.

As the creators of Plesk 8.6.0 you are still responsible for it, and this security error was clearly already there when it was still supported. A Plesk computer is not like an old laptop with Windows XP that you can unplug from the internet when it's not supported anymore. I cannot make customers upgrade old dedicated or colocated servers. If it is vulnerable, I can use it as an extra reason to have people upgrade.

suexec is published under the Apache license, so you must make the changes you make to the code publicly available. If Plesk 8.6 is vulnerable, I can study the changes you made to the suexec code and then compile suexec for Plesk 8.6 myself. If it breaks, it breaks; that is my problem then, not yours.

I didn't ask you to take action; I asked if I need to take action, and then for the tools for me to take action with.

Jan
 
Thank you, that is what I wanted to know.

Can you please make the changes to suexec public then, as the Apache license demands, so I can make my own fix?

regards
Jan
 
Plesk 8.6 end-of-lifed in September 2012 therefore we did not test this vulnerability.

Please let us know where we can download the source code for the Parallels version of suexec that was included in Plesk 8. As Jan pointed out, Parallels is legally bound by the Apache license to publish this information.

Is Plesk 8 even vulnerable to this issue? As far as I can tell, it isn't. Plesk 8 did not offer the option of running PHP as FastCGI, so there is no cgi_wrapper on Plesk 8 to begin with, and no trace of "cgi_wrapper" in the suexec binary.

Additionally, have the Plesk update servers not yet received the later microupdates for the pre-10.4.4 versions? A 10.2 server is showing no updates available.
 