
When can we expect a patch to the Plesk 11 root exploit from April 10th?

Why wasn't a notice of this update being made available sent to customers via email, posted on the release notes for updates page (http://download1.parallels.com/Plesk/PP11/parallels-plesk-panel-11-linux-updates-release-notes.html), posted on the RSS feed which is now seven months out of date (http://www.parallels.com/cn/products/plesk/rss), posted on the Twitter feed (https://twitter.com/PleskService), or CERT made aware of it? Every time some critical security bug is found, notice, if made at all, is typically made in only one method and it's always a new one, even though I've been told any number of random possibilities are the 'official' way to hear about updates. First the release notes were the official thing to monitor, then it became the Twitter feed, then it was the RSS, now it's apparently none of those or no announcement was made...
 
The KB only mentions Plesk 9 and above. Is that because versions under Plesk 9 are not supported anymore or because they are not vulnerable?

So I would like to know:
Are older Plesk versions vulnerable?

Regards
Jan
 

You tell me what it is, it worked for at least eight months and was given to me by someone from Parallels; so I guess it's just another instance of Parallels giving out one thing that's "right" at the time and then telling me I'm wrong later on when I actually expect the information I was given to remain accurate. Is http://www.parallels.com/products/plesk/rss the one and only current official way of receiving notifications of security updates for the product now?

I know nothing about the RSS feed you mentioned or who provided it to you. I can only say that http://www.parallels.com/products/plesk/rss has been the main source of all Plesk news for a long time.
 
Plesk 8.x is not supported now, according to http://www.parallels.com/products/plesk/lifecycle/
All other versions are mentioned in http://kb.parallels.com/115942

I know it is not supported anymore, and that is not what I asked. I asked if it is vulnerable.

As the creators of Plesk 8.6.0 you are still responsible for it, and this security error was clearly already there when it was still supported. A Plesk computer is not like an old portable with Windows XP that you can unplug from the internet when it's not supported anymore. I cannot make customers upgrade old dedicated or colocated servers. If it is vulnerable, I can use it as an extra reason to have people upgrade.

suexec is published under the Apache license, so you must make the changes that you make to the code publicly available. If Plesk 8.6 is vulnerable, I can study the changes you made to the suexec code and then compile suexec for Plesk 8.6 myself. If it breaks, it breaks; that is my problem then, not yours.

I didn't ask you to take action, I asked if I need to take action, and then for the tools for me to take action with.

Jan
 
Thank you, that is what I wanted to know.

Can you please make the changes to suexec public then, as the Apache license demands, so I can make my own fix.

Regards
Jan
 
Plesk 8.6 was end-of-lifed in September 2012, therefore we did not test this vulnerability.

Please let us know where we can download the source code for the Parallels version of suexec that was included in Plesk 8. As Jan pointed out, Parallels is legally bound by the Apache license to publish this information.
 
Is Plesk 8 even vulnerable to this issue? As far as I can tell, it isn't. Plesk 8 did not offer the option of running php as a fastcgi, so there is no cgi_wrapper on Plesk 8 to begin with, and no trace of "cgi_wrapper" in the suexec binary.

Additionally, have the Plesk update servers not yet received the later microupdates for the pre-10.4.4 versions? A 10.2 server is showing no updates available.
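As an added triage check, not code from this thread or from Parallels: the POSIX shell functions below apply the indicator the post above relies on (whether the suexec binary references "cgi_wrapper", and whether it is setuid) to a given binary, so an administrator of an older install can record whether the affected component is even present. The default path /usr/sbin/suexec is an assumption; pass the real location as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): triage a suexec binary for the
# cgi_wrapper reference discussed above. Printable runs are extracted with
# tr, so the check works without binutils' strings(1).

# 0 if the file references "cgi_wrapper", 1 if not, 2 if it cannot be read.
suexec_refs_cgi_wrapper() {
    f="$1"
    [ -r "$f" ] || return 2
    tr -c '[:print:]' '\n' < "$f" | grep -q 'cgi_wrapper'
}

# 0 if the file carries the setuid bit (the mode in which a suexec flaw
# would matter, since suexec runs setuid root under Apache).
is_setuid() {
    [ -u "$1" ]
}

# Print a one-line verdict for the binary at $1 (assumed default path).
triage_suexec() {
    f="${1:-/usr/sbin/suexec}"
    if suexec_refs_cgi_wrapper "$f"; then
        if is_setuid "$f"; then
            echo "affected-component-present setuid"
        else
            echo "affected-component-present not-setuid"
        fi
    elif [ ! -r "$f" ]; then
        echo "unreadable"
    else
        echo "no-cgi_wrapper"
    fi
}

triage_suexec "$@"
```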
 