Question Why did the security update for webp come so late from plesk?

[Azurel]

Server operating system version

AlmaLinux 8.8 (Sapphire Caracal)

Plesk version and microupdate number

18.0.56 Update 2

There was a lot in the media that the image format Webp has a security vulnerability that affects virtually everyone (browser, apps, servers) who uses Webp. Since mid-September there are also various bug fixes for this, also for libwebp. Maybe I missed something, but why is this important update at Plesk more than a month late (see plesk changelog), although the bugfix already existed?

It would be interesting and important to know how quickly Plesk reacts to such security problems. Seems to me now for the time being extremely slow, about a month to leave the server with the security gap.

 

[Kaspar]

The server part of this particular vulnerability mainly concerns the libwebp package. Which isn't managed by Plesk, but by the OS vendors. So the OS vendors (Ubuntu, RHEL, ect) are distributing the updates that fixes this vulnerability. Hence it is not listed in the Plesk change log. If your server is up to date, then the issue is probably already solved on your server.

 

[Azurel]

But it is explicitly listed in the changelog from plesk or I misunderstand you?

30 October 2023

Updated libwebp for GD to version 1.3.2 for PHP 8.2, 8.1.

 

[Kaspar]

You are right. Libwebp does get distributed by Plesk.

 

[Azurel]

Wrong forum? I am still interested in an answer. Am I the only one who finds it strange that such an important security fix comes so late?

 

[Peter Debik]

@Azural Your question is not a question, it is a critical statement that you are dissatisified that this in your opinion critical security update was not delivered fast enough. No matter what the answer to your question is, it makes absolutely no difference, because your intention with this thread is not to get an answer, your intention is to stir up public critique and to involve others to confirm your opinion. The sole purpose of the question are to be an ego shooter and to create a negative image of Plesk. Anyone who reads the headline of this thread is already framed to the thought that Plesk developers are slow, don't care for users etc. Which is not true, but the way your critique is presented leave uninformed users no choice but to follow this path of thinking.

For that reason I do not intend to answer your question.

It's not a question, it is a statement, and I do not like this way. Your critique has been heard, but please do not expect my sympathy for the the way it has been presented. The way this update was done was perfectly right and timely. Did you experience any negative impact on your systems? No. So what is the point?

Here is a popular story that comes to my mind when I see threads like this one:

A math professor wrote the following on the blackboard:
9x 1= 9
9x 2=18
9x 3=27
9x 4=36
9x 5=45
9x 6=54
9x 7=63
9x 8=72
9x 9=81
9×10=91

Many taunts were made in the lecture hall because the professor had made a mistake.
9×10=91!
The whole room laughed at him. The professor waited until everyone was quiet again, then he said:

"This is how you are seen in the world. I made that mistake on purpose to show you how the world behaves in the face of a single mistake. None of you congratulated me for doing everything right nine times and being right.
None who saw you do the right thing and praised you for it. But all the people hurt you, blasphemed you and humiliated you because you were wrong just once. That's life! We have to learn to appreciate people for "their successes".
There are people who do much more that is right than wrong, and - end up being judged by one mistake, - and are not judged by the other nine hits. That works for all of us. More praise and less criticism. More love and affection and less hate and cruelty. Let's learn to appreciate each other instead of destroying each other."

 

[Azurel]

How/where else should I ask this question? Just silently accept it?

Instead of accusing me of such nonsense, please tell me how the issue is being resolved. I use Plesk and love it for its simplicity, but when such important security fixes come so late, I'm legitimately worried for several reasons and would have liked to have them allayed.