• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Yet another PCI failure, Plesk 11/10/9/etc.

I reported this via a Plesk support ticket in August and was advised the following:



Passing this response or similar for multiple PCI scans seem to appease SecutiryMetrics in each instance.

That's very odd considering their reason for failure was the version no longer being supported. Are you thinking SM decided to pass it because they're satisfied that Parallels is patching the 3.0.8 version even though the Courier author has abandoned it?
 
Waiting for another SecurityMetrics scam to finish before we know the results, but I have a question:

What did this update change to Courier? What version is Courier being upgraded to and where should we see the change once our panel has been upgraded? I got an e-mail this morning saying the upgrade was applied, but when looking at the RPM packages the version number is still the same for the PSA Courier package.

Thanks!
 
What did this update change to Courier?

The update makes something that PCI scanners should not fail on scanning Courier IMAP.

What version is Courier being upgraded to?

Courier IMAP will be updated to 4.11 in Plesk in further updates. ETA Q4'12.
 
Security by obscurity...

Not quite. Plesk ships patched Courier IMAP 3.0.8 that is not vulnerable. So it's securely.

SystemMetrics and some other PCI scanners don't actually check software for vulnerabilities but make decision based on indirect indicators. We have hidden these indicators.
 
Last edited:
Security by obscurity...
Not quite. Plesk ships patched Courier IMAP 3.0.8 that is not vulnerable. So it's securely.

SystemMetrics and some other PCI scanners don't actually check software for vulnerabilities but make decision based on indirect indicators. We have hidden these indicators.

You describe security by obscurity in your response, which is:

a principle in security engineering, which attempts to use secrecy of design or implementation to provide security.

When can we expect information about the changes implemented in this release? Did you guys change a version number to make SecurityMetrics happy? The version number didn't change from any scans I've ran, but the SecurityMetrics scam is returning okay now. Something across the wire has changed, what is that something? Refusing to say what the change is makes no sense if there is no real security principle here.
 
Back
Top