• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Yet another PCI failure, Plesk 11/10/9/etc.

I reported this via a Plesk support ticket in August and was advised the following:



Passing this response or similar for multiple PCI scans seem to appease SecutiryMetrics in each instance.

That's very odd considering their reason for failure was the version no longer being supported. Are you thinking SM decided to pass it because they're satisfied that Parallels is patching the 3.0.8 version even though the Courier author has abandoned it?
 
Waiting for another SecurityMetrics scam to finish before we know the results, but I have a question:

What did this update change to Courier? What version is Courier being upgraded to and where should we see the change once our panel has been upgraded? I got an e-mail this morning saying the upgrade was applied, but when looking at the RPM packages the version number is still the same for the PSA Courier package.

Thanks!
 
What did this update change to Courier?

The update makes something that PCI scanners should not fail on scanning Courier IMAP.

What version is Courier being upgraded to?

Courier IMAP will be updated to 4.11 in Plesk in further updates. ETA Q4'12.
 
Security by obscurity...

Not quite. Plesk ships patched Courier IMAP 3.0.8 that is not vulnerable. So it's securely.

SystemMetrics and some other PCI scanners don't actually check software for vulnerabilities but make decision based on indirect indicators. We have hidden these indicators.
 
Last edited:
Security by obscurity...
Not quite. Plesk ships patched Courier IMAP 3.0.8 that is not vulnerable. So it's securely.

SystemMetrics and some other PCI scanners don't actually check software for vulnerabilities but make decision based on indirect indicators. We have hidden these indicators.

You describe security by obscurity in your response, which is:

a principle in security engineering, which attempts to use secrecy of design or implementation to provide security.

When can we expect information about the changes implemented in this release? Did you guys change a version number to make SecurityMetrics happy? The version number didn't change from any scans I've ran, but the SecurityMetrics scam is returning okay now. Something across the wire has changed, what is that something? Refusing to say what the change is makes no sense if there is no real security principle here.
 
Back
Top