SECURITY ISSUE - Parallels Plesk Panel versions 7.6.1 - 10.3.1

[LordBull]

Just had this by em from a well-known host - and, while it may take them 48 hours to reply to a support ticket, they seem to be up with the play on this.

Hope it helps somebody - we're busy patchin'

LB

Parallels Plesk Issue

Dear Customer,

Parallels have recently informed the hosting community of a security vulnerability that affects those users of the Plesk Panel versions listed below:

Parallels Plesk Panel versions 7.6.1 - 10.3.1

Whilst you may not be directly affected by this security issue we strongly advise that you upgrade your Plesk Panel incrementally to the latest patched version.

The vulnerability allows for unauthorized access and modification to the server directory. Please note that due to the nature of this issue any affected server found will be patched on behalf of the customer.

 

[murph]

If this is the vulnerability announced on 16th feb, then it only allows hacker to login at client level through Plesk control panel. Unless this is another hole??

 

[jimm]

Top tip: Run the update in command line.
I have seen a few newer boxes which dont use qmail error with:

Unable to process patch config: PSA_9.5.4/plesk-patches-9.5.4-cos5-x86_64.inf3: Failed to parse the patch file at (line 34 column 13)
Group named ‘qmail’ is not exists on this system.

which doesnt show anything in gui and leaves you unprotected

Thats my pro bono server admin for the day