Question Recent Nginx Security Issues - Anything Similar With Plesk's Own Nginx Packages?

learning_curve

Golden Pleskian
A couple of days ago, Nginx identified some issues which they have fixed by releasing stable version 1.14.1.
Subsequently, Ubuntu has identified that these security issues affect their own OS Nginx packages on these releases:
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
The full details and all of Ubuntu's own OS fixes are shown HERE

Like most Plesk users (we think...) we run the Nginx packages provided by Plesk (that are prepared by and come with Plesk) so we don't have the Ubuntu OS Nginx packages on our server anyway. However, on Ubuntu 18.04 LTS, the Ubuntu OS Nginx Package was 1.14.0 but the Plesk Nginx package on Plesk 17.8.11 is based on the slightly earlier 1.13.8 Nginx release...

The question then? Are the same issues as those identified above, also present, within the Plesk Nginx Packages, seeing as they are slightly earlier Nginx releases? We're guessing possibly not, as intended fix notifications would probably have been issued by now, but maybe Plesk can confirm?
 
I just can say that at the moment this is under investigation of our security team. The result of the investigation is expected very soon. Then it will be decided whether to update our nginx packages.
 
FWIW and again, this is only guessing / speculating... but IF the Plesk Nginx packages ARE updated, as a result of the security flaws mentioned above ^^ then the upgrade package would also need to include (sw-cp-server) i.e. the Plesk Panel too wouldn't it? For the same reasons... ;) The Plesk sw-cp-server package is scheduled to be updated before the end of 2018 anyway, according to THIS post (made in a different thread concerning coverage of TLSv1.3 when using Plesk) So maybe, IF the main Plesk Nginx package upgrades are released, then both the Plesk Nginx package updates will be released at the same time.
 
I have received a conclusion from developers - Nginx shipped with Plesk is not affected, because it is built without ngx_http_mp4 module.
 
Thanks @IgorG We don't have a need for that particular module (as it happens) and so have no issues anyway when using the current Plesk Nginx packages. The one question that remains is the HTTP/2 related CPU usage errors? HTTP/2 is used by nearly all current release Plesk users, we would have thought? The image below shows the three separate bugs that Nginx (and then Ubuntu) have raised, but then fixed themselves, with the ngx_http_mp4 module one being the most serious. We're guessing that the other two (low priority) bugs will be dealt with in the Plesk 17.9.* release then?
[Image: Nginx.png, the three Nginx bugs listed in the 1.14.1 advisory]
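The two points raised above (IgorG's note that the Plesk build ships without ngx_http_mp4_module, and the follow-up question about the HTTP/2 issue) can both be answered on a given server from the output of `nginx -V`, which lists the version and the configure arguments the binary was built with. The script below is an added example, not code from this thread or from Plesk: it parses that output and reports whether each of the two affected features is compiled in, treating 1.14.1 (the fixed stable release named in the thread) as the cut-off. The sample `nginx -V` text embedded in it is constructed for the demonstration, the script name is a placeholder, and mainline 1.15.x builds are not classified.

```shell
#!/bin/sh
# Added example (not from the thread, not Plesk's own tooling). Reads the text
# that `nginx -V` prints (it goes to stderr) and reports whether the build
# carries ngx_http_mp4_module and HTTP/2 support, alongside the version.
# Usage on a real host:  nginx -V 2>/tmp/nginx-V.txt && sh ./nginx-build-check.sh /tmp/nginx-V.txt

# Constructed sample of `nginx -V` output, shaped like a Plesk-style build
# (version 1.13.8, no mp4 module, HTTP/2 present). Not captured from a real host.
SAMPLE_V='nginx version: nginx/1.13.8
built by gcc 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --without-http_scgi_module'

# has_module OUTPUT NAME: succeed if "--with-NAME" is among the configure arguments.
# "--without-NAME" does not match, so a deliberately excluded module reads as absent.
has_module() {
    printf '%s\n' "$1" | grep -q -- "--with-$2"
}

# nginx_version OUTPUT: print the dotted version from the first line, e.g. 1.13.8.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# version_lt A B: succeed if dotted version A is numerically lower than B
# (field-wise numeric sort, so 1.9.9 correctly sorts before 1.14.1).
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# assess OUTPUT: one summary line. A version at or above the fixed stable
# release 1.14.1 (as named in the thread) is reported as fixed for both
# features; below it, each feature is "exposed" only if it was compiled in.
assess() {
    v=$(nginx_version "$1")
    if ! version_lt "$v" 1.14.1; then
        mp4=fixed
        h2=fixed
    else
        if has_module "$1" http_mp4_module; then mp4=exposed; else mp4=not-built; fi
        if has_module "$1" http_v2_module; then h2=exposed; else h2=not-built; fi
    fi
    printf 'version=%s mp4=%s http2=%s\n' "$v" "$mp4" "$h2"
}

# Stand-alone run: assess the file given as the first argument, or the
# constructed sample when no file is supplied.
if [ -n "${1:-}" ]; then
    assess "$(cat "$1")"
else
    assess "$SAMPLE_V"
fi
```

On the constructed sample this prints `version=1.13.8 mp4=not-built http2=exposed`, which is the situation the thread describes for the Plesk package: the mp4 issue cannot apply because the module is not in the binary, while the HTTP/2 module is present and the version predates the fix, so that one depends on the vendor update. The numeric sort in `version_lt` matters because a plain string comparison would rank 1.9.x above 1.14.x.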
 
Regarding the HTTP/2 vulnerability, developers informed me that they are preparing updates for 17.9 and earlier versions too. They have not provided me with any ETA.
 