Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
    Stefana Muller
    Message from user @itinkoff
    Hi, on CentOS 6 Opsani incorrectly reports Apache vulnerabilities. It tells that it is vulnerable to CVE-2017-7679: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. While CentOS backported that to 2.2.15: https://access.redhat.com/security/updates/backporting
    ]# rpm -q --changelog httpd | grep CVE-2017-7679
    • Resolves: #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread

      plesk version

      Product version: Plesk Onyx 17.8.11 Update #10
      OS version: CentOS 6.9
      Architecture: 64-bit
      the same true for the bunch of vulnerabilities: CVE-2017-3169, CVE-2017-3167, CVE-2017-9798, CVE-2017-9788
      the same for ntp package
      CVE-2017-6464, CVE-2017-6463, CVE-2017-6462
    Message from user @JaycomIT_twitter
    My control panel keeps saying I have 2 issues to fix but clicking on fix all says nothing to fix?
    @JaycomIT_twitter VCTR reports all discovered vulnerabilities whether or not there is a fix currently available. Also, VCTR reports but does not fix kernel vulnerabilities, even if there is a fix available. Kernel updates typically require a system reboot and should be done as part of a general system update (VCTR does not reboot your server). For this reason you may see fixable vulnerabilities reported which VCTR does not fix.
    @itinkoff Could you please check the version of httpd installed on your Plesk system (it will list among the packages in the VCTR UI). From a brief check of the CentOS vulnerability info, CVE-2017-7679 was fixed in httpd version 2.2.15-60.el6_9.5, but CentOS 6.9, the latest repository, uses httpd version 2.2.15-59.el6.
    @30blows CentOS 6.9 uses 2.2.15-60

    yum info httpd

    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    • base: centos-mirror.rbc.ru
    • epel: fedora-mirror01.rbc.ru
    • extras: mirror.reconn.ru
    • updates: mirror.reconn.ru
      Installed Packages
      Name : httpd
      Arch : x86_64
      Version : 2.2.15
      Release : 60.el6.centos.6
      Size : 3.0 M
      Repo : installed
      From repo : updates
      Summary : Apache HTTP Server
      URL : http://httpd.apache.org/
      License : ASL 2.0
      Description : The Apache HTTP Server is a powerful, efficient, and extensible
           : web server.
    Note, that applies to other CVEs that were fixed even earlie, so you should not stick to this one.
    Message from user "John Saves The World" reposted in this channel:

    hi guys
    we have Opsani VCTR pro installed in plesk
    but is getting crash report every hour
    Subject: [abrt] a crash has been detected again

    abrt_version: 2.0.8
    cmdline: /usr/bin/python /usr/bin/yum version -v
    executable: /usr/bin/yum
    hostname: 69-64-67-195.phx.dedicated.codero.com
    kernel: 2.6.32-504.16.2.el6.x86_64
    last_occurrence: 1528924202
    machineid: sosreport_uploader-dmidecode=dca1571d14f45fc502a9341cb578e1358ba22d3616f3b14f62e7807b1636ba1b
    pkg_arch: noarch
    pkg_epoch: 0
    pkg_fingerprint: 0946 FCA2 C105 B9DE
    pkg_name: yum
    pkg_release: 81.el6.centos
    pkg_vendor: CentOS
    pkg_version: 3.2.29
    time: Wed 06 Jun 2018 04:38:20 PM MST
    uid: 491
    username: dgri-report
    do you know how to fix this?

    @John - From the [abrt] notification I suspect that the problem derives from bad permissions on yumdb directories/files. The crash occured when the VCTR agent tried to execute: yum version -v. VCTR uses yum to query and manage packages on CentOS. I expect (because I recently looked at this notification from another customer), that the full notification text indicates that yum failed because of a permission denied error on a file /var/lib/yum/yumdb/<dir>/<file>.

    A bit of digging leads to this open CentOS 6 bug: https://bugs.centos.org/view.php?id=5899. From the bug report, if a package is installed using sudo, the yumdb directories and files, which contain metadata for the package, may be created with the wrong permissions, e.g., using the umask of the user’s shell. This may prevent yum from accessing these files when it is later executed by a different non-root user, in this case the user dgri-report which executes the VCTR agent.

    Without more detail, I cannot be certain. But, you can check the full notification text, and then check the permissions of directories and files under /var/lib/yum/yumdb, where the letter directories <dir> ordinarily have permissions 755, allowing all users read/execute access, and the files <file> ordinarily have permissions 644, allowing all users read access.

    If you see permissions such as 750 for a directory or 640 for a file, then that is the likely cause of the failure. Fixing the permissions should fix the problem.

    Please let me know if this is the case, and if the suggested fix works.

    @itinkoff That is unexpected. It may be that you have more than one version of httpd installed. In this case, VCTR will report vulnerabilities for all installed versions. Could you look at the package list in the VCTR UI and see if more than one httpd package is installed. Thanks.
    @30blows only one.
    might be somehow related to env: it is Virtuozzo 7 container and Plesk 17.8
    hello, will opsani vctr plesk support debian9 in future?
    •Execution of /opt/psa/tmp/modulejzrHFA/plib/scripts/pre-install.php failed with exit code 1 and the output:
    •Pre-install check failed: Debian 9.0 is not a supported OS
    Danny Beckett
    Hi, I'm trying to fix vulnerabilities for the first time (I just bought a license), but it says there's nothing to fix; when there is! :( Any ideas?