In case you don't know yet

mlovick
06-27-2002, 11:33 AM
Hosts.. You better upgrade.
http://httpd.apache.org/info/security_bulletin_20020620.txt

akashik
06-27-2002, 01:34 PM
There was a thread about this a few days ago, I think. Already at 1.3.26 over here :)
Greg Moore

clocker1996
06-27-2002, 01:53 PM
Feel bad for the so many that don't bother upgrading.

mwatkins
06-27-2002, 01:58 PM
I've upgraded, but as I read the issue, it's quite bad for Windows and Novell platforms, but only a bother for *nix, unless you are running a 64-bit *nix. Still worth upgrading, for the whole 22 seconds it takes to do so if you use the mod_* approach.

Rich2k
06-28-2002, 05:00 AM
Don't flame me ;) but what's the easiest way to perform the upgrade? (Red Hat 7.1 / Plesk server)

linuxnewbie
06-28-2002, 07:09 AM
I'm using Ensim 3.0... can I upgrade, or will this affect how Ensim handles things?

magnafix
06-28-2002, 08:56 AM
mwatkins - that's incorrect. There is a remote exploit available for *BSD, and supposedly for Linux too.

mwatkins
06-28-2002, 09:39 AM
The linked reference reads a little differently than the text and reports that were going around a day or so prior. In them, and even in the one linked at the top of this thread, it does suggest that Windows / NetWare platforms suffer more due to architecture. I did not intend to suggest that for *nix platforms the issue is trivial, only that it's orders of magnitude less bad than on Windows/NetWare. Always worth fixing these things, especially when the remedy is as simple as make install clean.
Upgrading OpenSSH was more of a bother and a worry... be sure to enable telnet on your box 'just in case'.

magnafix
06-28-2002, 09:52 AM
Sorry for my terse post earlier -- what I am saying is that the Apache hole is bad for both Windows and *nix, perhaps equally so.
The original advisory said that it was "merely" a DoS for *nix and a remote exploit for Windows, but that was later revised due to the release of an exploit by security group "Gobbles" on OpenBSD which allowed a cracker to get a shell account on the server! Gobbles later released a version which works on FreeBSD and NetBSD and asked the security community whether it made sense to doubt that they also had a Linux exploit. To spell it out for newbies: if you're running a version of Apache prior to 1.3.26, it is likely possible for a knucklehead to 'log into' your webserver with no username and password and delete or deface your website. One report is here: http://online.securityfocus.com/news/493

mwatkins
06-28-2002, 10:22 AM
John - thanks for the update. I saw the initial advisories but not the scalp.c issue.
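As an added example, not code from any poster in this thread, here is a small Python check that applies the "prior to 1.3.26" rule above to `httpd -v` output or a `Server:` banner so a host can audit its own boxes before upgrading. The sample banners are constructed, the comparison is numeric so that 1.3.9 ranks below 1.3.26 (a plain string compare would get that wrong), and the check only judges the 1.x line this thread discusses; the 2.0 branch is deferred to the linked bulletin.

```python
import re
from typing import Optional, Tuple

# Threshold taken from the thread: Apache 1.x builds before 1.3.26 are affected.
FIXED_1_3 = (1, 3, 26)

# Matches the "Apache/x.y.z" token in both 'httpd -v' output and a Server header.
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) as integers, or None if no Apache token is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def needs_upgrade(text: str) -> Optional[bool]:
    """True if the banner reports a 1.x build older than 1.3.26, False if it is
    1.3.26 or later in the 1.x line, None if not Apache or not a 1.x release
    (the 2.0 branch is outside what this thread states; consult the bulletin)."""
    v = parse_apache_version(text)
    if v is None or v[0] != 1:
        return None
    return v < FIXED_1_3  # tuple compare, so (1, 3, 9) < (1, 3, 26) holds


# Constructed sample banners (no real hosts): one 'httpd -v' dump, three Server headers.
SAMPLES = [
    "Server version: Apache/1.3.20 (Unix)",
    "Server: Apache/1.3.9 (Unix) PHP/4.0.6",
    "Server: Apache/1.3.26 (Unix) PHP/4.2.1",
    "Server: Apache/2.0.39 (Win32)",
    "Server: Microsoft-IIS/5.0",
]


def audit(banners) -> dict:
    """Map each banner to its verdict so a fleet can be reviewed in one pass."""
    return {b: needs_upgrade(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in audit(SAMPLES).items():
        label = {True: "UPGRADE", False: "ok", None: "n/a"}[verdict]
        print(f"{label:8} {banner}")
```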