Apache and OpenSSH Vulnerabilities

June 26th, 2002 by Don Marti in

Get your ounce of prevention now.
Your rating: None

While our web site is not a security warning site (we strongly recommend subscribing to your distribution's security mailing list), we feel there are two serious Linux security problems of which you should be aware, even if you don't think your Linux box is a "server".

Both Apache and OpenSSH have had remotely exploitable vulnerabilities reported in the past week.

If you don't know for sure if your Linux box runs Apache or OpenSSH, you are at the greatest risk. We do not have space here to teach you about your package management tool. All we can say is take your system off the Net, learn how to check what you have installed and either remove these packages or upgrade them. Many Linux distributions come with services running "out of the box" and don't tell users about everything that is present. Do not assume that you're not running Apache or OpenSSH unless you know for sure how to check.

Please check your distribution's security page for an upgrade, and either install it now or, if for any reason you cannot upgrade, disconnect your systems running Apache or OpenSSH from the network until you deal with it or hire someone who can.

Do not take our word for it. Never type anything as root because you read it in some e-mail, even an e-mail with a respectable From address. Go to the source you trust for Linux packages.

You probably haven't read about these Apache and OpenSSH security problems on the mainstream news sites or seen them on TV. Nobody's web site is being defaced, and no viruses are spreading because of them. That's because in the world of free software, we fix problems early instead of waiting for them to bite us.

But these security holes will get some of us and show up in the mainstream media, probably starting early next week. Exploits are in the hands of a few people now and will be widespread within days. If these exploits are built into a worm, there will be a massive compromise of Linux systems everywhere very quickly. (An already-built worm that's only waiting for a plugin exploit to arm it could be out soon.)

On Monday morning, a big dumb story will appear in the Mainstream Media about how Open Source Security is Really Lame And Nobody Should Run Linux Ever, along with comments from all the proprietary OS vendors. There will be a screenshot of a defaced web site, or worse. Do you want to smirk at the inaccuracies in the story over your morning coffee, or do you want to spend Monday morning replacing your Linux boxes with something else because it was your web site?

Linux isn't the most secure of the popular OS choices because it's naturally secure; it's secure because we fix things before it's too late. Fix your systems now.

Call to Action

  • If you don't know how to make security fixes on your Linux systems or do not have permission to do them, remove the systems from the Net until you or someone else can fix them.

  • Check your distribution's security updates page for new Apache and OpenSSH packages. Install them.

  • If you're not on your distribution's security mailing list, subscribe now.

  • If you built Apache and OpenSSH from source, get the new versions and install them. Don't forget to replace the "spare" or "emergency" static sshd you might have running on a high port.

Don Marti is technical editor of Linux Journal.

email: dmarti@ssc.com

__________________________

Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer

Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.

Post new comment

Please note that comments may not appear immediately, so there is no need to repost your comment.
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd> <i> <b>
  • Lines and paragraphs break automatically.

More information about formatting options

Newsletter

Each week Linux Journal editors will tell you what's hot in the world of Linux. You will receive late breaking news, technical tips and tricks, and links to in-depth stories featured on www.linuxjournal.com.
Sign up for our Email Newsletter

Tech Tip Videos

See more Linux Journal Videos

From the Magazine

December 2009, #188

If last month's Infrastrucuture issue was too "big" for you then try on this month's Embedded issue. Find out how to use Player for programming mobile robots, build a humidity controller for your root cellar, find out how to reduce the boot time of your embedded system, and if you're new to embedded systems find out the basics that go into one. You can also read about the Beagle Board, the Mesh Potato and a spate of other interestingly named items. And along with our regular columns don't miss our new monthly column: Economy Size Geek.







Read this issue