Apache and OpenSSH Vulnerabilities

June 26th, 2002 by Don Marti in

Get your ounce of prevention now.
Your rating: None

While our web site is not a security warning site (we strongly recommend subscribing to your distribution's security mailing list), we feel there are two serious Linux security problems of which you should be aware, even if you don't think your Linux box is a "server".

Both Apache and OpenSSH have had remotely exploitable vulnerabilities reported in the past week.

If you don't know for sure if your Linux box runs Apache or OpenSSH, you are at the greatest risk. We do not have space here to teach you about your package management tool. All we can say is take your system off the Net, learn how to check what you have installed and either remove these packages or upgrade them. Many Linux distributions come with services running "out of the box" and don't tell users about everything that is present. Do not assume that you're not running Apache or OpenSSH unless you know for sure how to check.

Please check your distribution's security page for an upgrade, and either install it now or, if for any reason you cannot upgrade, disconnect your systems running Apache or OpenSSH from the network until you deal with it or hire someone who can.

Do not take our word for it. Never type anything as root because you read it in some e-mail, even an e-mail with a respectable From address. Go to the source you trust for Linux packages.

You probably haven't read about these Apache and OpenSSH security problems on the mainstream news sites or seen them on TV. Nobody's web site is being defaced, and no viruses are spreading because of them. That's because in the world of free software, we fix problems early instead of waiting for them to bite us.

But these security holes will get some of us and show up in the mainstream media, probably starting early next week. Exploits are in the hands of a few people now and will be widespread within days. If these exploits are built into a worm, there will be a massive compromise of Linux systems everywhere very quickly. (An already-built worm that's only waiting for a plugin exploit to arm it could be out soon.)

On Monday morning, a big dumb story will appear in the Mainstream Media about how Open Source Security is Really Lame And Nobody Should Run Linux Ever, along with comments from all the proprietary OS vendors. There will be a screenshot of a defaced web site, or worse. Do you want to smirk at the inaccuracies in the story over your morning coffee, or do you want to spend Monday morning replacing your Linux boxes with something else because it was your web site?

Linux isn't the most secure of the popular OS choices because it's naturally secure; it's secure because we fix things before it's too late. Fix your systems now.

Call to Action

  • If you don't know how to make security fixes on your Linux systems or do not have permission to do them, remove the systems from the Net until you or someone else can fix them.

  • Check your distribution's security updates page for new Apache and OpenSSH packages. Install them.

  • If you're not on your distribution's security mailing list, subscribe now.

  • If you built Apache and OpenSSH from source, get the new versions and install them. Don't forget to replace the "spare" or "emergency" static sshd you might have running on a high port.

Don Marti is technical editor of Linux Journal.

email: dmarti@ssc.com

__________________________

Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer

Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.

Post new comment

Please note that comments may not appear immediately, so there is no need to repost your comment.
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd> <i> <b>
  • Lines and paragraphs break automatically.

More information about formatting options

Newsletter

Each week Linux Journal editors will tell you what's hot in the world of Linux. You will receive late breaking news, technical tips and tricks, and links to in-depth stories featured on www.linuxjournal.com.
Sign up for our Email Newsletter

Tech Tip Videos

See more Linux Journal Videos

From the Magazine

July 2009, #183

News Flash: Linux Kernel 3.0 to include an on-the-go Expresso machine interface! Ok, maybe not, but Linux is definitely going mobile, from phones to e-readers. Find out more inside about Android, the Kindle 2, the Western Digital MyBook II, The Bug, and Indamixx (a portable recording studio). And if you've gone mobile and you been wanting more Emacs in your life then check out Conkeror.


To compliment the mobile we've got the stationary: parsing command line options with getopt, checking your Ruby code with metric_fu, and building a secure Squid proxy. How is this stationary you ask? What can we say? It's not. We just wanted to see if anybody actually read this part of the page :) .


All this and more, and all you have to do is get your hot sweaty hands on the latest copy of Linux Journal.





Read this issue