Apache and OpenSSH Vulnerabilities

by Don Marti

While our web site is not a security warning site (we strongly recommend subscribing to your distribution's security mailing list), we feel there are two serious Linux security problems of which you should be aware, even if you don't think your Linux box is a "server".

Both Apache and OpenSSH have had remotely exploitable vulnerabilities reported in the past week.

If you don't know for sure if your Linux box runs Apache or OpenSSH, you are at the greatest risk. We do not have space here to teach you about your package management tool. All we can say is take your system off the Net, learn how to check what you have installed and either remove these packages or upgrade them. Many Linux distributions come with services running "out of the box" and don't tell users about everything that is present. Do not assume that you're not running Apache or OpenSSH unless you know for sure how to check.

Please check your distribution's security page for an upgrade, and either install it now or, if for any reason you cannot upgrade, disconnect your systems running Apache or OpenSSH from the network until you deal with it or hire someone who can.

Do not take our word for it. Never type anything as root because you read it in some e-mail, even an e-mail with a respectable From address. Go to the source you trust for Linux packages.

You probably haven't read about these Apache and OpenSSH security problems on the mainstream news sites or seen them on TV. Nobody's web site is being defaced, and no viruses are spreading because of them. That's because in the world of free software, we fix problems early instead of waiting for them to bite us.

But these security holes will get some of us and show up in the mainstream media, probably starting early next week. Exploits are in the hands of a few people now and will be widespread within days. If these exploits are built into a worm, there will be a massive compromise of Linux systems everywhere very quickly. (An already-built worm that's only waiting for a plugin exploit to arm it could be out soon.)

On Monday morning, a big dumb story will appear in the Mainstream Media about how Open Source Security is Really Lame And Nobody Should Run Linux Ever, along with comments from all the proprietary OS vendors. There will be a screenshot of a defaced web site, or worse. Do you want to smirk at the inaccuracies in the story over your morning coffee, or do you want to spend Monday morning replacing your Linux boxes with something else because it was your web site?

Linux isn't the most secure of the popular OS choices because it's naturally secure; it's secure because we fix things before it's too late. Fix your systems now.

Call to Action
  • If you don't know how to make security fixes on your Linux systems or do not have permission to do them, remove the systems from the Net until you or someone else can fix them.

  • Check your distribution's security updates page for new Apache and OpenSSH packages. Install them.

  • If you're not on your distribution's security mailing list, subscribe now.

  • If you built Apache and OpenSSH from source, get the new versions and install them. Don't forget to replace the "spare" or "emergency" static sshd you might have running on a high port.

Don Marti is technical editor of Linux Journal.

Load Disqus comments