Author |
Message |
J4Y n00b
Joined: 29 Aug 2002 Posts: 14 Location: Toronto
|
Posted: Sun Sep 15, 2002 2:21 pm Post subject: Apache ssl worm |
|
|
Someone pointed this out on my local LUG mailing list. A worm which exploits any ssl enabled Apache webserver. Apparently all versions of Apache on Gentoo are vulnerable.
http://www.sophos.com/virusinfo/analyses/linuxslappera.html
I have emerged the latest apache (apache 1.3.26-r3) and mod_ssl (mod_ssl 2.8.10), am I still vulnerable? |
|
|
|
pilla Bodhisattva
Joined: 07 Aug 2002 Posts: 7729 Location: Underworld
|
Posted: Sun Sep 15, 2002 2:53 pm Post subject: Re: Apache ssl worm |
|
|
I thought the problem was with openssl < 0.9.6g (which is already in portage)
emerge it!!
J4Y wrote: | Someone pointed this out on my local LUG mailing list. A worm which exploits any ssl enabled Apache webserver. Apparently all versions of Apache on Gentoo are vulnerable.
http://www.sophos.com/virusinfo/analyses/linuxslappera.html
I have emerged the latest apache (apache 1.3.26-r3) and mod_ssl (mod_ssl 2.8.10), am I still vulnerable? |
|
|
|
|
msb21 n00b
Joined: 24 Aug 2002 Posts: 47
|
Posted: Sun Sep 15, 2002 5:18 pm Post subject: |
|
|
If you are running a version of openssl greater than .0.9.6d, according to the security release, you should be fine. I am running .0.9.6e. How do you upgrade packages? openssl-0.9.6g is available and when I ran emerge upgrade world and system it did not upgrade this package.
Thanks,
matt |
|
|
|
pilla Bodhisattva
Joined: 07 Aug 2002 Posts: 7729 Location: Underworld
|
Posted: Sun Sep 15, 2002 5:45 pm Post subject: |
|
|
try
Code: |
emerge rsync
emerge openssl
emerge clean
|
msb21 wrote: | If you are running a version of openssl greater than .0.9.6d, according to the security release, you should be fine. I am running .0.9.6e. How do you upgrade packages? openssl-0.9.6g is available and when I ran emerge upgrade world and system it did not upgrade this package.
Thanks,
matt |
|
|
|
|
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
|
Posted: Sun Sep 15, 2002 9:20 pm Post subject: |
|
|
Make sure if you are using mod_ssl to remerge it after you have upgraded openssl.
_________________
For every higher wall, there is a taller ladder |
|
|
|
Messiah Tux's lil' helper
Joined: 30 Apr 2002 Posts: 139
|
Posted: Tue Sep 17, 2002 5:00 pm Post subject: |
|
|
May I ask why one has to remerge mod_ssl after remerging openssl? Does the same apply to other 'dependencies'? For instance, does one have to remerge mod_ssl (or mod_php) after remerging apache? |
|
|
|
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
|
Posted: Tue Sep 17, 2002 6:48 pm Post subject: |
|
|
Messiah wrote: | May I ask why one has to remerge mod_ssl after remerging openssl? |
It's a good question. Since mod_ssl.so is dynamically linked against openssl, you would think that it would magically pick up the new version, but it didn't for me. I checked Apache's error.log file and it would still say the old version of OpenSSL until I remerged mod_ssl.
Quote: | Does the same apply to other 'dependencies'? For instance, does one have to remerge mod_ssl (or mod_php) after remerging apache? |
It depends on the exact software in question. In your example, if you upgraded Apache from 1.3 to 2.0, I would expect Apache might have a completely different calling syntax and remerging mod_ssl and mod_php would be needed. If it's only a minor version bump, there should be no need to remerge mod_ssl and mod_php just because apache has been upgraded.
_________________
For every higher wall, there is a taller ladder |
|
|
|
count Apprentice
Joined: 28 May 2002 Posts: 242 Location: Dalton, MA
|
Posted: Tue Sep 17, 2002 7:01 pm Post subject: |
|
|
How do you know if you've been infected??
_________________
- Joseph Monti
_________________
This message is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. For more info visit http://joemonti.org/ |
|
|
|
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
|
Posted: Tue Sep 17, 2002 7:17 pm Post subject: |
|
|
count wrote: | How do you know if you've been infected?? |
Did you follow the link in the first post of the thread? Look for processes and files in /tmp/ named .bugtraq.
_________________
For every higher wall, there is a taller ladder |
|
|
|
nemo_ Apprentice
Joined: 19 Sep 2002 Posts: 167 Location: Brussels, Belgium
|
Posted: Thu Sep 19, 2002 12:52 am Post subject: openssl vulnerability checking tool |
|
|
Someone posted this on bugtraq a few days ago, I think many of you might be interested. It checks for the buffer overflow the slapper worm uses, and can also check other openssl enabled services like stunnel, sendmail with TLS ...
Thanks to this tool I found out my apache was still vulnerable because it was loading an old module even though it had the patched code built in (duh)
http://CERT.Uni-Stuttgart.DE/advisories/openssl-sslv2-master/openssl-sslv2-master.c |
|
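The situation rac and nemo_ describe above (openssl upgraded, but the running Apache still reporting the old library) can be checked from the error log. This is an added example, not code from the thread or from any poster: the function names are hypothetical, the log lines are constructed, the banner is assumed to carry an `OpenSSL/<version>` token, and the minimum version is supplied by the caller (0.9.6g is the version the thread upgrades to).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and the
# log lines below are constructed.

# Print the OpenSSL version from the newest startup banner in an Apache error
# log, assuming the banner carries an "OpenSSL/<version>" token.
running_openssl_version() {
    sed -n 's|.*OpenSSL/\([0-9][0-9.]*[a-z]*\).*|\1|p' "$1" | tail -n 1
}

# Turn "0.9.6g" into the sortable key "000009006g" (zero-padded numbers plus
# the patch letter), so 0.9.6e < 0.9.6g < 0.9.7 under string comparison.
version_key() {
    printf '%s\n' "$1" | awk '{
        v = $0; letter = ""
        if (match(v, /[a-z]+$/)) { letter = substr(v, RSTART); v = substr(v, 1, RSTART - 1) }
        n = split(v, part, ".")
        for (i = 1; i <= 3; i++) printf "%03d", (i <= n ? part[i] : 0)
        print letter
    }'
}

# Exit status: 0 = running server reports at least version $2,
# 1 = it still reports an older OpenSSL, 2 = no banner found in log $1.
check_running_openssl() {
    running=$(running_openssl_version "$1")
    [ -n "$running" ] || { echo "no OpenSSL banner in $1"; return 2; }
    if awk -v a="$(version_key "$running")" -v b="$(version_key "$2")" \
        'BEGIN { exit !((a "") < (b "")) }'; then
        echo "STALE: Apache reports OpenSSL/$running, expected >= $2"
        return 1
    fi
    echo "OK: Apache reports OpenSSL/$running"
}

# Constructed log: Apache was restarted after the openssl upgrade, but the
# banner is unchanged because mod_ssl has not been remerged yet.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
[Sun Sep 15 14:02:11 2002] [notice] Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e configured -- resuming normal operations
[Tue Sep 17 18:40:03 2002] [notice] Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e configured -- resuming normal operations
EOF
check_running_openssl "$demo_log" 0.9.6g || true
rm -f "$demo_log"
```

A STALE result after a restart is the case rac reports, where the banner only changed once mod_ssl was remerged.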