[PLUG] [plhofmei at zionlth.org: Fwd: bugtraq.c httpd apache ssl attack]

Don Buchholz don at truedisk.com
Sat Sep 14 00:25:54 UTC 2002


Use 'rhn_register' to register your box w/ RedHat.

Then use 'up2date' to update all RPMs to the latest version
RedHat has released for your distribution.


Steven Raymond wrote:

>So, being anxious by the threat and afraid of breaking my system, what is
>the best path to upgrade?
>Would prefer to upgrade with an rpm, but a few hours ago RedHat & RPMFind
>did not have updated OpenSSH nor Apache rpms out yet.
>Is it difficult to patch an existing RPM installation?  Doesn't patching
>require recompilation - something impossible from a binary-installed RPM?
>How well would installing the binary file available on apache.org play
>with my already-installed rpm?
>Thanks for the advice!
>
>>On 13 Sep 2002, Jon Jacob wrote:
>>
>>>Okay, I need to upgrade OpenSSL but it also sounded like it would best
>>>to upgrade Apache as well or is the OpenSSL upgrade part of that.
>>
>>You'll want to upgrade Apache as well because every version that's
>>shipped with RedHat (even up to 7.3) is vulnerable to the chunk encoding
>>stack overflow vulnerability.
>>
>>>If the thing is running as Apache, then it shouldn't have access to a
>>>whole lot, right?  Or am I being naive?
>>
>>Correct.  The worm wouldn't have root access, but it can still infect
>>other computers and be used in DDoS attacks, for example.
>>
>>
>>_______________________________________________
>>PLUG mailing list
>>PLUG at lists.pdxlinux.org
>>http://lists.pdxlinux.org/mailman/listinfo/plug