(sorry, inserted carriage returns below)
Hi folks,

A web server at work got cracked on Sunday, and it looks like
they used the SSL hole. The bad person left a .tar.gz file in a
directory, and we did a Google search on the filename, and voila -- it
was a script (uploaded Sep 17) that exploited the vulnerability.

I heard about the SSL vulnerability before our server was
cracked, and did some reading. I didn't patch, because of:
http://www.mandrake.com/en/archives/expert/2002-09/msg00588.php
The paragraph where they wrote Linux-Mandrake 8.2 was not vulnerable
... well, maybe they were referring to it with the openssl -2.3mdk
patch.

So, patch up, even if you read something that says "this is
not vulnerable", as you may be taking it out of context, or they may
be wrong. As of Sep 17 at least, there are automated tools for script
kiddies that will exploit the hole.

Here's the 8.2 security page:
http://www.mandrake.com/en/security/mdk-updates.php3?dis=8.2

I assume this is the right one to install:
http://www.mandrake.com/en/security/2002/MDKSA-2002-046-1.php?dis=8.2
(That gives you the filename; I assume you click on FTP server mirrors
and find a mirror to actually download it. I haven't really used
Mandrake's auto-update tools.)

There is a longer discussion here:
http://www.mandrake.com/en/archives/expert/2002-09/
(search for openssl)

Jeffrey Twu
[EMAIL PROTECTED]