Hi folks,

        A web server at work got cracked on Sunday, and it looks like they used the 
SSL hole.  The bad person left a .tar.gz file in a directory, and we did a Google 
search on the filename, and voila -- it was a script (uploaded Sep 17) that exploited 
the vulnerability.

        I heard about the SSL vulnerability before our server was cracked, and did 
some reading.  I didn't patch, because of:

http://www.mandrake.com/en/archives/expert/2002-09/msg00588.php

The paragraph where they wrote Linux-Mandrake 8.2 was not vulnerable ... well, maybe 
they were referring to it with the openssl -2.3mdk patch.

        So, patch up, even if you read something that says "this is not vulnerable", 
as you may be taking it out of context, or they may be wrong.  As of Sep 17 at least, 
there are automated tools for script kiddies that will exploit the hole.

        Here's the 8.2 security page:

http://www.mandrake.com/en/security/mdk-updates.php3?dis=8.2

        I assume this is the right one to install:

http://www.mandrake.com/en/security/2002/MDKSA-2002-046-1.php?dis=8.2
(That gives you the filename; I assume you click on FTP server mirrors and find a 
mirror to actually download it.  I haven't really used Mandrake's auto-update tools.)

        There is a longer discussion here:

http://www.mandrake.com/en/archives/expert/2002-09/
(search for openssl)

Jeffrey Twu
[EMAIL PROTECTED]
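As an added example (not part of Jeffrey's message, and not MandrakeSoft's code), here is a small POSIX shell check that takes the name-version-release string `rpm -q openssl` prints and reports whether the package is at or beyond the "-2.3mdk" release the message refers to. The fixed release 2.3mdk comes from the message; the upstream version 0.9.6c, the sample NVR strings, and the helper names `vercmp` and `is_patched_nvr` are assumptions constructed for illustration, not taken from the message or the advisory.

```shell
#!/bin/sh
# Added example, not from the original message or from MandrakeSoft.
# Given the name-version-release string that `rpm -q openssl` prints on a
# Mandrake 8.2 box, decide whether the package is at or beyond the
# "-2.3mdk" release the message refers to.
# Assumptions: the fixed release is 2.3mdk (taken from the message); the
# upstream version 0.9.6c and the sample NVR strings below are constructed
# for illustration, not taken from the message or the advisory.

FIXED_RELEASE="2.3mdk"
MIN_VERSION="0.9.6c"   # assumed upstream version of the 8.2 package

# vercmp A B: compare dotted version strings component by component.
# Each component's numeric prefix is compared as an integer and any
# trailing letters (6c vs 6g, 3mdk vs 1mdk) as strings. Prints -1, 0 or 1.
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    case $a in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=$a; a= ;; esac
    case $b in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=$b; b= ;; esac
    xn=$(printf '%s' "$x" | sed 's/[^0-9].*//'); xs=${x#"$xn"}
    yn=$(printf '%s' "$y" | sed 's/[^0-9].*//'); ys=${y#"$yn"}
    xn=${xn:-0}; yn=${yn:-0}
    [ "$xn" -lt "$yn" ] && { printf '%s\n' -1; return 0; }
    [ "$xn" -gt "$yn" ] && { printf '%s\n' 1; return 0; }
    if [ "$xs" != "$ys" ]; then
      # same number, different letter suffix: compare the suffixes as strings
      [ "$(expr "$xs" \< "$ys")" = 1 ] && printf '%s\n' -1 || printf '%s\n' 1
      return 0
    fi
  done
  printf '%s\n' 0
}

# is_patched_nvr NVR: exit 0 if NVR is at least $MIN_VERSION-$FIXED_RELEASE.
# A newer upstream version than $MIN_VERSION is assumed to carry the fix.
is_patched_nvr() {
  nvr=$1
  rel=${nvr##*-}                  # e.g. 2.1mdk
  ver=${nvr%-*}; ver=${ver##*-}   # e.g. 0.9.6c
  case $(vercmp "$ver" "$MIN_VERSION") in
    1)  return 0 ;;
    -1) return 1 ;;
  esac
  [ "$(vercmp "$rel" "$FIXED_RELEASE")" != "-1" ]
}

# Constructed sample `rpm -q openssl` outputs, one per line (not real output).
SAMPLE_NVRS="openssl-0.9.6c-2.1mdk
openssl-0.9.6c-2.3mdk
openssl-0.9.6g-1mdk"

# report_all: print a verdict for each constructed sample.
report_all() {
  for nvr in $SAMPLE_NVRS; do
    if is_patched_nvr "$nvr"; then
      echo "$nvr: at or beyond $FIXED_RELEASE, looks patched"
    else
      echo "$nvr: below $FIXED_RELEASE, install the MDKSA-2002-046-1 update"
    fi
  done
}

report_all
# On a real box: is_patched_nvr "$(rpm -q openssl)" && echo patched
```

The release field is compared separately from the upstream version because a vendor backport keeps the upstream version (0.9.6c here) and only bumps the mdk release, which is exactly the situation the message describes: a box that "has openssl" can still be unpatched unless the release is at or past the advisory's.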
