Josh,
I believe the virus only affects systems pre-0.9.6e:
http://www.openssl.org/news/secadv_20020730.txt.
Thanks,
Christian
-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group
-----Original Message-----
From: Josh Chamas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 2:43 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Linux + Apache Worm exploiting pre 0.9.6g OpenSSL
vulnerabilities on the loose
Hey,
There seems to be a worm spreading for Apache + Linux + OpenSSL
servers that I saw a discussion on at
http://apache.slashdot.org/apache/02/09/13/2315246.shtml?tid=172
Seems like we need to upgrade our apache servers to OpenSSL 0.9.6g
if we haven't already. I didn't see this posted to mod_perl
yet, forgive me if this has been sent out already.
Based on discussion at:
http://online.securityfocus.com/bid/5363/discussion/
it seems that we might need to upgrade modssl as well,
but I have not seen a release of modssl since June
( see http://www.modssl.org/news/ ), so this seems to
not be necessary, but do not take my word for it, upgrade
if you think it's a good idea ( probably is anyway ).
Regards,
Josh
Josh Chamas, Founder    phone: 925-552-0128
Chamas Enterprises Inc.    http://www.chamas.com
NodeWorks Link Checking    http://www.nodeworks.com