The Community Forums

Interact with an entire community of cPanel & WHM users!

openssl security alert - are we safe?

Discussion in 'Security' started by pfmartin, Sep 15, 2002.

  1. pfmartin

    pfmartin Well-Known Member

    Joined:
    Aug 18, 2001
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    This was released recently:

    http://linuxsecurity.com/articles/security_sources_article-5699.html

    I noticed that we are running an older version of openssl. Should we upgrade? Or is it automatic?
     
  2. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by pfmartin:

        This was released recently:

        http://linuxsecurity.com/articles/security_sources_article-5699.html

        I noticed that we are running an older version of openssl. Should we upgrade? Or is it automatic?

    You are not vulnerable if you've updated your system.
     
  3. jsteel

    jsteel Well-Known Member

    Joined:
    Jul 4, 2002
    Messages:
    646
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    Any word on this? Will the upgrade happen automatically if we upgrade cPanel, or do we need to download all the updates (6 in total)?

    Jaz
     
  4. kt

    kt Active Member

    Joined:
    May 4, 2002
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    I just had to upgrade...

    Someone got into mine... but I fixed it for now.

    I had to upgrade to make it more secure. Actually, my NOC upgraded it for me. I would recommend it. These guys are trying to take out everyone.

    KT
     
  5. jsteel

    jsteel Well-Known Member

    Joined:
    Jul 4, 2002
    Messages:
    646
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    Anyone know which versions aren't susceptible? The advisory doesn't really state this. I'm showing I have 0.9.6-13 installed on my box.
     
  6. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    Who's your NOC?
     
  7. jsteel

    jsteel Well-Known Member

    Joined:
    Jul 4, 2002
    Messages:
    646
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    Rackshack via Saburovo. They aren't doing auto updates.

    Jaz
     
  8. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    kt, who's your NOC?
     
  9. CWIMike

    CWIMike Member

    Joined:
    Jul 27, 2002
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Upgrading OpenSSL ourselves

    I need to do the upgrade myself on my box; anything special I need to know other than getting the engine version of OpenSSL? I believe I can find the paths with no problem, but are there any special configuration options I need?
     
  10. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    "The worm seems to pick its targets by server banners; for Apache, you can set the ServerTokens option to ProductOnly to keep it from reporting its operating system and version information."

    You can use this as a temporary workaround.
     
  11. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Attention: You are not vulnerable if...

    you use these builds:

    Red Hat 6.2 : OpenSSL 0.9.5a-29
    Red Hat 7 : OpenSSL 0.9.6-13
    Red Hat 7.1 : OpenSSL 0.9.6-13
    Red Hat 7.2 : OpenSSL 0.9.6b-28
    Red Hat 7.3 : OpenSSL 0.9.6b-28

    Don't be confused: Red Hat has applied security patches to the above releases, and they are not vulnerable, just like OpenSSL 0.9.6e.

    The security issues which were fixed are:
    CAN-2002-0655
    CAN-2002-0656
    CAN-2002-0657
    CAN-2002-0659
    (and all previous security issues)

    Red Hat hasn't provided an OpenSSL 0.9.6e RPM package as of yet (as of the date of this post).

    I used that worm and tried to exploit it (in a test environment), and also tried a DoS attack, but it is impossible if you have those builds.
     
  12. jsteel

    jsteel Well-Known Member

    Joined:
    Jul 4, 2002
    Messages:
    646
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    Will performing an RPM upgrade to OpenSSL via an SSH connection pose a problem?

    Jaz
     
  13. abandoned User

    Joined:
    Sep 16, 2002
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    It won't cause any problem; remember to restart the box (so it restarts SSHD, Apache, etc., which use OpenSSL).
     
  14. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by CPanel User:

        It won't cause any problem; remember to restart the box (so it restarts SSHD, Apache, etc., which use OpenSSL).

    It is not necessary to restart the box. If you have selected Automatic update in cPanel, or run /scripts/upcp, you are not vulnerable.
     
  15. abandoned User

    Joined:
    Sep 16, 2002
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    You'd need to restart SSHD and Apache at least :p
     
  16. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by CPanel User:

        You'd need to restart SSHD and Apache at least :p

    It is not necessary to restart if you use /scripts/upcp or automatic/manual cPanel updates.
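
Whether the daemons need a restart after the library is replaced on disk is something you can check rather than argue about: a process keeps running the code it mapped at start-up, and on Linux /proc/<pid>/maps marks a mapping whose file has since been unlinked (which is what happens when rpm installs the new libssl over the old one) with "(deleted)". The script below is an added example, not from this thread, from cPanel or from Red Hat; it lists the processes that still map a deleted libssl/libcrypto. The maps content embedded in it is constructed sample data, and the path pattern /lib(ssl|crypto).so is an assumption about how the shared objects are named.

```python
"""List processes that still map a deleted libssl/libcrypto after an OpenSSL
RPM upgrade, i.e. processes still running the old code until restarted.
Added example, not part of the thread or of cPanel."""
import os
import re
from typing import Dict, List

# Assumed file-name pattern for the OpenSSL shared objects, e.g. /usr/lib/libssl.so.2
OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)\.so")


def stale_openssl_mappings(maps_by_pid: Dict[int, str]) -> Dict[int, List[str]]:
    """maps_by_pid: pid -> text of that process's /proc/<pid>/maps.
    Returns pid -> sorted list of deleted libssl/libcrypto paths still mapped.
    A maps line is: address perms offset dev inode [pathname]; the kernel
    appends ' (deleted)' to the pathname once the mapped file is unlinked."""
    stale: Dict[int, List[str]] = {}
    for pid, text in maps_by_pid.items():
        hits = set()
        for line in text.splitlines():
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # anonymous mapping, no pathname
            path = fields[5]
            if path.endswith("(deleted)") and OPENSSL_LIB.search(path):
                hits.add(path)
        if hits:
            stale[pid] = sorted(hits)
    return stale


def read_proc_maps() -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every process we may read
    (run as root to see sshd and httpd)."""
    maps: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as f:
                maps[int(entry)] = f.read()
        except OSError:  # exited meanwhile, or permission denied
            continue
    return maps


def process_name(pid: int) -> str:
    """Process name from /proc/<pid>/stat (inside the first parentheses);
    works on old kernels that have no /proc/<pid>/comm."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
        return stat[stat.index("(") + 1:stat.rindex(")")]
    except (OSError, ValueError):
        return "?"


# Constructed sample, not real output: 1234 stands for an httpd started before
# the upgrade, 5678 for an sshd restarted afterwards, 9999 for a process that
# does not use OpenSSL at all.
SAMPLE_MAPS = {
    1234: "40000000-40014000 r-xp 00000000 03:01 49152 /lib/ld-2.2.so\n"
          "40123000-40150000 r-xp 00000000 03:01 12345 /usr/lib/libssl.so.2 (deleted)\n"
          "40150000-40220000 r-xp 00000000 03:01 12346 /usr/lib/libcrypto.so.2 (deleted)\n",
    5678: "40123000-40150000 r-xp 00000000 03:01 22345 /usr/lib/libssl.so.2\n"
          "40150000-40220000 r-xp 00000000 03:01 22346 /usr/lib/libcrypto.so.2\n",
    9999: "40000000-40014000 r-xp 00000000 03:01 49152 /lib/ld-2.2.so\n"
          "bffe0000-c0000000 rwxp 00000000 00:00 0\n",
}

if __name__ == "__main__":
    live = os.path.isdir("/proc/self")
    stale = stale_openssl_mappings(read_proc_maps() if live else SAMPLE_MAPS)
    if not stale:
        print("no process maps a deleted libssl/libcrypto")
    for pid, libs in sorted(stale.items()):
        name = process_name(pid) if live else "sample"
        print(f"pid {pid} ({name}) still maps: {', '.join(libs)}")
```

Every pid it prints has to be restarted (or the box rebooted) before the upgrade actually protects that service. One caveat: a daemon that links OpenSSL statically, as custom Apache/mod_ssl builds often do, has no libssl mapping at all, so this check cannot see it; `ldd` on the binary tells you which case you are in, and a statically linked binary has to be rebuilt against the new library.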
     
  17. jsteel

    jsteel Well-Known Member

    Joined:
    Jul 4, 2002
    Messages:
    646
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    Originally posted by itf:

        Originally posted by CPanel User:

            You'd need to restart SSHD and Apache at least :p

        It is not necessary to restart if you use /scripts/upcp or automatic/manual cPanel updates.

    Are you saying that I don't need to manually upgrade the rpm if I've just manually upgraded cPanel?

    Jaz
     
  18. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by jsteel:

        Originally posted by itf:

            Originally posted by CPanel User:

                You'd need to restart SSHD and Apache at least :p

            It is not necessary to restart if you use /scripts/upcp or automatic/manual cPanel updates.

        Are you saying that I don't need to manually upgrade the rpm if I've just manually upgraded cPanel?

        Jaz

    No, you don't need to manually upgrade it; read my posts please.
     
  19. bdraco

    bdraco Guest

    If you have security updates enabled you shouldn't have to worry about this.
     
  20. jsteel

    jsteel Well-Known Member

    Joined:
    Jul 4, 2002
    Messages:
    646
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Atlanta, GA
    I see that 28 was finally installed last night via a security update; however, when I do 'rpm -qa openssl*', it shows this:

    openssl-devel-0.9.6b-28
    openssl095a-0.9.5a-18
    openssl-0.9.6b-28
    openssl096-0.9.6-13

    Why do the second and fourth entries show up as installed? Both of these are susceptible versions.

    Jaz
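
To turn the build table from post 11 and the `rpm -qa openssl*` output from post 20 into a check you can run on a box, here is an added example script; it is mine, not cPanel's or Red Hat's. It implements the RPM version-comparison rule (so that release "28.7" sorts after "28" and "0.9.6b" after "0.9.6"), judges openssl and openssl-devel against the releases the thread lists, and deliberately reports the compatibility packages (openssl095a, openssl096), which that table does not cover, as unknown rather than guessing. The embedded package list is the one from post 20, and the rule about which package names the table covers is this script's assumption.

```python
"""Check the output of `rpm -qa 'openssl*'` against the patched Red Hat
builds listed in this thread.  Added example, not cPanel or Red Hat tooling;
the table is copied from post 11 and the package-name rules are assumptions."""
import re
import subprocess
from typing import Dict, List, Tuple

# Minimum patched release for each upstream version, as listed in the thread
# (Red Hat 6.2 through 7.3).  Keyed on the RPM "version" field.
PATCHED_RELEASE: Dict[str, str] = {
    "0.9.5a": "29",   # Red Hat 6.2
    "0.9.6": "13",    # Red Hat 7 and 7.1
    "0.9.6b": "28",   # Red Hat 7.2 and 7.3
}
# Assumption: the thread's table covers the main package and its -devel
# subpackage only.  Compatibility packages (openssl095a, openssl096) are
# reported as "unknown" rather than judged against a table that omits them.
COVERED = {"openssl", "openssl-devel"}


def _segments(s: str) -> List[str]:
    """Split a version string into numeric and alphabetic runs (rpm style)."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: numeric runs compare as integers, alphabetic runs
    lexically, a numeric run beats an alphabetic one, and the string with
    segments left over is the newer one.  Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(line: str) -> Tuple[str, str, str]:
    """'openssl-devel-0.9.6b-28' -> ('openssl-devel', '0.9.6b', '28').
    Package names may contain dashes, so split on the last two only."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def classify(line: str) -> Tuple[str, str]:
    """Return (package, status) for one `rpm -qa` line."""
    pkg = line.strip()
    name, version, release = split_nvr(pkg)
    if name not in COVERED:
        return pkg, "unknown: not covered by the thread's table (check the vendor advisory)"
    minimum = PATCHED_RELEASE.get(version)
    if minimum is None:
        return pkg, "unknown: version not in the thread's table"
    if rpmvercmp(release, minimum) >= 0:
        return pkg, "patched"
    return pkg, f"VULNERABLE: below {name}-{version}-{minimum}"


def check_output(text: str) -> List[Tuple[str, str]]:
    """Classify every non-empty line of `rpm -qa` output."""
    return [classify(l) for l in text.splitlines() if l.strip()]


# Sample input: the four packages jsteel lists in post 20.
SAMPLE = """\
openssl-devel-0.9.6b-28
openssl095a-0.9.5a-18
openssl-0.9.6b-28
openssl096-0.9.6-13
"""

if __name__ == "__main__":
    try:  # rpm expands the glob itself; no shell is involved
        out = subprocess.run(["rpm", "-qa", "openssl*"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE  # no rpm on this box: fall back to the sample list
    for pkg, status in check_output(out):
        print(f"{pkg:28} {status}")
```

`rpm -qa` needs no root, so this can run as any user. Anything reported as unknown needs the vendor's own advisory rather than this table, and the -devel package only affects what you compile against, not what is currently running.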
     