Linux Worm Spreading, Many Systems Vulnerable
sverrehu writes "A GNU/Linux worm exploiting a bug in OpenSSL spreads through vulnerable Apache web servers, according to Symantec. The worm, which was first reported in Europe, targets several popular Linux distributions. See also the SecurityFocus vulnerability listing for the OpenSSL bug." sionide also writes: "Netcraft recently published a report which explains that a large portion of Apache systems are still unpatched (halfway down). To protect yourself please upgrade to OpenSSL 0.9.6g."
Linux can compete with Microsoft.
I love you Stéphanie
it allows anonymous cowards to attempt to do a first post. those damn bastards. first post.
People need to know that Open Source is just as vulnerable to viruses and worms as proprietary software is... The hackers target the most widespread software, which is more often than not Windowware. Apache is one of the most widespread Linux programs, and its infection is a sign of things to come as more people leave Windows.
Since they'll have to update OpenSSL anyways, any chance people will move to the new Apache at the same time?
(I doubt it, because most network admins are rightly paranoid--may as well keep the devil you know than expose yourself to the devil you don't. Still.. wishful thinking..?)
Why not just tell us what part of the source code to edit to fix this bug?
OpenSSL 0.9.6g? I thought I recently upgraded to e... Hehe.
Well.
*taking down servers for upgrade*
The advisory at Symantec advises the reader to update their virus definitions and run a full system scan. Presumably they are talking about Symantec anti-virus products, but if they make such a product for Linux/x86, I could not detect it on their website.
I upgraded to Apache 2.0 and I love it.
Daniel
It's up my butt! Uggghhh! I'm gonna blow!!!
ppphhhhtttttblaaaaayyyyyyy!!!!!!
Awesome.
...that MS-DOS never had this many problems.
IN TEH FUCHAR, LITERSY WLIL EB OPSHANAL!!!!!111
Apache may not be perfect, but it works quite well for me. I've been using it for 2.5 years and have never had any problems with it.
Only with full disclosure, as is common in the Free software world, and with widespread availability of source code, can security holes be quickly identified and fixed.
Frankly, it's getting tired to see so many reports about Microsoft's incompetence, and I'm surprised Ashcroft hasn't yet arrested Gates for creating systems easy for terrorists to infiltrate. Perhaps if we continue lobbying as in California we will be able to eventually encourage states to only buy secure Open Source software, and problems like this will be a thing of the past.
///The worm uses a Linux shell code exploit which will run only on Intel systems. This code requires the presence of the shell command /bin/sh in order to execute properly.///
How does the worm know what type of system it's running on? Maybe I shouldn't progress to this question, but why would the virus creator leave out the code necessary to infect other chipsets?
Palaces, barricades, threats, meet promises
So, many (I'm not going to wager "most") Apache systems are OK.
Okay, so this vulnerability was published and corrected over a month ago. Of course it's still growing; a lot of people still haven't patched their servers. How is that newsworthy? It's been out for quite a while now, anyway, and nothing is different today from yesterday. Nothing horrible has happened, it's just continuing to do what it was designed to do.
Besides which, the impact is a lot less than, say, Code Red which affected a much larger number of machines -- it hit all unpatched IIS servers versus unpatched SSL-enabled Apache servers.
Again, I ask, how is this news? What has changed that made this story worth reporting again?
apache 2.0 still isn't production ready.
for me production ready means solid PHP support.
Apache has been in use much longer, I trust it more than a new rewrite of apache that has already had a huge hole in it recently.
Contrary to the slashdot post, you only need to be up to 0.9.6e to be safe. If you happen to just now be upgrading past this bug, 0.9.6g is even better, but if you're already running "e" you are safe. The article kinda alarmed me at first when I saw the "g", thinking there was a new exploit in "e" and I needed to upgrade again.
11*43+456^2
Boot sector viruses, IRQ conflicts, etc. etc. etc.
yeah, it's not perfect - it can't keep a consistent vulnerability release each week, like IIS does. :-P
The Adult Happy Meal - "I'm lovin' it!"
Most MS exploits that hit Slashdot are the SAME WAY. MS releases a fix 6 weeks before, most admins don't patch, and then the big exploit hits.
:)
Welcome to the world of mainstream.
The Apache Worm Hunter.
In this case at the very least, you should call such a system Apache/BSD/GNU/Linux, not just GNU/Linux. For obvious reasons.
Well, I tried to be a good citizen. They must be getting hammered.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
this is an openssl vulnerability. get it right.
It isn't perfect, but it's the most widely used webserver in the world.
According to the Symantec report cited in the story, the bug in openssl is this which is reported as RHSA-2002-155, for which the fix is openssl-0.9.6b-24.i386.rpm for RedHat 7.3 i386 (plus some other RPMs for other versions, or other RPMs for other versions of RedHat). Maybe the 'g' build from openssh.org is necessary, but RedHat seems to think they've already fixed it in their "b-24" release.
I would hope people would not have gcc installed on their web servers. No gcc NO problem. Try again.
of Winblows admins moving to *NIX, and having no patching discipline.....
No, seriously, I just come here for the articles.
haha
Of course, it was only a matter of time before hackers showed an interest in this OS. Most parts being open source, perhaps that means that holes in the OS or applications are easier to find, but that goes for both the hackers and for people on the up-and-up. I'm surprised it took so long, and it will certainly happen again. The real question is: how will the admins of the affected or vulnerable servers act, and how many are aware of the issue?
And that is where Linux is starting to lose its edge on Windows: the quality of the sysadmins. With the risk of being accused of making a crass generalisation, I'd say that many, many Windows sysadmins are of the point-and-click Mickey Mouse variety. Worse, not just the admins, but the infrastructure architects as well. After all, all you need to set up a domain is to complete one easy wizard, right? I have seen the result in all its ugly glory. Linux on the other hand required an admin who knows what he is doing, since there were no easy wizards. Much configuration was by editing files, with the how-to printouts in hand.
I say "required" in the past tense, since Linux is becoming easier and easier to set up. Some distros are close to the point where I'd be happy to give the CD to my mom and have her set up her own desktop. That is not a bad thing. Yet, I already have seen a few (very few, thankfully) "sysadmins" setting up Linux boxes for database or web services, without really knowing what they are doing. When we get to the point where managers themselves can set up Linux, they will be tempted to hire less and less qualified staff, as has already happened to a large degree with Windows NT.
My fear is that Linux servers will be run by less qualified people in the future, and that it will cause the proliferation of aggressive and effective Linux virii.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Holy Smokes, Slashdorks, you'd better hurry up and circle those wagons with claims of how this doesn't matter (or, even better, how it's probably Microsoft's fault), otherwise your humility may wind up showing! Come on losers, it's not as though you have anything else going on for the weekend.
Go! Go! Go!
Block udp port 2002 in.
-
threat neutralized.
next!!!
To put things in perspective, this kind of thing is so rare with Linux / Apache that it warrants a front page note on Slashdot.
It happens so often with Windows that it wouldn't even give a +1 informative.
If you follow the stoopid /. suggestion, and compile/install the new OpenSSL you are going to leave RPM nirvana and enter "random untracked apps linked against random untracked libraries" hell.
The correct solution is to run:
up2date -u
OR, if you don't use the free Red Hat Network, run:
rpm -Fvh ftp://updates.redhat.com/X.Y/en/os/i386/openssl*
rpm -Fvh ftp://updates.redhat.com/X.Y/en/os/i686/openssl*
rpm -Fvh ftp://updates.redhat.com/X.Y/en/os/i386/mod*
rpm -Fvh ftp://updates.redhat.com/X.Y/en/os/i386/apache*
Of course, replace X.Y with your version such as 7.0, 7.1, 7.2, 7.3, etc.
PEOPLE! Package management is GOOD. You should get and apply the updated packages from your vendor/distro. Slashdot editors/submitters should get a clue instead of recommending solutions that ultimately fsck stuff up.
Well, if you are using Debian unstable you should be at 0.9.6g-2. After reading the story I started up dselect and was surprised to see that I already had the patch. Still getting a shitload of ../winnt/system32/cmd.exe?/c+dir... requests though. Damn script kiddies
But don't a decent amount of the readers here make statements like "At least us linux admins patch our boxes regularly". And "There is a patch available that night, and most linux admins patch asap; whereas MCSE's never patch".
I hope I never see another post stating that again, ok? Especially not a god damned +5 one.
I live in a giant bucket.
This is bad news especially considering many governments and institutions have adopted linux because windows was said to be 'insecure'.
GoatPigSheep, the 3 most important food groups
...non-Linux systems running Apache/OpenSSL?
I realize the binary may not run on FreeBSD/OSX/etc., but the vulnerability itself is not Linux-specific, right? Could the virus be ported?
Sorry, I'd RTFA but it's slashdotted.
SuSE fixed this several weeks ago.
This is very old news that windoze users just found out about and they are having fun about it. For most of us it is a non issue.
2. Write up a note.
3. Memorize location of controls.
4. Crawl inside microwave.
5. Set microwave to defrost for 4 minutes.
6. Close Door.
7. It would help at this point to have already mastered telekinesis.
8. Turn it on.
It seems to me that some basic precautions close this hole before you are even vulnerable... first, only root should be able to run gcc... and second, the webserver daemon should not be running as root anyways... I've never administered an apache server, only AOLServer, and it won't even *let* you run it as root... so if you can't get the server to run code as root and only root can run gcc, then you've got no problems...
-jag
http://starboard.flowtheory.net/
The primary thing that has concerned me the most about most web based worms is the fact that they usually infect systems using exploits that have long since been patched. This is true for both *nix and Windows worms.
Unfortunately given human nature, we can't rely on sys admins and end users to patch their boxen. Almost every mechanism I can think of to automate this process either calls for automatically updating machines (which sucks if a patch breaks an untested scenario and also may need some legal exemptions) or some similar mechanisms to enable computers to help themselves.
Any Slashdotters have any thoughts about this?
Is anyone else rooting for the worm?
:(
No pun intended
There is a lesson to be learned here. Linux is not virus proof, open source is not virus proof. People are lazy and it doesn't matter if they run Linux or Windows, they still won't patch things, so there will always be problems. Open source vs. closed source isn't going to change anything if admins/users don't patch. Actually, if you're dealing with open source and admins/users that don't patch, open source makes things worse since the vulnerabilities of systems are spelled out to virus makers; they don't have to look for them. These are the problems faced as people go from Windows to Linux: the OS may change, the operator does not. Apache is working on becoming the model for demonstrating this.
still don't remember my login password
recommendations
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
phew, thanks symantec - now my webserver is safe from windows screensavers
How the hell is parent a troll? Stupid moderators.
Just because the source is usually open, and just because it isn't MS crapware, does not mean by any stretch of the imagination that it is immune. Start using your brains people... now about your voting habits :)
where's the microsoft FUD of reasoning stating that this is exactly why you shouldn't switch to Linux
Jesus saves souls and redeems them for valuable cash prizes
Thus no need to panic assuming you subscribe to security.debian.org in your apt and have run a "apt-get update; apt-get upgrade".
Info of course from here and here.
--Karl
IIS comes out with so many vulnerability patches because it sucked so bad to begin with. Microcrap makes me sick.
bluHatter
Or installed a standard Linux distro that by default puts a buggy Apache+mod_ssl+OpenSSL binary in...
It's a shame that so much stuff comes "with" all the popular linux distributions. Ideally a server should be stripped down to the bare minimum of what's truly needed, not loaded up with all sorts of junk, otherwise you spend all your time patching up the junk as it gets exploited.
This is why I subscribe to the Mandrake Security mailing list. I got an e-mail about this a little while back, did a "urpmi --auto-select", saw ssl in there, and bang. No more problem for me.
-Serp
This is offtopic but hey, I felt compelled.
You are absolutely correct in your comparison of pools, restaurants, smoking, and peeing. However, in a free society, I should be able to run a pool that people can pee in or a restaurant that people can smoke in. The nice thing about a free society is, people who don't like it don't have to show up.
Nowhere in the constitution does it say you have the right to make every pool be piss-free and every restaurant be smoke-free.
Think about it.
Most of us home users don't run https servers so -- correct me if I'm wrong -- this doesn't really affect us. Putting my neck out further, would it be safe to say if you firewall port 443 (https) then you should be safe from this bug?
Execution.
the worm ONLY affects SSL-enabled Apache servers, not your run of the mill (non mod_ssl) servers.
And I didn't even have to be a 'subscription customer'. God I hate that. Why should we have to pay to get the latest updates to our FREE software? If that isn't Microsoftian, I don't know what is.
GIR: I'm going to sing the Doom song now. Doom doom doom doom doom doom de-doom doom doom doom doom doom doom...
A couple of days ago, I went on a standard errata gathering run, and downloaded openssl-0.9.6b-28.i386.rpm & etc. for 7.2. I don't see -24 in either the 7.2 or 7.3 directory, even though the page you linked to lists it. I would presume, however, that -28 is not vulnerable.
To be technical, Apache is perfect, OpenSSL isn't
Seems a bit more detailed.
//cow
Here is the alert:
published: 2002-09-13
OpenSSL, the collection of libraries and programs used by many popular programs, has had a number of security problems recently. It looks like the problems are not over yet.
It has been discussed on several mailing lists, that aside from the exploit known for openssl 0.9.6d, there are exploits available for even the most recent version (0.9.6g).
As a precaution, we recommend to disable programs that use openssl as much as possible. The exploits available so far focus on apache, which is probably the most common exposed service that is using openssl.
As a precaution, we recommend disabling SSLv2, if you have to run an Apache server with mod_ssl enabled. The magic configuration lines are:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
One of the openssl apache exploits was found to install a DDOS agent called 'bugtraq.c'. It uses port 2002 to communicate and can be used to launch a variety of DDOS attacks. This program uses UDP packets on port 2002 to communicate, not necessarily to attack.
-
cow's go muu~
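As an added example (not part of the alert or of anyone's post here), the check below applies the SSLProtocol semantics the alert relies on to an httpd.conf and lists every SSL-enabled context in which SSLv2 is still accepted, including the case where no SSLProtocol line exists at all and mod_ssl's default of "all" applies. The sample configuration is constructed.

```python
"""Added example: evaluate Apache mod_ssl SSLProtocol directives and report
every SSL-enabled context in which SSLv2 is still switched on."""
import re

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
DEFAULT_PROTOCOL = "all"   # mod_ssl's value when no SSLProtocol line exists


def enabled_protocols(args):
    """Apply SSLProtocol argument semantics left to right:
    'all' stands for every protocol, '+name' adds, '-name' removes, and a
    bare name replaces the current set (as mod_ssl's own parser does)."""
    enabled = set()
    for tok in args.split():
        action, name = "", tok
        if tok[0] in "+-":
            action, name = tok[0], tok[1:]
        if name.lower() == "all":
            names = set(PROTOCOLS)
        else:
            names = {p for p in PROTOCOLS if p.lower() == name.lower()}
            if not names:
                raise ValueError("unknown SSLProtocol value: %r" % tok)
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


_VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.IGNORECASE)
_VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
_DIRECTIVE = re.compile(r"^\s*(SSLEngine|SSLProtocol)\s+(.+?)\s*$", re.IGNORECASE)


def audit_sslv2(config_text):
    """Return [(context, protocol_args)] for each context (global or a
    <VirtualHost>) that has SSLEngine on and still accepts SSLv2.
    A vhost inherits SSLEngine/SSLProtocol from the enclosing context."""
    findings = []

    def close(ctx):
        args = ctx["protocol"] or DEFAULT_PROTOCOL
        if ctx["engine"] and "SSLv2" in enabled_protocols(args):
            findings.append((ctx["name"], args))

    ctx = {"name": "global", "engine": False, "protocol": None}
    stack = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                       # Apache comment line
        if _VHOST_OPEN.match(line):
            stack.append(ctx)
            ctx = {"name": line.strip(), "engine": ctx["engine"],
                   "protocol": ctx["protocol"]}
            continue
        if _VHOST_CLOSE.match(line):
            close(ctx)
            ctx = stack.pop()
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, args = m.group(1).lower(), m.group(2)
        if key == "sslengine":
            ctx["engine"] = args.strip().lower() == "on"
        else:
            ctx["protocol"] = args
    close(ctx)
    return findings


# Constructed sample httpd.conf fragment (not any real server's config).
SAMPLE_CONF = """\
SSLEngine off
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    # no SSLProtocol line: mod_ssl's default 'all' applies
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    SSLEngine on
    SSLProtocol +SSLv3 +TLSv1
</VirtualHost>
"""

if __name__ == "__main__":
    for name, args in audit_sslv2(SAMPLE_CONF):
        print("SSLv2 still enabled in %s (SSLProtocol %s)" % (name, args))
```

Run it against your own httpd.conf by reading the file into audit_sslv2; the first sample vhost is reported because a missing SSLProtocol line silently keeps SSLv2 on.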
And just as quickly put the source code back out there so everyone can look for the next thing to exploit in it.
it seems it's actually only a problem with Apache SSL in combination with whatever version of openssl (0.9.6b?) .... and according to the netcraft report apache 1.3.26 shouldn't be vulnerable anyway.
does anyone else have some clarification on this?
please IP ban this MF!
As an administrator of mostly Windows boxes I'm feeling a little left out... Of course that might just be because they are all properly patched.
http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.0_i386.deb
S
Uhm, all his sig is saying is that trying to appease non-smokers by making a separate smoking section doesn't cut it. It doesn't advocate banning smoking or peeing in pools. It's just saying "don't delude yourself thinking that a smoking section makes the non-smokers happy."
You're not paying anyone to get it, you're paying to have it automatically sent to you.
Try compiling Apache 2.0.X with a dynamic loadable module of SSL. It will break on 'make', at least on Red Hat 7.2. I had to go back to 0.9.6f.
Unstable, is at 0.9.6g and thus shouldn't be vulnerable.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Posting anonymously so I don't give away that I have a less than ideally managed linux box sitting on the network.
Sorry for being stupid, but my user name does start with "baka" and my web address does start with "ahou"... (both are Japanese words for stupid) so I have fully accepted this fact.
I am not really the main administrator of our Linux box but do have some responsibilities for it. What is the simplest and fastest way that I can check to see if our box is vulnerable? i.e. a command line command or a config file to read.
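One way to answer this from the command line, as an added example (not from the thread): parse the output of `openssl version` and `rpm -q openssl` and judge them against the versions named in this thread, upstream 0.9.6e and Red Hat's backported openssl-0.9.6b-24 (RHSA-2002-155). The vendor table holds only that Red Hat value; thresholds for other distributions are not known from the thread and are reported as unknown rather than guessed.

```python
"""Added example: decide from version strings whether an OpenSSL install
carries the fix discussed in the thread."""
import re
import subprocess

# From the thread: upstream 0.9.6e is the first release with the fix.
FIXED_UPSTREAM = (0, 9, 6, "e")
# Vendors backport fixes without bumping the upstream letter, so a package
# has to be judged by its release number. Only the Red Hat value named in the
# thread is listed; other vendors are deliberately left out.
BACKPORT_MIN_RELEASE = {("redhat", "0.9.6b"): 24}

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")
PACKAGE_RE = re.compile(r"^openssl-(\d+\.\d+\.\d+[a-z]?)-(\d+)")


def parse_version(text):
    """'OpenSSL 0.9.6b 9 Jul 2001' -> (0, 9, 6, 'b')."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def upstream_is_fixed(version):
    # Tuple order: numeric parts first, then the patch letter ('' < 'a').
    return version >= FIXED_UPSTREAM


def package_is_fixed(nvr, vendor="redhat"):
    """Judge an rpm name-version-release such as 'openssl-0.9.6b-24'.
    Returns True, False, or None when the vendor/version is not in the table."""
    m = PACKAGE_RE.match(nvr.strip())
    if not m:
        return None
    upstream, release = m.group(1), int(m.group(2))
    if upstream_is_fixed(parse_version("OpenSSL " + upstream)):
        return True
    min_release = BACKPORT_MIN_RELEASE.get((vendor, upstream))
    if min_release is None:
        return None
    return release >= min_release


def assess(version_output, package_nvr=None, vendor="redhat"):
    """Combine `openssl version` output with an optional package name."""
    if upstream_is_fixed(parse_version(version_output)):
        return "fixed"
    if package_nvr is not None:
        verdict = package_is_fixed(package_nvr, vendor)
        if verdict is True:
            return "fixed (vendor backport)"
        if verdict is None:
            return "unknown: check your vendor's advisory for this release"
    return "vulnerable: upstream below 0.9.6e and no known backport"


def _run(cmd):
    """Return a command's stdout, or None if the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Caveat: this judges the system library. An Apache/mod_ssl built from
    # source may be statically linked against its own, older OpenSSL copy.
    version_out = _run(["openssl", "version"]) or ""
    package_out = _run(["rpm", "-q", "openssl"])
    print(assess(version_out, package_out))
```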
In fact, Microsoft has already pre-infected their own new OS, Windows XP. Maybe those draconian EULAs (you hereby agree that "M$ 0wnz j00") aren't such a dumb idea after all...
Not that I like it, but the fact is that MS is targeting the sort of people we're worrying about, giving them what it thinks they need, whether they ask for it or want it, or not. We hate this because we're tech-savvy and want to control our machines, but for the average user, having someone else "0wn" their machine is probably, ultimately, a necessity. The question is just who's going to do the owning - virus writers and crackers, or Microsoft/Symantec etc.
Let's say I have SSHD running on port 5422, will I still be open to the virus? I'm guessing it runs on the standard SSHD ports?
# touch /tmp/.bugtraq.c
# chmod 000 /tmp/.bugtraq.c
Thank you, try again.
While are you are correct in saying that a limited subset of users should be permitted to run the compiler, that subset should never be the superuser. Compilers have security holes too, and gcc has been no exception. (was it 2.7 or 2.8? don't recall, too tired)
Never do your compiling as root.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Although my server is up to date, it looks like it wouldn't have gotten too far on my system anyway since /tmp is mounted as no exec on all of the systems I control.
The interesting thing about the SecurityFocus site are the "solutions" being the usual canned responses. Make sure your virus software is up to date, don't open exe files... whatever.
What does an attempt to infect a webserver look like in the access logs? This will allow those who have already fixed the problem remind those who have not...
"Almost half of the 22 million Apache HTTP sites found by the survey are running Apache/1.3.26, whilst only around a quarter of the Apache SSL sites are running this version, which fixes the chunked encoding vulnerability."
Does this statistic take into account that some Linux distros (for example, RedHat) backport the bugfixes to earlier versions of Apache/OpenSSL/etc.??
All of our servers are running Apache 1.3.23, but it's 1.3.23 release 14 which DOES include the fixes for the bugs mentioned on that page. If they are simply going by the Apache version number reported, then they may be over-estimating the number of vulnerable web servers by several million...
But you all know what they say about statistics anyway...
Sometimes the best solution to morale problems is just to fire all the unhappy people.
You might save yourself from *this* worm, but how long until someone 0wn3z you with some other 37331 worm that uses port 2003? or 2004? or 37331? or some other number? Hmmmmm?
While you could nuke GCC from your machine (ouch!) why not just patch the hole and get on with life?
--JoeProgram Intellivision!
[27/Aug/2002 20:02:19 23525] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[27/Aug/2002 20:02:22 24087] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
Thing is though, that "key arg too long" error is part of the July patch to OpenSSL, so you won't see it if you aren't patched. Hopefully this log signature doesn't become as familiar as nimda scans.
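Added example, not from the poster: a parser for mod_ssl error_log lines of the form shown above that counts the "key arg too long" records per Apache child and per minute, and that carries the poster's caveat through to its output (zero hits says nothing about an unpatched server, which never logs this reason). The sample log lines are constructed.

```python
"""Added example: summarise worm probe attempts from a mod_ssl error_log."""
import re
import sys
from collections import Counter

# mod_ssl 2.8 error_log record, e.g.
# [27/Aug/2002 20:02:19 23525] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<pid>\d+)\] "
    r"\[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>.+)$"
)
# Logged only by an OpenSSL that already has the July fix and rejects the
# over-long SSLv2 client master key; an unpatched build logs nothing here.
PROBE_REASON = "key arg too long"


def parse_error_log(lines):
    """Yield a dict (ts, pid, code, func, reason) per OpenSSL error record."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            yield rec


def probe_summary(lines):
    """Count probe records, distinct child PIDs hit, and the busiest minute."""
    hits = [r for r in parse_error_log(lines) if r["reason"] == PROBE_REASON]
    per_minute = Counter(r["ts"][:-3] for r in hits)      # drop the seconds
    busiest = per_minute.most_common(1)[0] if per_minute else (None, 0)
    return {
        "probes": len(hits),
        "children_hit": len({r["pid"] for r in hits}),
        "first": hits[0]["ts"] if hits else None,
        "last": hits[-1]["ts"] if hits else None,
        "busiest_minute": busiest,
        # The caveat from the post, kept with the numbers so it is not lost.
        "note": "zero probes is not evidence of safety: only a patched "
                "OpenSSL logs this reason",
    }


# Constructed sample log (PIDs and times made up; last line is not OpenSSL).
SAMPLE_LOG = [
    "[27/Aug/2002 20:02:19 23525] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long",
    "[27/Aug/2002 20:02:22 24087] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long",
    "[27/Aug/2002 20:03:05 24087] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    "[27/Aug/2002 20:03:41 24091] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long",
    "[27/Aug/2002 20:03:42 24091] [info] Connection to child 3 established (server www.example.com:443)",
]

if __name__ == "__main__":
    # Usage: python probe_summary.py /path/to/ssl_engine_log (default: sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(probe_summary(fh))
    else:
        print(probe_summary(SAMPLE_LOG))
```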
before they attack the windows computers using this. i know we are using apache-1.3.26 with mod_ssl 2.8.9 OpenSSL 0.9.6d
checked www.modssl.org the site we got it from and they only have 'd' nothing higher. since we don't have a windows compiler and we aren't sure how they are compiled, we are stuck with d... ick
was going to wait to update mod_ssl (2.8.10) until they got the new OpenSSL
I would upgrade to apache 2.0 if I could but not all of the plugins that we need are ported yet. :/
Uh-oh. Steve "I've only stolen *BSD twice in my life" Jobs is depending on Apache for his "Mac OS X Server" product! Too bad his effete, techno-wannabe's never designed an operating system in their life, or else they could help fix the Apache bugs.
Of course, his droogs who go out and buy BSD, oops, I mean "OS X", will never know the difference. I mean, they've still go their incredibly important iTunes and iPhoto. After all, "that's why I got into computers in the first place... (moment of profound silence)".
Fags.
not until PHP officially supports it...
It's possible. I wouldn't put it past microsoft to write viri (viruses?) for linux.
And as long as they make sure their Red Hat releases have the proper number of bugs in them, they're guaranteed a revenue stream.
You don't have to pay for the latest updates. Compile them yourself if you want.
You're paying for the convenience of having it automagically installed for you by Red Hat with little need for input on your end.
How many webserver administrators have the skills to look at the Apache sourcecode (or in this case, the OpenSSL sourcecode), find the bug, and fix it?
All the skill it should take is to apt-get upgrade or up2date, or whatever the distro in question uses for updates. Debian woody had the patch posted immediately. So the skills needed to update your Apache system are no different from those needed to patch code red (Which, a year after its creation, is still roaming around)
The often touted ability to "go in and fix things" or even to simply "contribute" is highly overrated. Who found and fixed this bug? Was it some random user, or one of the original developers?
Well, judging by the advisory from the OpenSSL team (Dated July 30, btw, this is hardly a new issue) and a cursory glance over the developer list, the advisory issue was not found by anyone on the development team. So, I'm going to have to go ahead and disagree with you. I consider the ability of users to find and patch security vulnerabilities to be a benefit of free software that simply cannot be overstated.
Having said that, I'll concede the obvious. Most end users are not skilled in the ways of finding or fixing bugs. However, there are zero end users of proprietary tools who even have the option of patching security holes in the software upon which they depend.
So, while some may say "But any user can find/fix security holes when it's free software!" I'll simply say "But any user has the freedom to find/fix security holes when it's free software!" Whether or not the user has the skills is irrelevant, what's important is that the option is there.
What makes you think everyone uses RPMs?
I like my source sunny-side-up, thank-you very much.
wrong. the entry point for the exploit is tcp/443, not udp/2002.
i see a lot of site are running very old versions of apache (1.2.x era). what keeps these people from running "# apt-get update;apt-get -y install" at least every year or so?
... yet keeping up to date with the patches is almost always ahead of the game.
some of these exploits are serious killers
so silly to have spent the time to run unix and then drop the ball by not maintaining it.
It's not that IIS is all that very bad. You see, I have used it in the past. In fact I still do use it for a site which I'm designing at the moment. Try running VBscript ASP on Apache. For some things, IIS is simply easier. Every piece of software, open source or not, is bound to have bugs and be exploitable. The difference between Open Source and Closed Source is that people tend to dislike Closed Source packages more, and thus tend to exploit it. I wonder -- If they started charging for Apache, how long it would take before there'd be as many security holes in it as there ever was with IIS. Some thoughts. -- My preeecious. --
bluHatter
Use a distribution with a package manager, and don't install a compiler on your exposed servers. Just install binaries, and verify them (e.g. rpm --verify) with a cron task. Presto, you'll be warned if something gets changed.
;)
Add iptables rules to the server to block SYN outgoing packets - so only existing connections are allowed. Remove the rules when needed. Presto, your server can't be used for launching attacks.
While you're at it, add rules to only allow necessary services and trusted networks.
This stuff is really not that tough, and the only reason attacks like this happen is because of laziness. Perhaps they should add a kernel module that shuts down the machine if the administrator hasn't checked it out in the last 24 hours.
-Elentar
The wheel it turns, around and around, with an ancient rumbling sound.
Here's the gentoo way:
get the tree up to date:
emerge rsync
update your package:
emerge -u openssl
or just update the whole world at once:
emerge -u world
I don't bother updating packages or applying fixes, because it happens automatically, I use ANA!! (Automated Network Administration) http://www.wiresoft.net/
Same way I get moderated down overrated when I ask a fucking question about the subject (that ISN'T answered in the articles, because I read before posting). Same way I get fucking moderated down as "offtopic" for an obviously on-topic post, and an obvious joke.
Fucking. Stupid. Moderators. There should be a law against retarded people getting moderatorship.
Since they'll have to update OpenSSL anyways, any chance people will move to the new Apache at the same time?
Why? I just installed a patched version from the vendor. Compiling and installing from source is a pain in the neck when the next version comes out. I had Apache 1.3.25 and PHP all setup and ready to go integrated with mod_ssl, etc. on another box when the shit hit the fan with Apache in June. Back to the drawing board and spend another 2 days building Apache and PHP. Fuck that.
whoever modded this overrated sucks donkey dick!
OpenSSL 0.9.6e is perfectly safe. And that was available via Software Update on 30 Jul 2002.
Andreas
You'd just need PPC/whatever shell code. Fortunately, as of 08-23 any OSX users running Software Update (enabled by default) have been prompted to download the update that fixes this. It may have been perhaps a bit later than 08-23 if they're not checking daily (I think weekly is the default). Anyhow, Apple made and distributed an update shortly after the vulnerability was made public.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I always thought there was something funny about Macs.
This should indeed work only against this particular variant of the worm for servers which cannot be patched for whatever reason.
When hackers stop bothering to hack your software, it is a sign that their love for you has grown cold and you are now irrelevant. Has anyone hacked Novell lately? :)
To be truly loved is to get hacked! Someone out there must really love Microsoft, but I am glad they are starting to share the love with the Open Source community more and more. It is a sign that the love for Microsoft may be starting to fade or maybe hackers are just plain sick of "shooting fish" in the idiomatic barrel.
Either way, I am going to go block UDP on port 2002 on the fw/router and mumble to myself about buffer overflows.
Hey, that's really funny man. Especially that telekinesis thing.
could someone grab http://www.openssl.org/source/mirror.html and post it?
Yes but the updates for Red Hat users don't come from disc space and bandwidth stolen from universities and other publicly funded sources.
Okay, no one is answering the obvious question: Is this an OpenSSL bug, a Linux bug, or a GNU bug?
The submission states "A GNU/Linux worm" and "a bug in OpenSSL". But OpenSSL runs on a heck of a lot of systems that aren't Linux. Does this exploit only affect Linux systems running OpenSSL, or does it affect any system running OpenSSL?
A Government Is a Body of People, Usually Notably Ungoverned
Gotta learn how to finish reading the bug report my friend. Then you can come back and talk. The hack is that you might have the bug but the bug will not be able to do anything.
Currently using Debian's stable woody release.
The stable release currently is using Apache 1.3.26-0 and OpenSSL 0.9.6c-2.
Does anyone know if this version is ok?
Cheers
me the trouble.
No, really.
Ok, a poll: how many of you went into the source code today and fixed the vulnerability on your own? Come on, raise your hands...
That's what I thought. People just have to wait for either the distribution to release an updated package, or at the least the package maintainer to release a patch or updated release. NOBODY (ok, not many) people go in and hack the source themselves to fix it. It's better than closed source, but not as much as you make it appear to be.
Yes, you can coordinate with others to make a fix, but you can't sit there and tell me Joe Sysadmin will sit there and craft his own patch to close a hole. It doesn't work that way.
Go ahead, take my karma...
Hey you forgot to to mention that the worm is Microsoft's fault because uuhhmm errr .. they must have wrote it - to make Linux/Guano look bad huh!
Every Linux user should be using the packaging system to install this - otherwise, as the author above said, you'll have application with nonstandard install, no file querying or verification, nonstandard uninstalls, and further breakage of your system for apps which subsequently rely on openssl and apache.
And if your Linux distribution can't reliably install RPMs, then it's not a Linux distribution but an OS which uses the Linux kernel. There is a difference, and it's called the LSB.
one of the first things i tell new linux users whom i help installing their system is that they'll have to keep their distribution up to date. there's an important reason for that: many people have heard that linux is more secure than windows. in fact, it's a reason for switching i've heard many times. i'm not going to argue if this is true or not because i believe that there is an infinite number of factors that can make any system more secure or insecure for windows and linux alike. the real problem, though, is the attitude; many new linux users religiously believe in an imaginary inherent security of linux while they are usually very aware of the risks linked to running a windows system. and that's why so many people sleep well while someone is hacking their computer that's running a two-year-old version of qpopper, apache or sendmail. not to mention that these users probably never used any of these servers, they just got installed by default and the user doesn't even know they're running.
for windows as well as for open source products, the exploits normally show up long after a hole has been fixed. so while i completely agree that it's a good thing that holes are found faster and fixed faster as well in open source software, it's not going to help if the users don't take advantage of it because they are too cool to upgrade.
it's really time to wake up for the linux community, otherwise linux will lose its reputation of reliability that most of us take for granted.
Don't forget.
Some of us admins have applications that wrap up other applications that can't always be upgraded without breaking functionality.
Best example I have is Oracle 9iAS. The engine under the hood is Apache, but it's mod'ed enough that the only safe way I have to patch it are with patches from Oracle.
I agree totally, laziness is a huge problem with human beings.
There's no profit in patches, only job security. I don't think most vendors care about mine.
yikes!
developers! developers! developers! developers! developers! developers! developers! developers! developers! developers! developers! developers! Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.
> And I didn't even have to be a 'subscription customer'. God I hate that. Why should we have to pay to get the latest updates to our FREE software? If that isn't Microsoftian, I don't know what is.
You don't have to pay. That message from up2date comes out if you're trying to get updates for one of the freely-registered systems that you're allowed to get updates for, but at a lower priority than the paying customers. Try again at a later time and it's often cleared out of subs.
Yes, it means those with a free reg have to wait for the load of subs to back off, but they will still get their updates - just not as fast. That's the 'price' of the free reg vs the price of the registration. You makes your choice and pays/don't pays your money.
Nobody's forced to subscribe or miss updates. Timely updates, yes I'd agree, but not simply locked out completely.
Also as mentioned by another poster, the netcraft report about the number of unpatched apache servers is complete nonsense. This is an openSSL bug, which has nothing to do with the apache version number, which is what they measure and use to conclude people haven't updated.
(presumably older apache versions don't work with the newer openSSL libraries. Guess what... that's why the fixes were backported!)
apt-rpm, autorpm, autoupdate are a couple of ways to do the same on redhat. Please check out rhn before you form an opinion on whether the cost is worth it or not (yes, I have Debian boxes as well).
Funny, I didn't pay Redhat anything to download my installation, yet I still get to use up2date on all my servers...
Please try a little research before making silly statements...
Code, Hardware, stuff like that.
Microsoft doesn't charge for updates, patches, and service packs.
Funny that, I thought I paid Microsoft $135 for Windows 98. Perhaps I'm just imagining it. Oh well, I look forward to receiving the free versions of Windows that you seem to think are out there.
Oh wait. Then I realise that you're just full of BS. Hell, even Office 2000 SP2 disables installations of Office 2000 that are using known "pirated" installation keys. So much for "free."
Jesus, I just drank half a bottle of wine, fucked my girlfriend, fired up the Thinkpad and noticed your BS, and I still make more sense than you.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Well, shit fire. Looks like it didn't take somehow. Maybe it is necessary to recompile Apache too?
Pardon me if I sound dumb, but if this is true, shouldn't someone say so instead of just "upgrade OpenSSL"?
to be funny.
HAHAHAHA
thats funny
i get it
Take those cigarettes and ram them straight up your ass, buddy.
It may be that your apache is statically linked. Or it may be that apache records the version of OpenSSL at compile time rather than at run time (dumb). Recompile anyway; you need the practice.
now we need to go OSS in diesel cars
The lazy admins are the ones whose computers are compromised and the ones who will suffer the most painful consequences. When their web server goes down, or is rooted a couple times, eventually they will quit in frustration, or be fired. Of course the rest of us also suffer a little seeing web logs fill up with junk, but that's only a minor annoyance.
This being slashdot, I would have liked to think that somebody here actually knew how to update Red Hat. Three swings of the clue stick--
With Redhat 7.x, Redhat began to ship with most default package configurations "secure by default".
Maybe it is time for all the distributions to consider shipping with external services such as Apache configured to run under chroot.
Eventually dedicated servers will require a LSM/SE Linux type environment to run exposed services.
Mao Tse Tung, Hitler, Stalin, Castro, Pinochet, Mussolini, Marshal Joseph Tito, Slobodan Milosevic, Idi Amin, Ho Chi Minh, Saddam Hussein, Muammar Qaddafi, Juan Peron, Ayatollah Khomeini, Ferdinand Marcos, General Suharto, Pol Pot, Francisco Franco, and certainly the worst of the bunch, SLASHDOT's editing/moderating [read: censoring] "community"(*) ALL AGREE on ONE THING:
(*) Note: the word community, used often on Slashdot, refers here to a proto-communist commune.
So, you busy little plebian proletariats, get busy, you have some censoring to do! FUN! Do the bidding of your fat, undisciplined masters who never subject themselves to peer review.
Good job you little neo-commies. Don't want to hear the other side, shoot the fucker in the head as an ENEMY OF THE STATE [In this case anyone who seeks to improve the sad state of
A few haikus to commemorate the sucktitude:
Crack Pipe Moderators
Crack smoke wafts though air
Dumb shit moderator!
Try to suck less, please
The Humorless Moderator
Crack smoke wafts through air
Humorless moderator!
Why do you hate me?
The Proletariat
Slashdotting Commie
Moderator fears new idea!
Censor him quickly
The reason China blocked Slashdot is that when Jiang Xemin saw at how good "The Editors" at Slashdot are at suppressing the community, he knew that if more of his party members saw this degree of suppressive efficacy, he would be deposed, for the good of the people, of course, in favor of Rob Malda as the all new supreme dictator and premier of China.
I have a Gun and the Constitution [Not the urinated-on pissed-on hacked fucked up one WashingTOON thinks exists, I mean the real one, with Jefferson and Madison at my side], please, give me an excuse to use them both.
SAYINGS, quips et al:
It has been said that democracy is the worst form of government except all the others that have been tried. - Sir Winston Churchill (Especially when your democratic peers twist democracy into a reason to commit censorship, to squash dissenting or unpopular opinions, and refer to them as trolls, flamebait, overrated or offtopic when they aren't any of the said)
The reason there are two senators for each state is so that one can be the designated driver. - Jay Leno.
The Constitution poses no threat to our current form of government. (Death to those who defile the root documents of a free nation to make economic freedom supersede Freedom! Freedom First! Free market Second!)
Occam's Razor: "Entities should not be multiplied unnecessarily." "Pluralitas non est ponenda sine necessitate" "Frustra fit per plura quod potest fieri per pauciora" "Entia non sunt multiplicanda praeter necessitatem" Translation: "Simple explanations are preferred to complex ones" Modern fucking translation: "JUST DO IT."
Reading Slashdot at anything above -1 is like trying to put a shit filter on your ass.
Get busy moderating this down, you little pack of obedient prefects of the corrupt state! You are the vanguards of purity, and dissent is not allowed!
Hmm, hands up who installs a compiler on a WEB SERVER?!
Me me me! I wouldn't dream of doing it on something I intended to serve web pages to the world from. But I've fired up Apache a couple times on my computer just to quickly look at something before commit. I didn't do it at all in the 3-4 days after the exploited hole was discovered and my vendor released the patched version. I'm a programmer who occasionally writes a web page, I could do with a much simpler web server, even one written in Java that can't do buffer overflow, but that's not what is already installed....
It's not a "lazy" admin problem.
There've been too many admins who've been burned by a "security patch" that broke the system in some other way. When your computers need to be up 24-7, and you can have, at most, about 4 hours of down time, you're going to be VERY selective about what patches get added to the system. Or from another viewpoint, I just got burned by an XP "security patch" that for some reason broke my autodial functionality so that my routing table went straight into my local network. I had to reinstall Windows XP to get the functionality back... I'm not about to start putting those security patches back on. I don't like it, but my system works. (I run firewall and antivirus software as well, so it's not like my butt is completely uncovered, either)
Admins are not only responsible for the computers and OS's themselves, but the network communications layer, hard drive resources, ALL of the apps on those boxes (and their associated patches), plus help desk support, new computer setups, and old computer shut downs, and let us not forget software licensing management issues.
IT Admins also painfully understand the one part of Software Engineering that Software Engineers don't. Any change to the program WILL have functional differences.
Automating updates can work because it takes the load off of the admin. But as you point out, there are legal issues, plus there's the above issue where you don't necessarily want to install all of these patches because your system works "as is". On the flip side, Norton's LiveUpdate for their anti-virus software runs pretty well. But NAV is a very distinct application and purpose, and doesn't have ripple effects throughout the rest of the computer system.
Also there's an apples and oranges comparison of Microsoft and Linux problems here. Microsoft got its bad press not from legitimate security issues, but because Outlook made the very ACT of receiving an email a vector for running a virus/trojan horse through the preview pane. Because Word allowed any document to take control of the user's hard drive and begin deleting files, grab the email address book and replicate itself. That's a whole different ballgame than exploiting IIS through stack overflow issues, or exploiting this loophole in OpenSSL. There's a difference between "defeating/exploiting security" and "leaving the doors wide open." But now, thanks to Microsoft PR to spin their problems and Linux PR to make Microsoft look bad, ALL exploits are equal so that the least exploit is just as important as a truly critical one and THAT adds to the Admin's workload, and leads back down the road of not getting these patches installed.
In the end, the power and the responsibility lie with the Sys Admin. Which is where it should be.
That was the point. Access denied.
Of course, if you've a mission critical system of course you've subscribed. But for Joe Home Users the upgrading might take a while.
Why should we have to pay to get the latest updates to our FREE software? If that isn't Microsoftian, I don't know what is.
You're totally wrong. "Free Software" doesn't mean that you can get it for free; it refers to the freedom to redistribute it, modify it, etc... You should consider it a privilege to be able to download it on the net because you're not paying for the server, you're not paying for the bandwidth, nor for the admins who keep the whole thing up.
In the above case, which is RedHat's up2date service, they simply shut down the free service to allow their PAYING customers to get what they pay for. And if they don't do that, it will result in a painfully slow service for both paid and free subscriptions.
In the case of Debian, the service is kept up by volunteers and donations. Were everyone to stop donating and volunteering tomorrow, your service would be down and you would not be able to use "apt-get" anymore.
And anyway, if you can't wait, you can still download it from the ftp or some mirror.
Silly troll. Apache 0.4 is the best release and you know it.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
Linux = chroot AND iptables AND ...
c /data/linux.slapper.worm.html#technicaldetails
chroot has been a part of Linux since the beginning
most of the official distros offer to use it with apache. using it (or simply using chmod gcc), there is no access to gcc for the apache account, so the worm can't work.
again, iptables/ipchains/firewalls are an important part of the linux kernel. using it the apache account can't access UDP or open other TCP ports. so the worm can't work
and of course apt-get update/upgrade are an important part of linux distros like debian stable. openssl was updated long ago with a stable patch to prevent this hole.
see http://securityresponse.symantec.com/avcenter/ven
Finally
Linux can compete with Microsoft.
Sorry but Linux is extremely poor competition in this area .. If you read the Symantec alert you will notice that :
"At this time over 350 computers have been observed performing this activity, "
"350" computers, that's not a competition, that's a joke !
And note that Symantec has a history of being anti-Linux in their Advisories.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
It may be that your apache is statically linked. Or it may be that apache records the version of OpenSSL at compile time rather than at run time (dumb). Recompile anyway; you need the practice.
NO, that's a stupid argument. "Need the practice?" When you go down the package management route it's like getting married. You have to stick with it and be faithful to your partner. If you start straying from the course and seeing other people and installing from source, the relationship will start to sour. Eventually a few years down the road you're going to end up with dependencies that can't be satisfied and the whole thing is going to be a mess. For example, you install openssl 0.9.6g from source, you go to install a new Apache RPM that relies on the new openssl 0.9.6g RPMs from your vendor which you didn't need to install. Dependencies fail and you can't install it (sure you can force it, but that starts down the slippery slope). You need to put your full faith in the package management system and the vendor to release timely releases or you might as well build a Gentoo or OpenBSD system and just recompile EVERYTHING anyway.
You don't have to pay for the latest updates. Compile them yourself if you want.
You're paying for the convenience of having it automagically installed for you by Red Hat with little need for input on your end.
But I get that "convenience" for free with apt-get and Debian. If the site is overloaded I just choose another mirror for my apt sources file. Problem solved, update installed, I sleep peacefully at night. Can you not change the site that up2date uses to download updates?? That's kind of silly. I guess you have to resort to going to a mirror and downloading the RPMs and using rpm -F. Anyway, nice try Red Hat but if you can't change the update sources then that's a shoddy system because of exactly situations like this one. As for compiling from source, not an option unless you don't plan on using packages anymore in the future. Dependencies will get all screwed up. You'll be running the new openssl but Red Hat will think you're running the older version when you go to install software and you'll find yourself more and more typing --no-deps to get packages installed. That's ugly. Now, true, you could recompile until a patched package becomes available and then reinstall that but how many people bother once they've compiled a new version? Also, make sure you compiled the same version of Apache they have with their patches or you're going to need to recompile PHP, mod_perl, etc. what a pain in the ass.
With the risk of being accused of making a crass generalisation, I'd say that many, many Windows sysadmins are of the point-and-click Mickey Mouse variety
I've often said that Windows admins can't find the bathroom without an icon on the door.
Usually people smoke cigarettes with their mouth; apparently ass and mouth confuse you. Is this because you talk out of your ass so much?
... Governments are instituted among Men, deriving their just Powers from the Consent of the Governed...
Is this a list of rogue head of state puppets created by Washington's foreign policy?
... Governments are instituted among Men, deriving their just Powers from the Consent of the Governed...
Yeah, not having the source code for Windows has really protected it. Good thing nobody can write any Windows viruses. Obscurity has worked very well.
...except that often package managers have to be run as root (the only two I have, Fink and its Debian lackies, almost always must be run as root), and they call GCC. Now, it is possible that they run GCC with lower permissions than they themselves have, but I doubt it.
I wonder how many of those "350 infected" Apache installations were actually Symantec development boxes? The way Symantec has been yelling fire, compared to the reality of the 'flames' they exhibit as evidence, suggests false advertising and they should be investigated by the FTC.
There are approximately 40 Linux 'viruses' listed on Symantec's web site. Examining each one reveals that the vast majority have been 'seen in the wild' on less than 50 boxes. And, except for Bliss and Lion, in order to be successful most of the viruses listed by Symantec need the cooperation of a user willing to run them as root. I reviewed all of Symantec's Linux 'viruses' in the following msg on alt.os.linux.mandrake:
http://groups.google.com/groups?q=alt.os.linux.mandrake+Jerry+Kreps+viruses&hl=en&lr=&ie=UTF-8&selm=xQuc9.87365%2427.1562343%40twister.rdc-kc.rr.com&rnum=3
This begs the question of how, out of millions of websites, so many 'viruses' end up at Symantec's labs? Some 'viruses' are listed as being on only a couple of boxes. Having them end up at Symantec is truly amazing and suggests that for most of the viruses either their first infection was a very poorly protected box run by a very expert Linux user able to determine what happened and immediately send a copy to Symantec (a contradiction), or they are being manufactured by Symantec coders. One only hopes that Symantec isn't releasing them into the wild to garner business.
I use the word Absurd for two reasons:
First, in the astronomically unlikely event that you have an SSL infection then patch Apache-SSL, don't leave the vulnerable version in place as it is and install a proprietary ($$$) bug 'vaccine'. This approach is stupid, to say the least. The Apache coders will generate a patch long before Symantec can 'capture' a specimen, reverse engineer it and generate a vaccine. The Apache patch will be free for the download. In fact, most distros like Mandrake 8.2, have automatic patching/updating maintenance programs that can fix a defective app or library automatically and in seconds once the patch is posted.
Secondly, since Slashdot is now surfed by more WinXX users than Linux users the WinXX mentality seems to be expressed in a majority of postings to Slashdot. That 'mentality' is the assumption that if 'it' was a problem with WinXX 'it' must naturally be a problem with Linux.
Linux IS NOT plagued by Microsoft's problems, microsurfties, especially in the areas of SECURITY AND STABILITY. REALIZE THIS!
Look at the problem Symantec is encountering trying to generate a believable 'Linux has viruses' mindset in a vain attempt to protect their business model. Only the Microsurfties are falling for it. And, after they buy the 'vaccine' then gradually learn it isn't necessary they will feel foolish.
While some Linux newbies fresh from WinXX bondage may stupidly or lazily run as root, most do not. That is the first thing a Linux newbie learns!
I've been running Linux for five years. Exclusively for three years. I have been connected 24/7/365, except for thunderstorms. I have surfed countless websites, received tens of thousands of emails, downloaded and installed many iso sets and hundreds of tarred and rpm'd applications using RH, then SuSE and now Mandrake. While I have found hundreds of WinXX viruses in my mail box, and even fired SirCam to see what it does on a Linux system (nothing), I have yet to receive a single Linux virus, nor have I been hacked.
Viruses don't concern me, but hacking does. That's why I try to keep my box security as high as is reasonable for my circumstances: tight enough to deter the average script kiddie or cracker, but not so tight as to consume a lot of my time keeping it current up to the second. After all, professional crackers won't waste their time rooting my box, there is not enough karma or cash in doing so. What if I do get hacked? I regularly backup my data. The system and software can be reinstalled from pristine sources onto a freshly formatted drive in a couple of hours. Why sweat the small stuff... and a Linux virus is certainly small stuff.
Running with Linux for over 20 years!
I don't know much about the companies, but it looks like A.L.Digital Inc and The Bunker audited openssl in July 2002. Being the same version, this exploit looks like very bad publicity for them.
Hello, is there some way to detect the hole (as opposed to checking the version number)? I have to recheck a bunch of computers (not necessarily Linux or Intel) to make sure they're safe. But as you stated, lots of vendors backported the fix, so I can't rely on the version number. Is there a nessus plugin that checks for the actual bug (not the version number)?
Sorry, but as a 25 year veteran of computer systems I have rarely had to deal with buffer overflows.
The crux of many problems is this wretched idea of a null terminated string.
I have always hated null terminated strings, and always will. Far better to have a counted string
Quite apart from restricting the hazards of buffer overflow, a counted string MUST save processor time scanning to see how long a string is.
I rest my case.
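An added example, not from any poster in this thread, of the counted string the post argues for, beside a NUL-terminated equivalent written as carefully as it can be. The counted version carries its own length and capacity, so an over-long append is refused instead of written past the buffer, and its length is a field read rather than a scan; the cstr_* and zstr_* names and the 16-byte capacity are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CSTR_CAP 16   /* deliberately small so the overflow case is easy to see */

/* Counted string (hypothetical type for this example): the length is
 * stored, so nothing ever scans for '\0', and the capacity travels with
 * the buffer instead of being separate knowledge in the caller's head. */
typedef struct {
    size_t len;            /* bytes in use */
    size_t cap;            /* bytes available in buf */
    char   buf[CSTR_CAP];  /* not NUL-terminated; may legally contain '\0' */
} cstr;

void cstr_init(cstr *s) { s->len = 0; s->cap = CSTR_CAP; }

/* O(1): read the field, do not walk the bytes. */
size_t cstr_len(const cstr *s) { return s->len; }

/* Append n bytes. Returns 0 on success, -1 if they would not fit;
 * on -1 nothing is written and len is unchanged. */
int cstr_append(cstr *s, const void *src, size_t n)
{
    if (n > s->cap - s->len)   /* len <= cap always holds, so no underflow */
        return -1;
    memcpy(s->buf + s->len, src, n);
    s->len += n;
    return 0;
}

/* The NUL-terminated counterpart. It is still worse in two ways:
 * strlen() must scan dst on every call, and dstsz is separate knowledge
 * the caller has to pass correctly (strcat() without it is exactly the
 * overflow the post complains about). If dst is not terminated inside
 * dstsz bytes, strlen() itself overruns. */
size_t zstr_scans;   /* bytes walked by strlen() inside zstr_append, for illustration */

int zstr_append(char *dst, size_t dstsz, const char *src)
{
    size_t dlen = strlen(dst);          /* scans dst every time */
    size_t slen = strlen(src);
    zstr_scans += dlen + slen;
    if (slen >= dstsz - dlen)           /* room must remain for the '\0' */
        return -1;
    memcpy(dst + dlen, src, slen + 1);  /* copies the terminator too */
    return 0;
}

int main(void)
{
    cstr s;
    char z[CSTR_CAP] = "";
    const char *parts[] = { "hello", " world", "overflow!", "abcd" };  /* constructed input */
    size_t i;

    cstr_init(&s);
    for (i = 0; i < 4; i++) {
        int rc = cstr_append(&s, parts[i], strlen(parts[i]));
        printf("cstr append %-10s rc=%2d len=%zu\n", parts[i], rc, cstr_len(&s));
    }
    for (i = 0; i < 4; i++) {
        int rc = zstr_append(z, sizeof z, parts[i]);
        printf("zstr append %-10s rc=%2d dst=\"%s\" scanned=%zu\n",
               parts[i], rc, z, zstr_scans);
    }
    return 0;
}
```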
(Be sure to nix the spaces!)
For us carnivores, "Sucking the marrow out of life" isn't a transcendentalist philosophy but a practical instruction.
Oh I forgot, it's only Windows vulnerabilities we actively try to *spread*
Jesus, I just drank half a bottle of wine, fucked my girlfriend, fired up the Thinkpad and noticed your BS, and I still make more sense than you.
So you drink, fuck your girlfriend, then come and post on /.?
That's dedication for you. Most people just have a smoke and go to sleep... (after fucking your girlfriend)
Who the hell would WANT to run VBscript ASP ANYWHERE. Damn, some people like stupid crap.
But I get that "convenience" for free with apt-get and Debian.
Then you have a simple choice, don't you? Switch if you want to. I hear so much about how wonderful it is that there's choice in this community, but when people are presented with a choice like this one, there's much whining about it. Sheesh!
All these years we've been told that Open Source software is immune to bugs like this. We've been told it's because all those eyes catch the bugs and the faults are caught long before production. And on top of this, the admins maintaining Apache were better because they had to learn cryptic command lines and text files rather than IIS admins having point and click. After all, if any program met these criteria it is Apache with all those eyes reviewing it for production and even more eyes studying it to create mods and all those professional *ix admins instead of MCSEs.
You mean that was all a lie and the real reasons why IIS was seeing more vulnerabilities was that nobody bothered writing exploits against Apache.
Huh. Guess it's time to rip another few pages out of "The Cathedral and the Bazaar". I think that leaves the title page and ESR's bio. On second thought, make that just the title page.
In all the hundreds of messages on this topic there are lots of discussions on how to install an automated patch, some on how to manually install the patch but NONE listing what to change in the source code.
So much for the "technical sophistication" of the community and the much publicized ability of "when a bug occurs, you fix the bug and recompile". It seems that really was "when a bug occurs, you download updated code and run a canned script". So tell me, how is that any different than Microsoft's "Windows Update" (except that it's easier to make typos)
God I hate that. Why should we have to pay to get the latest updates to our FREE software?
Blow it out your ear. Redhat needs to make money and I can't think of a better service to provide to achieve that. If you don't want to pay, take your place in queue. They're not saying no, they're saying wait, we're taking care of those who are trying to keep us afloat.
I don't use Redhat, and I don't particularly like them, but there is absolutely nothing wrong with what they're doing here.
For those admins who are careless and think open source ware is magically bug-free, this should be a wake up call. As more people switch to linux, there is no use writing worms for windows. Writing malicious programs for linux would be the order of the day. The real test for linux is to withstand the attacks then.
I've noticed this as well. Most people in #linux (regardless of which network) are BOFH wannabes, and the culture in there perpetuates this to the point that even newbies do it. Most of the time, you get such smarmy remarks because the people handing them out don't know what the hell they're talking about either.
On the undernet, #freebsd and #freebsdhelp operators have traditionally taken the view that if you're going to tell someone to RTFM, put it thusly: "The question you ask is too complicated to be answered here. See the manual at http://xxx.xxx.xxx.xxx." Unlike the enormously retarded "fuck off luser," or "RTFM," it's actually *helpful,* even though it amounts to the same thing. I wish that more people in #linux would take that advice instead of actively trying to be jerks.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Nope, won't help against that at all.
I haven't been able to update my apache servers since June's vulnerability surfaced. And a lot of us professional sysadmins have the same problem. Management doesn't see us as being "vital to operations" and sees sysadminning as a job that's best done on a part-time basis. Thus, the sysadmin ends up spending most of his/her time doing "important" things like answering tech support and sales calls (in the case of ISP's), or paper pushing and bookkeeping. And when those "other things" monopolize my time and Management refuses to hire someone else to do those other things, nothing gets fixed.
To compound issues, oftentimes Management doesn't think security is important. Says my boss: "We don't need to worry about security. Hackers don't break into ISP's because they know that the attempts are logged." Well that's all great and wonderful, if anyone is actually reading them. Add to that the kids and spammers who scan networks randomly. None of you want to know what my network was like the first day I started this job.
Or you could just use FreeBSD. The ports collection will allow you to compile and install new software. The compilation process will use whatever libraries you have installed, whether from source or from binary packages. Everything ends up optimized for your system, and you still get the goodness of automatic updates and software availability.
Mmm, ports.
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
Regarding:
OpenBSD. I do not favor this, but a patch requires a diff on your local CVS, and that you only recompile the portion affected. No need to recompile everything. OpenBSD's monolithic approach to things is not my cup of tea, personally, and I would use FreeBSD in place of OpenBSD wherever it may be found.
Gentoo: I attempted to get this to work, and it failed, but I got the sense this was similar to FreeBSD, in that a portion or package could be 'emerged.'
Debian: I find this distribution to be difficult, but once working, upgrades are easy to accomplish by apt. The problem here is that Debian has a tendency to not let anything into -STABLE - sometimes on the order of months to years after it's needed.
FreeBSD: My current favored system. The core OS is small enough to recompile for a one off/test solution. It has a robust sense of packages. Its ports collection makes everything and anything installable, packaged and remove-able - quite easily. The system is extensible and scriptable, the build is easy to invoke. cvsup supfile [*default host=cvsup3.freebsd.org *default base=/usr *default prefix=/usr *default release=cvs *default tag=RELENG_4 *default delete use-rel-suffix src-all], make world ; make kernel ; mergemaster -p if needed. Binary packages are also available, and this operating system can be synched up with -STABLE, source-ily or binar-ily. This system is commercially viable [JUNOS on gigantic M160 Juniper routers is FreeBSD, and I have an M10 at work that is my playground, again, FreeBSD], robust, maintainable by source or binary. FreeBSD has a great regard for coherency, real documentation and contrary to the typical FreeBSD is dying troll, there are hardly any features that Linux and FreeBSD don't have in common, with a number of the better and more important drivers and subsystems in Linux being ports of a FreeBSD endeavor, eg, SCSI, AIC7XXX, USB support, etc. I find FreeBSD to be easier to maintain either bleeding edge or bleeding stable, and ports makes it laughably easy to break ranks and auto-magically place the stuff you want in a packaged manner in your system with autodeps. RedHat is notably resistant to tinkering, this is why I like FreeBSD. Unfortunately, the penguin has sucked up a lot of the attention, so certain things like Java directly from Sun are behind the curve. (e.g. JRE 1.1.8). FreeBSD does run Linux binaries - but this isn't a robust solution, it's a meta-hack. I also like 'portupgrade' which really puts the ease of keeping ports up to the stable minute in high gear. The soft update filesystem is a big plus when compared to EXT2/EXT3/Reiser.
RedHat: What can you say, the status quo of GNU these days. Not good, not bad. If you need someone to "worry" about *everything* for you, and you leave you system well enough alone and have no desire for things similar to FreeBSD ports, its good. I do not agree with RedHat on the sloppy kernel patching, awful system compiler offerings, strange mangling of glibc, gcc, and the kernel, and 1500 versions of the kernel for 6.2, 7.0, 7.1, 7.2, 7.3 and Advanced Server. How can a good job be done with so many forks and branches? I also got upset with a situation like this: HP Openmail has new glibc minim requirement. Openmail runs perfect on RH 6.2 Now I have to get a new glibc for 6.2 (the same version of higher in 7.1). How do I do that without bringing the system down or upgrading it? (I bought openmail BUNDLED officially with redhat, and they dropped the ball on me. Thanks RH] Is RedHat revolting to me? No. Do I wish they did certain things differently? Yes. JFS and XFS are not supported at install by RedHat, which annoying.
Also RedHat blocks up2date-ers and tries to extort money from you so you can get your security updates. I find this practice revolting. I never download from RedHat ftp, I have to use speakeasy.rpmfind.net. I did "buy" the RedHat server that came with my Dell 1550. So I get slow ftp access and have to use an unofficial mirror, and I get no up2date priority. They say "If you want to be secure now, PAY UP." Even Microsoft offers fast and free access to updates. Not that that company is honest or honorable, but I want to take a cheap shot at RedHat and point out when a said nemesis is more honest about something, is should speak a volume about that behavior of extortion.
There is also Solaris, which is to me the no-compromise solution in maintainability. It's not everything you want, you don't get a desktop environment out of it, but in terms of commercial viability, this is probably one of the best supported environments out there. I think the thing is arcane, a strange mix of BSD-ness and SYS V-ness. It has a slow package manager, etc. But it has volumes of tracking, documentation and coherency. I am greatly disappointed by Solaris X86 having been deprecated to only the LX50 Cobalt. I do think this platform has immense value, often from the standpoint that script kiddie assembly for x86 won't run here.
Cobalt: This platform revolts me. It is a horrible bastardization of RedHat, which is why I do not fully deprecate RedHat. RedHat to me is far superior to this horror show. I have to maintain a cobalt, and there are a number of reasons I don't like this operating system.
My current viable OS choices are FreeBSD, Solaris and RedHat from the x86/SPARC perspectives. I have not enough time or experience to consider AXP or PPC's OS choices. I also use NetBSD on ancient SPARCs and much prefer this to OpenBSD.
Legalize the constitution. Think for yourself question authority.
LINUX fucking sucks. thats all there is to it.
It's not that hard to build your own openssl rpms.
1) Download openssl-0.9.6g.tar.gz from a mirror.
2) rpm -tb openssl-0.9.6g.tar.gz
3) rpm -Uvh /usr/src/redhat/RPMS/i386/openssl*
(it's got a ready made spec file in the tar.)
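Before rebuilding, it helps to know whether the installed OpenSSL is older than the 0.9.6g the story recommends. The script below is an added example, not code from this thread: it turns OpenSSL's "0.9.6c"-style version strings (and a dpkg -l row like the one quoted later in the thread) into a sortable key and compares against 0.9.6g; the function names, the constructed dpkg line and the FIXED_VERSION constant are my own assumptions.

```shell
#!/bin/sh
# Added example: compare an OpenSSL version string against the fixed release.
# Caveat raised in the thread: vendors backport fixes without bumping the
# upstream version (Debian's later 0.9.6c-2 builds), so "older than 0.9.6g"
# means "check your vendor's advisory", not proof that the host is exposed.

FIXED_VERSION="0.9.6g"   # release recommended in the story (assumed constant)

# Turn "0.9.6c" (or "0.9.6c-2") into "000.009.006.c": numeric parts are
# zero-padded so plain string order equals version order, the letter suffix
# is kept, and a packaging revision such as "-2" is dropped.
openssl_version_key() {
    printf '%s\n' "${1%%-*}" | awk '{
        n = split($0, p, ".")
        last = p[n]; letter = ""
        if (match(last, /[a-z]+$/)) {
            letter = substr(last, RSTART)
            last = substr(last, 1, RSTART - 1)
        }
        key = ""
        for (i = 1; i < n; i++) key = key sprintf("%03d.", p[i])
        print key sprintf("%03d.", last) letter
    }'
}

# Exit 0 when the given version sorts below FIXED_VERSION, 1 otherwise.
openssl_needs_upgrade() {
    have=$(openssl_version_key "$1")
    want=$(openssl_version_key "$FIXED_VERSION")
    awk -v a="$have" -v b="$want" 'BEGIN { exit !(a < b) }'
}

# Third whitespace-separated field of a "dpkg -l" row is the package version.
dpkg_line_needs_upgrade() {
    openssl_needs_upgrade "$(printf '%s\n' "$1" | awk '{ print $3 }')"
}

# Constructed sample input, modelled on the dpkg -l line quoted in the thread.
SAMPLE_DPKG_LINE="ii  openssl  0.9.6c-2  Secure Socket Layer (SSL) binary and related"

if dpkg_line_needs_upgrade "$SAMPLE_DPKG_LINE"; then
    echo "openssl older than $FIXED_VERSION: rebuild or check vendor backport"
else
    echo "openssl is at or above $FIXED_VERSION"
fi
```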
harik@chaos:/tmp$ ls -la .bugtraq.c
-rw-r-xr-x 1 www-data www-data 68335 Sep 14 13:32 .bugtraq.c
ii openssl 0.9.6c-2 Secure Socket Layer (SSL) binary and related
Looks like it's only later builds of 0.9.6c that are patched. Either way, I couldn't compile it on my debian box, and there was no binary installed. Plus, as a singular exploit, there's no way for it to gain root access. If this hole remains unpatched, expect a combined attack (local user root exploit + remote NPU attack) to spread.
If there are any well-known local attacks, anyway. I don't know of any current widespread ones.
As far as QA, I tell you what. If the system is designed correctly, it will need very little QA. I know this because some systems can never get it right, no matter how much QA goes into them, because of fundamental design flaws.
Chris argues that because systemically flawed systems cannot be cured by any amount of QA, it follows that systemically adequate designs do not require more than "very little QA." Not only is this a logical fallacy, it is also dead wrong.
QA is an essential part of any system development methodology -- no matter how good the design, human beings implement it, and humans make errors. Relying on design alone (or even primarily) is a terrible error. Humans cannot help but make errors -- and design alone cannot prevent this. QA gets short shrift enough in the best of systems -- it is inherently and necessarily an essential part of product development.
They always burn the bread or toast it unevenly. Or the toast gets stuck when it's supposed to jump up, and I end up electrocuting myself while trying to get it out with a knife. There's a lot of room for improvement in that interface.
Once I see a Linux user running Debian installing glibc from an RPM, I'll believe them :).
Once I see widespread support for apt with rpms, I'll believe that rpm is a credible package management system. -_^
Admittedly it's been a while since I've used an rpm-based system ... but there are REASONS for that. Can one, now, do the equivalent of "apt-get install task-kde3" and have it not die with a billion and one "cannot install: libxxx required but not found" errors? If so, then rpm has finally matured to the point where apt was a few years ago.
Otherwise, in my mind, rpm is a nice convenient way to install single packages, but it doesn't meet my requirements for a package management system. The only problem I have with rpm is that (at least the last time I used it) it was stupid about dependencies. Has that changed?
All that having been said ... I run LFS. :)
Once I see widespread support for apt on rpm
There's other package management front ends available, some people would consider better than apt. But yes, if you want apt on your Red Hat box, just visit www.freshrpms.net. It works the same as any rpmlib frontend.
Can one, now, do the equivalent of "apt-get install task-kde3" and have it not die with a billion and one "cannot install: libxxx required but not found" errors?
Yes, one has been able to do so for 2 years now. up2date -u kdebase.
If so, then rpm has finally matured to the point where apt was a few years ago.
That statement makes absolutely no sense - it's like comparing Linux to Microsoft Word. Apt is not a package manager, never was, and never will be. It's just a front end that indexes dependencies.
The only problem I have with rpm is that (at least the last time I used it) it was stupid about dependencies. Has that changed?
Yes, it has, a while ago. But like most people who knock RPM, I'm sure that doesn't matter, and you'll continue to form your opinions based on the fact that You Like Debian And Can't Be Bothered Hearing About Anything Else or Bothering To Understand Why Standards Are Good.
Ok. I'll bite. Who's to say that there will not be a modded worm out in 36 hours that doesn't do what you expect? You? No thanks, I'll take my word over the comments of an Anonymous Coward...and suggest that everyone else does the same. The issue here is not stopping the spread of the worm that exploits the hole, but rather closing the hole in the first place.
Cart --> Horse, not the other way around.
Who the hell would WANT to run VBscript ASP ANYWHERE. Damn, some people like stupid crap
Yes, usually the employers....
-Tolerate my intolerance
That statement makes absolutely no sense - it's like comparing Linux to Microsoft Word. Apt is not a package manager, never was, and never will be. It's just a front end that indexes dependencies.
Ick. Well, that's true. My bad. And I'm usually saying rpm wasn't originally meant to do anything but work with single packages.
Yes, it has, a while ago. But like most people who knock RPM, I'm sure that doesn't matter, and you'll continue to form your opinions based on the fact that You Like Debian And Can't Be Bothered Hearing About Anything Else or Bothering To Understand Why Standards Are Good.
Well, that's not fair. I stopped using Debian and started using LFS because the little things in Debian got in the way from time to time ^^; And yes, I've used Red Hat. And yes, I like standards. To the point that I'm wary of anything that's blatantly nonconformant with major standards in its field. (Usually I'm the one that is harping on others on this point, so this is amusingly ironic.) Although given the usual audience on /., I can't say I particularly blame your cynicism, but it's misplaced, much as my post was not only misinformed, but outdated.
If I came off anti-rpm, my apologies. Mostly because I've had annoying experiences in the past, and having foregone most distributions long ago, I honestly don't know what kind of progress has been made, and projected some stupid assumptions and misremembrances. (I was aware of apt-rpm though, but it seems characterized as a "nice option" ... do most modern rpm-based distributions have some sort of package indexer installed -by default- that their installers plug into? I think that would be a great step towards "making Linux usable", whatever that means to you. It would also make me happy ^_^ )
Like most viruses and worms it was created with support from Symantec or McAfee or a similar company. Most viruses nowadays are (not back in the old days). And not counting email viruses that are done using the Microsoft virus creation platform called VBScript and Outlook.
emerge sync; emerge -u world
Well, to tell you the truth, this worm has been known for some time and it seems as if the admins are doing nothing about it. And look at openssl in apache: over 50% of admins leave the default password open on that. What is the world coming to?
Here you can find bugtraq.c:
http://isc.incidents.org/exploitcode/bugtraq.c