Server Vulnerability!!!!!

[Rayn]

After the hacking of one of my friends site a guy I know took a look into the server I am on "Dragon" He was worried about the status of my site and found a hole in openssl... here is a link he gave me.

http://www.cert.org/advisories/CA-2002-23.html

This is serious. He was able to easily exploit this...

Not good.

[Polski]

I am on Dragon too. Hope Jaguar closes the hole asap.

[Zacrifice]

Well i hope that you have actually emailed Jag about this before posting it in the forum for other to see and possibly exloit.. and i also hoped you waited for them to fix it so that only a few people would know (And not all the users and possible onlookers to this forum) so that it could remain quite untill it is fixed

I mean. I truely do hope you emailed jag and had them fix it before opening your trap to the hole world

We wouldn't want everyone to know about this before it was fixed do we? because that would just be letting people know they can get in easly! and we don't want that!

[LeeUmm]

I have to totally agree with Zac here.
Please tell me you emailed jag or got a hold of him first before posting this.

[lookout]

Agreed, as if it's EVER appropriate to post such info in a public forum, anyway.

The scheduled Dragon move is only a few days away now. It was sooner, but it's been bumped. Might make all this moot. Keeping my fingers and toes crossed for as smooth a transition as possible. Worried that we may be taking a step backward though. Dragon seems like it has been one of the more reliable, well built servers. Not at all assured by the non-SCSI disk drives that Jag seems to favor, but that of course is matter of personal experience.

[megmond]

I don't think posting about a security hole is such a big problem. True, it's possibly better not to do it and just email support/whoever responsible, but the news is already 'out there' anyway, and 'real' hackers are most likely already aware of these holes before anyone gets around to post about it anyway.

And then at least it's good to know about the hole so you know what's going on if anything happens, or something can be done about it.

[lookout]

Understood that such holes are often already published and available elsewhere. But no need to advertise them further, IMHO. Kind of like inviting would be mischief makers to a promising target.

As a server, rather than client issue, the Jaguar support staff are the appropriate people to inform in these matters. At least that way they may have the opportunity to analyze and address the matter proactively, rather than reactively, in a way that they see fit. If for whatever reason they choose to do nothing, one can only hope that any potential vulnerabilities will remain undiscovered by those who might exploit them.