> I was very interested by your posting - according to the various news
> reports, the slapper worm affects only Linux and was fixed from openSSL
> 0.9.6e onwards. However, you're saying that, although your server is
> unable to be infected, it still crashes when probed by the worm.

Goes unresponsive, not crashes. And by searching for the log messages generated (same as in the security report), I've found at least 20 other reports of the same thing on both Solaris sparc and intel, AND on Linux systems with the proper patches.

The only "fix" is to change the Server: string so that the worm doesn't even try. Which is only a fix until the next mutation, as we well know.

> May I ask, is it just the daemon which happens to handle the worm
> request which dies? (I presume it is not the parent apache process!) Can
> you advise on a handy string to search for in the logs to see if we have
> been getting hit? (We have noticed various intermittent seg faults of
> apache daemons but thought that this might be due to the race conditions
> reported in the latest CHANGES log, i.e. 0.9.6g to 0.9.6h).

Not dies, but goes out to lunch. No segv's, but apache becomes unresponsive for the virtual host in question. Since the worm scans the entire address space, every virtual host becomes unresponsive within the space of 20-30 seconds. It stays unresponsive for the configured 'Timeout' period.

See the same questions on this same list, about Apache going away for 5 minutes - which is the default configuration for Timeout. Searches find many people lowering the timeout to minimize the effect on their already patched and supposedly 'safe' servers.

Thus my confusion on this topic -- people are feeling the brunt, and there are numerous posts about changes to minimize the effect. But all of these fixes are either (1) breaking something else or (2) security through obscurity. We should definitely be investigating a real fix, and I'm not seeing anything which indicates this.

And again, my money behind my mouth. But given that this bug clearly affects everyone, I believe strongly that a lot of people could pool together and pay for a fix.

-- 
Joe Rhett
Chief Geek
[EMAIL PROTECTED]
ISite Services, Inc.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
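The question quoted above asks for "a handy string to search for in the logs", and the reply points at the messages in the security report without repeating them. The following is an added example, not code from the post or from the OpenSSL or Apache projects, of how a defender can triage an Apache 1.3-style error_log for probe bursts: it parses the `[date] [level] [client IP] message` line format, counts signature hits per source address, and flags time windows where the hit count alone would explain every virtual host stalling for the Timeout period. The signature string `PROBE_SIGNATURE` is an assumption (the hostname-less HTTP/1.1 request message that contemporary reports associated with the worm's first connection) and is kept as a parameter so it can be replaced with whatever the current advisory lists; the log lines in `SAMPLE_ERROR_LOG` are constructed for the example.

```python
"""Added example: triage Apache 1.3-style error_log lines for worm-probe bursts.

Not code from the original post. Assumes the error_log line format
'[date] [level] [client IP] message' and a probe signature string that is
an assumption here, not a fact established by the post.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed signature: the message Apache 1.3 logs when a client sends an
# HTTP/1.1 request without a Host header. Swap in the string from the
# advisory you are working from; it is a parameter everywhere below.
PROBE_SIGNATURE = "client sent HTTP/1.1 request without hostname"

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat Sep 14 10:15:22 2002"
EPOCH = datetime(1970, 1, 1)       # naive reference point, so bucketing is TZ-independent

# Constructed sample log: three hits from one source inside a minute, one
# unrelated error, one hit from a second source later, one malformed line.
SAMPLE_ERROR_LOG = """\
[Sat Sep 14 10:15:22 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Sep 14 10:15:23 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Sep 14 10:15:31 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Sat Sep 14 10:15:40 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Sep 14 10:22:05 2002] [error] [client 203.0.113.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
this line is not in the expected format
""".splitlines()


def parse_line(line):
    """Parse one error_log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return {"ts": ts, "level": m.group("level"), "ip": m.group("ip"), "msg": m.group("msg")}


def find_probes(lines, signature=PROBE_SIGNATURE):
    """Return parsed records whose message contains the probe signature."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and signature in rec["msg"]:
            hits.append(rec)
    return hits


def probes_per_client(lines, signature=PROBE_SIGNATURE):
    """Count signature hits per source address (who is scanning us)."""
    return Counter(rec["ip"] for rec in find_probes(lines, signature))


def burst_windows(lines, window_seconds=60, threshold=3, signature=PROBE_SIGNATURE):
    """Bucket hits into fixed windows and return those at or above threshold.

    A burst of probes is what leaves every virtual host stalled for the
    configured Timeout, so the window count, not the total, is the alert
    condition worth watching.
    """
    buckets = Counter()
    for rec in find_probes(lines, signature):
        secs = int((rec["ts"] - EPOCH).total_seconds())
        buckets[secs - secs % window_seconds] += 1
    return {EPOCH + timedelta(seconds=k): v for k, v in buckets.items() if v >= threshold}


if __name__ == "__main__":
    print("probes per client:", dict(probes_per_client(SAMPLE_ERROR_LOG)))
    for start, n in sorted(burst_windows(SAMPLE_ERROR_LOG).items()):
        print(f"burst: {n} probes in the minute starting {start}")
```

Run against a real error_log with `find_probes(open("/path/to/error_log"))`; the file object iterates line by line, so it does not need to fit in memory. Lowering `threshold` or widening `window_seconds` trades false positives for earlier warning, which is the same trade-off the Timeout discussion on the list is really about.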