Zeus Technology has uploaded new binaries to fix the root compromise bug in the Zeus Webserver reported by Rain Forest Puppy yesterday. The bug affects all versions of Zeus prior to 3.3.2. It is recommended that customers upgrade as soon as possible. Customers who are not making use of the search module are not affected, and need only upgrade if they plan to start using it in the future.

Full details of how to upgrade to the new binaries are at:

http://support.zeustechnology.com/news/exploit.html

Customers upgrading from version 3.1.9 or earlier will need to follow the upgrade instructions at:

http://support.zeustechnology.com/faq/entries/z33migrate.html

It is also worth noting that, provided you had set the webserver to run as a non-privileged user, the risk from the search module bug is relatively slight, as someone exploiting it under those circumstances would find it difficult to compromise root, provided you have chosen a secure password for access to the admin server. This should serve as a reminder always to run your web process as a non-root user.

To ensure that the Zeus admin server is as secure as possible, you should restrict access to the admin server port (9090 by default) to designated machines. You can do this by setting access restrictions on the "Security Settings" configuration page for the admin server, and/or by configuring your firewall appropriately.

You should also ensure (to prevent Crack-type attacks on your admin server password) that you choose a password for the admin server which is as secure as one you would choose for root on your machine (i.e., a mixture of alphanumeric and punctuation characters, a mixture of upper and lower case, no dictionary words or parts thereof, etc.).

--
Julian Midgley
Technical Support Manager
jmidgleyat_private
Zeus Technology
http://www.zeustechnology.com

For technical support queries, email supportat_private, being sure to include your customer account number in the subject header.
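The password criteria in the message above (mixed case, digits and punctuation, no dictionary words or parts thereof) can be checked mechanically before an admin-server password is set. The following is an added example, not code from the original message or from Zeus: it implements those criteria as a policy check, and, because a Crack-style attack also tries common digit-for-letter substitutions, it looks at the password with such substitutions undone as well. WORDLIST is a constructed stand-in for a real cracking dictionary, and MIN_LENGTH and MIN_FRAGMENT are assumed values the advisory does not specify.

```python
"""Admin-server password policy check (added example, not Zeus code).

Applies the advisory's criteria: upper and lower case, digits, punctuation,
and no dictionary words or parts thereof.  The dictionary check is run on
the password both verbatim and with common leet substitutions undone, since
a cracker's mangling rules would cover those.  WORDLIST, MIN_LENGTH and
MIN_FRAGMENT are assumptions made for illustration.
"""
import string

# Constructed stand-in for a cracking dictionary; a real check would load a
# full wordlist (e.g. /usr/share/dict/words) plus site-specific terms.
WORDLIST = ("zeus", "admin", "password", "server", "secret", "root", "web")

MIN_LENGTH = 8     # assumed minimum length (the advisory gives no number)
MIN_FRAGMENT = 4   # assumed: a run of 4+ letters from a word counts as "part thereof"

# Substitutions a cracker's mangling rules would reverse (assumed table).
_UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                         "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalise(password: str) -> str:
    """Lower-case the password and undo the common leet substitutions."""
    return password.lower().translate(_UNLEET)


def dictionary_hits(password: str, words=WORDLIST, min_len: int = MIN_FRAGMENT) -> set:
    """Return the longest fragment (>= min_len chars) of each dictionary word
    found in the password, checked verbatim and with substitutions undone.
    An empty set means no dictionary material was found."""
    candidates = (password.lower(), _normalise(password))
    hits = set()
    for word in words:
        word = word.lower()
        found = None
        # Try longest fragments first so only the best match per word is reported.
        for length in range(len(word), min_len - 1, -1):
            for start in range(0, len(word) - length + 1):
                frag = word[start:start + length]
                if any(frag in cand for cand in candidates):
                    found = frag
                    break
            if found:
                break
        if found:
            hits.add(found)
    return hits


def check_admin_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password
    satisfies every criterion named in the advisory."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains dictionary word(s) or parts: " + ", ".join(sorted(hits)))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords: two that a Crack run would recover, one that passes.
    for pw in ("zeus2001", "Zeus!Adm1n", "Kq7#mzR!v2Lp"):
        verdict = check_admin_password(pw)
        print(pw, "->", "OK" if not verdict else "; ".join(verdict))
```

Note that "Zeus!Adm1n" satisfies every character-class rule and would pass a naive complexity check, yet it is rejected because undoing the substitutions exposes both "zeus" and "admin"; this is exactly the class of password a mangling-rule attack recovers quickly, which is why the dictionary check has to look past the surface characters.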
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:48 PDT