Last Updated on April 14, 2017 by Dave Farquhar
There’s a nasty vulnerability in recent SSL libraries that an Apache-based worm is currently exploiting. The patch is obviously the most critical on machines that are running secure Apache sites. But if you don’t like vulnerabilities, and you shouldn’t, go get your distribution’s latest updates.
This is why I like Debian; a simple apt-get update && apt-get upgrade brings me right up to speed.
CERT pointed out that Apache installations that contain the ServerTokens ProductOnly directive in their httpd.conf file aren’t affected. (I added it under the ServerName directive in my file–it’s not present at all in Debian by default.) This will hurt Linux’s standings in Netcraft, but are you more interested in security or advocacy? Increasingly, I’m more interested in security. No point in bragging that you’re more secure than Windows. Someone might make you prove it. I’d rather let someone else prove it.
While you’re making Apache volunteer as little information as possible, you might as well make the rest of your OS as quiet as possible too. You can find some information on that in an earlier post here.
David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.