-----Original Message----- From: Joachim Hummel [mailto:joachim.hummel@ebe-online.de] Sent: Sunday, 15 September 2002 20:18
-----Original Message----- From: Konstantin (Kastus) Shchuka [mailto:kastus@tsoft.com] Sent: Saturday, 14 September 2002 05:04 To: suse-security@suse.com
OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability http://online.securityfocus.com/bid/5363/solution
Linux.Slapper.Worm
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.
No need if you are using SuSE packages:
on 7.3 (openssl-0.9.6b-150):
* Fri Jul 26 2002 - okir@suse.de
- Added security patch for remotely exploitable buffer overflows
I think it would be wise to include reusable information in the changelog, such as CVE IDs, CERT advisory numbers, and of course SuSE SA number(s). This way one would not have to investigate further "which buffer overflow was announced in the last 30 days before the patch was made".

Just my 0,02 Eur
Thomas

PS: CC'ed security@suse.de as indirectly requested by Roman :-)
Hi,

I would like to know which rpm is the correct AND current one for a SuSE IMAP 2 server (ssl and ssh). Sometimes I have to use patches from i386/7.0, sometimes from products/emailserver2.0. It's not as clear as it could be.... Wouldn't it be better to place all current rpms for a commercial product under products/emailserver/XX.0, so I only have to check this place to look for the right rpm?

Bye, Peer
_________________________________________________________
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Carl-Zeiss-Promenade 10      Telefon: ++49 3641 6437-52
D-07745 Jena                 Telefax: ++49 3641 6437-10
On Mon, Sep 16, 2002 at 08:12:43AM +0200, Thomas Lamy wrote:
> on 7.3 (openssl-0.9.6b-150):
> * Fri Jul 26 2002 - okir@suse.de
> - Added security patch for remotely exploitable buffer overflows
>
> I think it would be wise to include reusable information in the changelog, such as CVE IDs, CERT advisory numbers, and of course SuSE SA number(s). This way one would not have to investigate further "which buffer overflow was announced in the last 30 days before the patch was made".
Yes, but I think the changelog isn't really the place to put this sort of thing. If you look at our advisory though you'll notice that the header section says:

    Package:            openssl
    Announcement-ID:    SuSE-SA:2002:027
    .. bla bla bla ..
    Cross References:   CAN-2002-0656, CAN-2002-0657, CAN-2002-0655,
                        CERT Advisory CA-2002-23

So you can see that it lists the CVE and CERT ids as you suggest (with the exception that when we published the advisory, the vulnerabilities had just CAN numbers, and had not been approved by the CVE board).

Olaf
--
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
----------------+ ISO water torture. -- Peter Gutmann
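The SuSE packages discussed in this thread keep the upstream version string (0.9.6b stays 0.9.6b) and carry the fix only in a higher release number and a changelog entry, so `openssl version` cannot tell you whether a box is exposed. The script below is an added example, not code from the thread, from SuSE or from OpenSSL; it shows the check that Joachim's "no need if you are using SuSE packages" and Thomas's changelog suggestion both imply: pull the advisory identifiers out of the package changelog and compare the installed VERSION-RELEASE against the patched release. The changelog text is constructed to mimic `rpm -q --changelog openssl` output; its identifier line is an assumption about what the 7.3 entry would look like if written the way Thomas proposes (the real entry quoted above names no CANs), using the IDs from the SuSE-SA:2002:027 header in Olaf's reply. The version comparison is a simplified, hypothetical rpmvercmp, not rpm's own.

```shell
#!/bin/sh
# Added example (not from the thread, SuSE or OpenSSL): decide from rpm
# metadata whether an installed SuSE openssl package carries the SSLv2 fix.
# A backported package keeps the upstream version (0.9.6b), so only the
# release number and the changelog can tell you that the patch is in.

# Constructed sample of `rpm -q --changelog openssl` output. The identifier
# line is an assumption: the 7.3 entry written as Thomas suggests, with the
# IDs from the SuSE-SA:2002:027 header. The second entry is filler.
SAMPLE_CHANGELOG='* Fri Jul 26 2002 - okir@suse.de
- Added security patch for remotely exploitable buffer overflows
  (CAN-2002-0655, CAN-2002-0656, CAN-2002-0657, CERT CA-2002-23, SuSE-SA:2002:027)
* Mon Jul 01 2002 - someone@example.com
- unrelated earlier change (constructed filler entry)'

# advisory_ids: read changelog text on stdin, print every CVE/CAN, CERT CA
# and SuSE-SA identifier it mentions, once each.
advisory_ids() {
    grep -oE 'C(VE|AN)-[0-9]{4}-[0-9]+|CA-[0-9]{4}-[0-9]+|SuSE-SA:[0-9]{4}:[0-9]+' | sort -u
}

# changelog_covers ID TEXT: succeed if the changelog TEXT names identifier ID.
changelog_covers() {
    printf '%s\n' "$2" | advisory_ids | grep -qxF "$1"
}

# segments VR: split an rpm "VERSION-RELEASE" string into the segments a
# simplified rpmvercmp compares: "0.9.6b-150" -> "0 9 6 b 150".
segments() {
    printf '%s\n' "$1" | sed -e 's/[^0-9A-Za-z][^0-9A-Za-z]*/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g'
}

# seg_cmp X Y: print lt, eq or gt for one segment pair. Two numbers compare
# numerically, anything else in plain string order; a missing segment is lowest.
seg_cmp() {
    if [ -z "$1" ] && [ -z "$2" ]; then echo eq; return; fi
    if [ -z "$1" ]; then echo lt; return; fi
    if [ -z "$2" ]; then echo gt; return; fi
    case "$1$2" in
        *[!0-9]*) ;;                       # not both numeric: string order below
        *) if [ "$1" -lt "$2" ]; then echo lt
           elif [ "$1" -gt "$2" ]; then echo gt
           else echo eq; fi
           return ;;
    esac
    if [ "$1" = "$2" ]; then echo eq
    elif [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$1" ]; then echo lt
    else echo gt; fi
}

# release_at_least INSTALLED REQUIRED: succeed if INSTALLED >= REQUIRED,
# e.g. 0.9.6b-151 >= 0.9.6b-150 and 0.9.6e-1 >= 0.9.6b-150, but not 0.9.6b-149.
release_at_least() {
    a=$(segments "$1"); b=$(segments "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        a=${a#"$x"}; a=${a# }
        b=${b#"$y"}; b=${b# }
        case $(seg_cmp "$x" "$y") in
            lt) return 1 ;;
            gt) return 0 ;;
        esac
    done
    return 0
}

# openssl_patched INSTALLED_VR FIXED_VR ID CHANGELOG: succeed only if the
# installed release is at least the fixed one AND the changelog names ID.
openssl_patched() {
    release_at_least "$1" "$2" && changelog_covers "$3" "$4"
}

# Stand-alone demo on the constructed sample. On a real SuSE box feed in
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl   and   rpm -q --changelog openssl
# instead of the two literals.
if openssl_patched 0.9.6b-150 0.9.6b-150 CAN-2002-0656 "$SAMPLE_CHANGELOG"; then
    echo "openssl-0.9.6b-150: fix for CAN-2002-0656 present"
else
    echo "openssl-0.9.6b-150: fix for CAN-2002-0656 NOT found"
fi
```

This looks only at rpm metadata: an OpenSSL that was compiled from source or statically linked into some daemon is not covered by the check, and the changelog test only works where the packager actually wrote the identifiers into the entry, which is the point Thomas and Olaf are arguing about.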
participants (3)
- Olaf Kirch
- Peer-Joachim Koch
- Thomas Lamy