OpenSSL Vulnerability
This looks to be pretty new and I haven't found anything addressing the issue as of yet. Just curious...

OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
http://online.securityfocus.com/bid/5363/solution

Linux.Slapper.Worm
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.h...

Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.

------------------------------
TheClerk.com Networks Webmail

- in reference to SuSE 8.0

# rpm -qa |grep openssl
openssl-0.9.6c-80
openssl-devel-0.9.6c-80
openssl-doc-0.9.6c-80

Quoting bryan@theclerk.com:
> This looks to be pretty new and I haven't found anything addressing the issue as of yet.
> Just curious...
> OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
> http://online.securityfocus.com/bid/5363/solution
> Linux.Slapper.Worm
> http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.h...
> Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.
> ------------------------------
> TheClerk.com Networks Webmail
------------------------------ TheClerk.com Networks Webmail
* bryan@theclerk.com (bryan@theclerk.com) [020913 15:42]:
:: - in reference to SuSE 8.0
::
::# rpm -qa |grep openssl
::openssl-0.9.6c-80
::openssl-devel-0.9.6c-80
::openssl-doc-0.9.6c-80

Roman could correct me, but from what I know this OpenSSL worm takes advantage of an OpenSSL bug from a month or so ago. SuSE updated OpenSSL after that bug was announced. Their policy, as has been stated on this list over and over again, is that they do not upgrade the version number. They instead patch the existing version and make a new package so as not to break deps within the system. Most likely there could be 5 new openssl bugs in the next year and unless it was absolutely unavoidable.. the package number for 8.0 will be 0.9.6c. If you think about everything that has been compiled against this version that would have to be recompiled and put out again.

--
Ben Rosenberg
---===---===---===---
mailto:ben@whack.org
Tell me what you believe.. I tell you what you should see.
On Fri, Sep 13, 2002 at 05:33:24PM -0500, bryan@theclerk.com wrote:
> This looks to be pretty new and I haven't found anything addressing the issue as of yet.
> Just curious...

Just run "rpm -q openssl --changelog"

> OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
> http://online.securityfocus.com/bid/5363/solution
> Linux.Slapper.Worm
> http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.h...
> Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.

No need if you are using SuSE packages:

on 7.3 (openssl-0.9.6b-150):
* Fri Jul 26 2002 - okir@suse.de
- Added security patch for remotely exploitable buffer overflows

on 8.0 (openssl-0.9.6c-80)
* Fri Jul 26 2002 - okir@suse.de
- Added security patch for remotely exploitable buffer overflows

Regards,
-Kastus
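The changelog check suggested in the replies above, as an added example that is not part of the original thread: since the fix is backported without changing the 0.9.6c version number, the script filters "rpm -q openssl --changelog" output for security entries dated on or after a cutoff. The function names and the cutoff 20020701 are assumptions, and the sample changelog is constructed (its 2002 entry is the one quoted in the thread, its 2001 entry is made up).

```shell
#!/bin/sh
# Added example (not from the thread): read a package changelog instead of
# trusting the version string. On a live system the input would come from
#   rpm -q openssl --changelog

# security_entries_since CUTOFF   (CUTOFF is YYYYMMDD, chosen by the admin)
# Reads rpm changelog text on stdin; prints "YYYYMMDD<TAB>text" for each entry
# line that mentions "security" and is dated on or after CUTOFF.
security_entries_since() {
    awk -v cutoff="$1" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= n; i++) month[names[i]] = i
    }
    # Entry header, e.g. "* Fri Jul 26 2002 - okir@suse.de"
    $1 == "*" && ($3 in month) {
        stamp = sprintf("%04d%02d%02d", $5, month[$3], $4)
        next
    }
    # Body line of the entry whose header was seen last
    stamp != "" && (stamp + 0) >= (cutoff + 0) && tolower($0) ~ /security/ {
        sub(/^[ \t]*-[ \t]*/, "")
        printf "%s\t%s\n", stamp, $0
    }'
}

# backport_status CUTOFF: "security-entry-found" or "none-found". A hit still
# has to be read by a person; no hit means the package needs a closer look.
backport_status() {
    if [ -n "$(security_entries_since "$1")" ]; then
        echo security-entry-found
    else
        echo none-found
    fi
}

# Constructed sample: the 8.0 entry quoted in the thread, plus a made-up
# older entry that must be ignored because it predates the cutoff.
sample_changelog() {
    cat <<'EOF'
* Fri Jul 26 2002 - okir@suse.de

- Added security patch for remotely exploitable buffer overflows

* Tue May 15 2001 - packager@example.invalid

- Security fix (constructed entry, unrelated to this advisory)
EOF
}

sample_changelog | security_entries_since 20020701
```

On a real host, replace sample_changelog with the rpm command and pick the cutoff a few weeks before the advisory, since vendor entries can predate the public announcement.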
Hello all,

Is the vulnerability in /usr/lib/apache/libssl.so? I downloaded the new version of openssl and successfully compiled the "openssl" binary... make test was OK! Now how must I compile the new libssl.so for Apache? Or what must I do to rebuild a non-vulnerable version of openssl? Many thanks for help in advance.

Greetings
Joachim

-----Original Message-----
From: Konstantin (Kastus) Shchuka [mailto:kastus@tsoft.com]
Sent: Saturday, 14 September 2002 05:04
To: suse-security@suse.com

OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
http://online.securityfocus.com/bid/5363/solution
Linux.Slapper.Worm
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.

No need if you are using SuSE packages:

on 7.3 (openssl-0.9.6b-150):
* Fri Jul 26 2002 - okir@suse.de
- Added security patch for remotely exploitable buffer overflows
On Fri, 13 Sep 2002, Konstantin (Kastus) Shchuka wrote:
> on 7.3 (openssl-0.9.6b-150):
> * Fri Jul 26 2002 - okir@suse.de
> - Added security patch for remotely exploitable buffer overflows
> on 8.0 (openssl-0.9.6c-80)
> * Fri Jul 26 2002 - okir@suse.de
> - Added security patch for remotely exploitable buffer overflows

At one time there was another build on the servers that shows a more recent changelog entry - I don't know why that is missing from the Aug 22 build 150 - can anyone tell me if the tweak was security-related or not?

for 7.3
openssl-0.9.6b-147.i386.rpm (i386 tree)
Release : 147
Build Date: Mon 29 Jul 2002 12:53:17 PM EDT

* Mon Jul 29 2002 - okir@suse.de
- Another iteration of the security patch from the OpenSSL team

dproc
> Just run "rpm -q openssl --changelog"
> OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
> http://online.securityfocus.com/bid/5363/solution
> Linux.Slapper.Worm
> http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
> Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.
> No need if you are using SuSE packages:
> on 7.3 (openssl-0.9.6b-150):
> * Fri Jul 26 2002 - okir@suse.de
> - Added security patch for remotely exploitable buffer overflows
> on 8.0 (openssl-0.9.6c-80)
> * Fri Jul 26 2002 - okir@suse.de
> - Added security patch for remotely exploitable buffer overflows
> Regards,
> -Kastus
How about SuSE 7.0? Do I have to upgrade, or will patched versions come to this version?
On Mon, Sep 16, 2002 at 12:37:14AM +0200, Stefan Nilsen wrote:
> How about SuSE 7.0?
> Do I have to upgrade, or will patched versions come to this version?

Please look at http://www.suse.com/de/security/2002_027_openssl.html

openssl-0.9.5a-59.src.rpm is the patched package for 7.0

Regards,
-Kastus
participants (6)
- Ben Rosenberg
- bryan@theclerk.com
- dproc@dol.net
- Joachim Hummel
- Konstantin (Kastus) Shchuka
- Stefan Nilsen