Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt.
The security update openssl release 20020812 by SuSE fixes the problem?

Thanx

--
SECNeT
We Run SuSE    Project Manager
*The LINUX Experts*    c/o Miguel Albuquerque
Av. Miremont 46
1202 - GE, SWITZERLAND
Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348
mailto:mfoacs@e-workshop.ch
http://mfoacs.e-workshop.ch

On Mon, Sep 16, 2002 at 01:31:02PM +0200, Miguel Albuquerque wrote:
> Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt.
> The security update openssl release 20020812 by SuSE fixes the problem? Thanx

It does.

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann

On Sep 16, Olaf Kirch wrote:
> > Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt. The security update openssl release 20020812 by SuSE fixes the problem? Thanx
> It does.
> Olaf

Why is mod_ssl.rpm from suse 7.1 dated 29-Jul-2002 13:47? Am I at risk???
I looked at http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/update/7.1/sec2/

Markus
--
__________________     /"\
Markus Gaugusch        \ /    ASCII Ribbon Campaign
markus@gaugusch.at      X     Against HTML Mail
                       / \

On Mon, Sep 16, 2002 at 04:37:02PM +0200, Markus Gaugusch wrote:
> > > The security update openssl release 20020812 by SuSE fixes the problem? Thanx
> > It does.
> > Olaf
> Why is mod_ssl.rpm from suse 7.1 dated 29-Jul-2002 13:47 ? Am I at risk???

All security holes discussed in http://www.openssl.org/news/secadv_20020730.txt refer to bugs in the OpenSSL libraries themselves, i.e. libssl and libcrypto. The vulnerability exploited by the worm is not in the mod_ssl module itself, it's in these libraries.

Hope this sheds some light on the issue.

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann

Hi,

the worm uses an error in the openssl package. So if you upgraded the openssl package from http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/update/7.1/sec1/ope... you should be secure.

With all those people panicking around, maybe a separate security announcement containing the necessary fixes (that are just links to the old updated packages... :P ) would be a good idea?

ciao
Tom

Markus Gaugusch wrote:
> On Sep 16, Olaf Kirch wrote:
> > > Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt. The security update openssl release 20020812 by SuSE fixes the problem? Thanx
> > It does.
> > Olaf
> Why is mod_ssl.rpm from suse 7.1 dated 29-Jul-2002 13:47 ? Am I at risk???
> I looked at http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/update/7.1/sec2/
> Markus

--
this is a maillist account, so please send personal replies to cso[at]trium[dot]de

Thomas Seliger wrote:
> With all those people panicking around, maybe a separate security announcement containing the necessary fixes (that are just links to the old updated packages... :P ) would be a good idea?

What about a small database where ppl can search announcement IDs from CERT etc. in the SuSE Security Announcements? So you see a warning somewhere about Bug/Exploit for CERT CA-2342 .. then you go to the suse-security-db and type in the CERT ID, and see the Announcements about that ID. Maybe a nice feature ... ;)

So long,
Sven

Hey,
FYI (and for all those who aren't subscribed to Bugtraq), here's a link
to an excellent analysis of the Modap/Slapper OpenSSL worm (in acrobat
reader format):
http://analyzer.securityfocus.com/alerts/020916-Analysis-Modap.pdf
There seems to be some misunderstanding of this worm. Its source code
(read: the current OpenSSL exploit) was leaked out and immediately
posted on several security mailing lists such as Bugtraq or Full
Disclosure, and the CERT guys (together with others) published an
incident report about it, but in the wild, there are at least three
versions of a worm-like program exploiting the latest OpenSSL/Apache
vulns.
The sources are commonly called pud.c (pud = Peer-to-Peer UDP
distributed denial of service), apache-worm.c (which is a
revised/modified version of pud.c), also various SSLv2 detection
programs have been sighted with contents of both sources. However, the
source the analysis refers to is pud.c.
For those who are interested, I did some sandbox tests with both source
versions, and both of them contain some really nasty (but nicely coded)
routines. I predict a growth of OpenSSL attacks after the public release
of all the sources within a week (if not within days/hours), and given
the danger level of these programs, all SSL-aware apps and tools should
be updated/recompiled with a known-good version of openssl (0.9.6e+)
quickly.
Boris
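
An added example, not part of any message in this thread: because the flaw sits in libssl/libcrypto rather than in mod_ssl, a daemon started before the openssl update keeps running the old library until it is restarted. The sketch below reads Linux `/proc/<pid>/maps` text and flags processes whose libssl/libcrypto mapping was replaced on disk; the sample maps, pids and library paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of /proc/<pid>/maps contents (not captured from a real host).
# pid 412: httpd started before the openssl update; its libraries were replaced on disk.
# pid 977: sshd restarted after the update.
SAMPLE_MAPS = {
    412: """\
08048000-080a1000 r-xp 00000000 03:02 81234 /usr/sbin/httpd
40020000-4004e000 r-xp 00000000 03:02 40211 /usr/lib/libssl.so.0.9.6 (deleted)
4004e000-40052000 rw-p 0002d000 03:02 40211 /usr/lib/libssl.so.0.9.6 (deleted)
40052000-40110000 r-xp 00000000 03:02 40212 /usr/lib/libcrypto.so.0.9.6 (deleted)
""",
    977: """\
08048000-08080000 r-xp 00000000 03:02 81300 /usr/sbin/sshd
40020000-400de000 r-xp 00000000 03:02 40377 /usr/lib/libcrypto.so.0.9.6
""",
}

# Matches a path whose file name is libssl.so* or libcrypto.so*
LIB_RE = re.compile(r"/lib(?:ssl|crypto)\.so[^/\s]*$")


def ssl_libraries(maps_text):
    """Return {library_path: is_stale} for libssl/libcrypto mappings in one maps file."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5].strip()
        # The kernel appends " (deleted)" when the mapped file no longer exists on disk
        stale = path.endswith(" (deleted)")
        if stale:
            path = path[: -len(" (deleted)")]
        if LIB_RE.search(path):
            found[path] = found.get(path, False) or stale
    return found


def needs_restart(maps_by_pid):
    """Return sorted pids still running a libssl/libcrypto copy that was replaced on disk."""
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any(ssl_libraries(text).values()))


if __name__ == "__main__":
    for pid, text in sorted(SAMPLE_MAPS.items()):
        for lib, stale in sorted(ssl_libraries(text).items()):
            print(pid, lib, "STALE: restart needed" if stale else "current")
```

On a live system the same functions can be fed the text of each readable `/proc/<pid>/maps` file. Statically linked programs never show a libssl mapping, so they have to be rebuilt against the fixed library rather than restarted.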

participants (6)
- Boris Lorenz
- Markus Gaugusch
- Miguel Albuquerque
- Olaf Kirch
- Sven 'Darkman' Michels
- Thomas Seliger