RE: [suse-security] Re: OpenSSL Vulnerability
For those who want to know more about the SSL/OpenSSL vulnerability: Have a look at www.e-secure-db.us

This is a very complete free online ICT Security Vulnerability database. It contains over 60,000 items, categorised over 2500 folders, in tree structure on anything to do with ICT security, vulnerabilities on product level, incl. history, security product vulnerabilities, product comparisons, and thousands of other subjects.

Specific info on the SSL worm:

Suse folder: http://www.e-secure-db.us/dscgi/ds.py/View/Collection-229

Although we also make reference to it in the Apache and modssl folders, all info on the SSL worm is combined in:

SSL/OpenSSL folder: http://www.e-secure-db.us/dscgi/ds.py/View/Collection-348

In there you find a very complete audit trail on Slapper/SSL worm. Batch updated up to Sept 16 3 AM New Zealand Time (GMT +12)

Comments (very) welcome.

Best regards,
Arjen de Landgraaf
New Zealand
www.e-secure-it.co.nz

-----Original Message-----
From: Thomas Lamy [mailto:Thomas.Lamy@netwake.de]
Sent: Monday, 16 September 2002 6:13 p.m.
To: 'Joachim Hummel'; suse-security@suse.com
Cc: 'security@suse.de'
Subject: [suse-security] Re: OpenSSL Vulnerability
-----Original Message-----
From: Joachim Hummel [mailto:joachim.hummel@ebe-online.de]
Sent: Sunday, 15 September 2002 20:18

-----Original Message-----
From: Konstantin (Kastus) Shchuka [mailto:kastus@tsoft.com]
Sent: Saturday, 14 September 2002 05:04
To: suse-security@suse.com
OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
http://online.securityfocus.com/bid/5363/solution

Linux.Slapper.Worm
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.
No need if you are using SuSE packages:
on 7.3 (openssl-0.9.6b-150):

* Fri Jul 26 2002 - okir@suse.de
- Added security patch for remotely exploitable buffer overflows
I think it would be wise to include reusable information in the changelog, such as CVE-IDs, CERT Advisory numbers, and of course SuSE SA number(s). This way one does not have to further investigate "which buffer overflow was announced in the last 30 days before the patch was made".

Just my 0,02 Eur

Thomas

PS: CC'ed security@suse.de as indirectly requested by Roman :-)

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
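As an added example (not from any of the posters), here is the check the exchange above points at: parse RPM-style changelog entries like the SuSE 7.3 one Joachim quotes, flag the security-relevant ones, and report whether each cites the tracking identifiers Thomas asks for, so you can tell from the package metadata which fix is present instead of guessing. The second changelog entry, its author address and the CVE-YYYY-NNNN / SUSE-SA:YYYY:NNN identifiers are constructed placeholders; in practice feed the function the output of `rpm -q --changelog openssl`.

```python
import re
from datetime import date, datetime

# Constructed sample in RPM changelog format. The first entry is the SuSE 7.3 entry quoted
# in the thread; the second illustrates Thomas's suggestion (identifiers are placeholders).
SAMPLE_CHANGELOG = """\
* Fri Jul 26 2002 - okir@suse.de
- Added security patch for remotely exploitable buffer overflows
* Tue Jul 30 2002 - maintainer@example.invalid
- Backported fix for SSLv2 client master key overflow (CVE-YYYY-NNNN, SUSE-SA:YYYY:NNN)
"""

ENTRY_RE = re.compile(r"^\* (\w{3} \w{3} +\d{1,2} \d{4}) - (\S+)$")
# \w rather than \d in the identifier patterns so the placeholder ids above are matched too.
ID_RE = re.compile(r"\b(CVE-\w{4}-\w{4,}|SUSE-SA:\w{4}:\w{3}|CA-\w{4}-\w{2})\b")
SECURITY_WORDS = ("security", "overflow", "exploitable", "vulnerab")

def parse_changelog(text):
    """Return a list of {'date', 'author', 'items'} dicts in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%a %b %d %Y").date()
            entries.append({"date": when, "author": m.group(2), "items": []})
        elif line.startswith("- ") and entries:
            entries[-1]["items"].append(line[2:])
    return entries

def security_entries(text):
    """Security-relevant items, each with the tracking identifiers it cites (may be none)."""
    found = []
    for entry in parse_changelog(text):
        for item in entry["items"]:
            if any(word in item.lower() for word in SECURITY_WORDS):
                found.append({"date": entry["date"], "item": item,
                              "ids": ID_RE.findall(item)})
    return found

def patched_on_or_after(text, since_iso):
    """True if any security-relevant entry is dated on or after since_iso (YYYY-MM-DD)."""
    since = date.fromisoformat(since_iso)
    return any(e["date"] >= since for e in security_entries(text))

if __name__ == "__main__":
    for e in security_entries(SAMPLE_CHANGELOG):
        tag = ", ".join(e["ids"]) or "no tracking id: reader must guess which bug"
        print(f"{e['date']}  {e['item']}\n    -> {tag}")
```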