Mailinglist Archive: opensuse-security (375 mails)

Re: Package sendmail-tls with openssl vulnerability?
  • From: Sven Koch <haegar@xxxxxxxxxx>
  • Date: Thu, 19 Sep 2002 01:45:43 +0200 (CEST)
  • Message-id: <Pine.LNX.4.44.0209190144450.2419-100000@xxxxxxxxxxxxxxxx>
[repost with subscribed email-address]

On Thu, 19 Sep 2002, Hatto von Hatzfeld wrote:

> After updating the OpenSSL packages (and restarting the services)
[...]
> But on the smtp port 25 with option -s (i.e. with TLS) I get:
>
> VULNERABLE: does not detect small overflow
>
> What's wrong? Or: How to close this hole?

To the SuSE-Security-Team:

SuSE 7.1:

# rpm -qf /usr/sbin/sendmail
sendmail-tls-8.11.2-36

# ldd /usr/sbin/sendmail
libdl.so.2 => /lib/libdl.so.2 (0x4001d000)
libdb.so.2 => /lib/libdb.so.2 (0x40020000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4002e000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40044000)
libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40055000)
libc.so.6 => /lib/libc.so.6 (0x40060000)
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40173000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4017a000)
libpam.so.0 => /lib/libpam.so.0 (0x401a9000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

(no libssl or libcrypto here -> openssl hardlinked!)

The last update for 7.1 and sendmail-tls is dated Feb 9 2002, and thus
before the openssl hole.

# rpm -qf /usr/sbin/sendmail --changelog
* Wed Aug 22 2001 - werner@xxxxxxx

- Security Update: Fix for a signedness buffer overflow in tTflag()
(bugtraq ID 3163)
[...]

How many packages are still there and hardlinked against openssl, but
without updates?

i.A.
Sven Koch
Server Management

--
com.unit GmbH http://www.comunit.net/
Eiffestr. 598 20537 Hamburg | Germany
Phone +49-40-2111 05 25 Fax +49-40-2111 05 26
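One way to answer the closing question on a running system, as an added example that is not part of the original post: a small POSIX shell check that flags binaries where ldd lists no libssl/libcrypto but an "OpenSSL x.y.z" version banner is embedded in the file (the function names and the sample directory are my own; rpm -qf is used only when it is available).

```shell
#!/bin/sh
# Classify how a binary uses OpenSSL, so that packages carrying their own copy
# of the library (invisible to ldd) can be found and updated separately.
#   dynamic  - ldd lists libssl/libcrypto: fixed by updating the openssl package
#   embedded - ldd shows no libssl/libcrypto, but an "OpenSSL x.y.z" version
#              string is present in the file: the package itself must be rebuilt
#   none     - no evidence of OpenSSL in the file
openssl_linkage() {
    f=$1
    # ldd fails on non-ELF and fully static files; treat that as "nothing listed"
    libs=$(ldd "$f" 2>/dev/null || true)
    case "$libs" in
        *libssl.so*|*libcrypto.so*) echo dynamic; return 0 ;;
    esac
    # Poor man's strings(1): turn non-printable bytes into newlines, then look
    # for the version banner every OpenSSL build embeds (e.g. "OpenSSL 0.9.6c")
    ver=$(tr -c '[:print:]' '\n' <"$f" | grep -o 'OpenSSL [0-9][0-9A-Za-z.]*' | head -n 1)
    if [ -n "$ver" ]; then
        echo "embedded ($ver)"
    else
        echo none
    fi
}

# Walk a directory (e.g. /usr/sbin) and report only the binaries that embed
# OpenSSL without linking it dynamically, together with the owning package
# (rpm -qf, as in the post) when rpm is available.
scan_embedded_openssl() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        r=$(openssl_linkage "$f")
        case "$r" in
            embedded*)
                pkg=$(rpm -qf "$f" 2>/dev/null || echo "unknown package")
                echo "$f: $r [$pkg]" ;;
        esac
    done
}

# Usage on a real system: scan_embedded_openssl /usr/sbin
```

Binaries reported as "embedded" need a rebuilt package from the vendor; updating the openssl package alone does not touch them.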
