[repost with subscribed email-address] On Thu, 19 Sep 2002, Hatto von Hatzfeld wrote:
> After updating the OpenSSL packages (and restarting the services) [...] But on the smtp port 25 with option -s (i.e. with TLS) I get:
>
> VULNERABLE: does not detect small overflow
>
> What's wrong? Or: How to close this hole?
To the SuSE-Security-Team: SuSE 7.1:

# rpm -qf /usr/sbin/sendmail
sendmail-tls-8.11.2-36

# ldd /usr/sbin/sendmail
        libdl.so.2 => /lib/libdl.so.2 (0x4001d000)
        libdb.so.2 => /lib/libdb.so.2 (0x40020000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40044000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40055000)
        libc.so.6 => /lib/libc.so.6 (0x40060000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40173000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4017a000)
        libpam.so.0 => /lib/libpam.so.0 (0x401a9000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

(no libssl or libcrypto here -> openssl hardlinked!)

The last update for 7.1 and sendmail-tls is dated Feb 9 2002, and thus before the openssl hole.

# rpm -qf /usr/sbin/sendmail --changelog
* Wed Aug 22 2001 - werner@suse.de
- Security Update: Fix for a signedness buffer overflow in tTflag() (bugtraq ID 3163)
[...]

How many packages are still there and hardlinked against openssl, but without updates?

i.A. Sven Koch
Server Management -- com.unit GmbH
http://www.comunit.net/
Eiffestr. 598
20537 Hamburg | Germany
Fon +49-40-2111 05 25
Fax +49-40-2111 05 26
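The check Sven does by hand above (look at `ldd`, notice that libssl/libcrypto are missing, conclude that OpenSSL was linked statically) can be scripted so the same question can be asked of every binary on a host. The script below is an added example, not part of the original post or of any SuSE tooling. It assumes `ldd` and `strings` (from binutils) are available, and it relies on the fact that libcrypto compiles its own "OpenSSL x.y.z ..." version banner into the library, so a statically linked copy carries that banner inside the binary itself. The `SENDMAIL_LDD` sample is the ldd output quoted above; the `SENDMAIL_STRINGS` sample and its version number are constructed for the demo, not something the post found. A banner match only shows that OpenSSL code was compiled in; it does not tell you which fixes were applied, because vendors often backport patches without changing the version string, so the result is a list of candidates to compare against each package's changelog, as the post does with `rpm --changelog`.

```shell
#!/bin/sh
# Added example (not from the post): classify how a binary uses OpenSSL.
#   dynamic - ldd lists libssl/libcrypto, so updating the shared libraries covers it
#   static  - no shared dependency, but the OpenSSL version banner that libcrypto
#             compiles in is present in the binary itself (what the post calls "hardlinked")
#   none    - neither indicator found
# classify_from_text takes the ldd output and the strings output as arguments so it
# can be exercised offline; classify_binary wraps it for a real file.

classify_from_text() {
    ldd_text=$1
    strings_text=$2
    # libssl.so / libcrypto.so as a shared dependency (libssl3.so from NSS does not match).
    if printf '%s\n' "$ldd_text" | grep -Eq '^[[:space:]]*lib(ssl|crypto)\.so'; then
        echo dynamic
    # Version banner of the form "OpenSSL 0.9.6 ..." embedded in the binary.
    elif printf '%s\n' "$strings_text" | grep -Eq 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+'; then
        echo static
    else
        echo none
    fi
}

# Real-file wrapper; needs ldd and strings (binutils) on the host.
classify_binary() {
    classify_from_text "$(ldd "$1" 2>/dev/null)" "$(strings "$1" 2>/dev/null)"
}

# Print every existing file among the arguments that carries a static OpenSSL copy,
# e.g. scan_static_openssl /usr/sbin/* /usr/bin/*
scan_static_openssl() {
    for bin in "$@"; do
        if [ -f "$bin" ] && [ "$(classify_binary "$bin")" = static ]; then
            echo "$bin"
        fi
    done
    return 0
}

# Constructed sample: the ldd output the post shows for /usr/sbin/sendmail on SuSE 7.1.
SENDMAIL_LDD='        libdl.so.2 => /lib/libdl.so.2 (0x4001d000)
        libdb.so.2 => /lib/libdb.so.2 (0x40020000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40044000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40055000)
        libc.so.6 => /lib/libc.so.6 (0x40060000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40173000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4017a000)
        libpam.so.0 => /lib/libpam.so.0 (0x401a9000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Constructed sample of strings output; the version number is a placeholder for the demo,
# not the version the post's sendmail actually contained.
SENDMAIL_STRINGS='220 ESMTP
OpenSSL 0.9.6 (constructed sample banner)
tTflag'

# Stand-alone demo: the three outcomes on constructed input.
echo "sendmail, ldd only:          $(classify_from_text "$SENDMAIL_LDD" '')"
echo "sendmail, ldd + banner:      $(classify_from_text "$SENDMAIL_LDD" "$SENDMAIL_STRINGS")"
echo "binary with libssl dependency: $(classify_from_text '        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40055000)' '')"
```

Run `scan_static_openssl /usr/sbin/* /usr/bin/* /usr/lib/*` to get the candidate list for a host; each hit then needs its package checked with `rpm -qf` and `rpm -q --changelog` to see whether a rebuild after the OpenSSL fix was ever shipped. Note that `strings` alone, without the ldd test, would also flag binaries that merely print an OpenSSL version for display, so the shared-library check runs first.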