Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Linux/Slapper.worm
  • From: Peter Poeml <poeml@xxxxxxx>
  • Date: Wed, 18 Sep 2002 16:35:59 +0200
  • Message-id: <20020918143559.GA16750@xxxxxxx>
Hi!

On Wed, Sep 18, 2002 at 02:54:12PM +0200, Joachim Hummel wrote:
> >> I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after
> >> installing I still have a vulnerable mod_ssl version!

Aha? How do you know?

> Mod_SSL or OpenSSL? I don't understand this??
> OpenSSL is a standalone application!

It is also used, as library, by other applications.

> SSL with Apache works only with the file /usr/lib/apache/libssl.so

Right.

> SSL with Apache works only with the file /usr/lib/apache/libcrypto.so

There is no such file, you likely mean /usr/lib/libcrypto.so. It is one
of the openssl libraries used by other applications by dynamically
loading it.

> Apache doesn't work with /usr/sbin/openssl

/usr/sbin/openssl is in principle just another application using the
openssl lib.

> libssl.so is included in the mod_ssl.rpm package!

Yes, it is the apache module (also a library, that is dynamically loaded
at runtime as a shared object). However, this lib again loads
another library at runtime -- the openssl lib.

Run ldd /usr/lib/apache/libssl.so to verify!

It will report something like this:
libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40046000)
libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40076000)
libc.so.6 => /lib/libc.so.6 (0x4014d000)
libdl.so.2 => /lib/libdl.so.2 (0x4026d000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
showing that the openssl libs are linked dynamically.

As a consequence, when your openssl package is not vulnerable, your
mod_ssl isn't either.

> I can't find any SSL version 0.9.6e or 0.9.6g;
> this is recommended by securityfocus.com

Yes, there is no reason and no need to do risky updates from an (up to)
two-year-old openssl version to the newest one which could break half of
your system. Times change, compilers and other tools as well as their
usage changes... Look at the openssl changelog alone, and see how much
has changed there since then! Really, all you want is a fix for that
given security vulnerability, i.e. an appropriate source code patch.
Guess what, we add such patches to our packages :) yes, and that's why
we send out those fancy announcements...

Now how do you know that we REALLY fixed an issue (provided that you do
not trust us at all)?

I'll post a short "HowTo" to this list (in a separate mail so it is easier
to find in the archives).

> Copy of SecurityFocus.com!
> The vulnerability exploited by the Slapper (Apache/mod_ssl) worm was fixed
> beginning with OpenSSL version 0.9.6e. Administrators may want to upgrade
> to the latest version; as of this writing the latest version of OpenSSL is
> 0.9.6g.

One more word on announcements like this. Of course most software vendors
recommend updating to their latest version. Simply because most
vendors/teams/developers can't or don't want to go through the effort of
providing patches for older versions (because this can be a lot of work)
and doing the necessary testing (more work). Thus, often it is us who
make the missing patches and provide them to the community. Also, in
close collaboration with software vendors/teams, we often have the
opportunity to fix our packages _before_ a vulnerability becomes
publicly known, which can mean _before_ a given fixed version of that
software is released at all. For example, openssl 0.9.6g was not born
when we fixed our packages!

I hope we can clear the confusion.

Peter

--
Thought is limitation. Free your mind.
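The ldd check Peter describes above, turned into a small script. This is an added example, not part of the original mail or of any SuSE tooling: it parses ldd output for a shared object, keeps only the libssl/libcrypto entries, and (where rpm is available) names the package owning each resolved library, since that package, not the Apache module, is the one whose update status matters. The sample ldd output is constructed to mirror the listing in the mail; the module path is a hypothetical argument.

```shell
#!/bin/sh
# Added example (not from the original mail): which OpenSSL libraries does a
# shared object such as /usr/lib/apache/libssl.so actually load at runtime?

# openssl_deps: read ldd output on stdin, print "soname path" for every
# libssl/libcrypto line that resolves to a file ("=>" form).
openssl_deps() {
    awk '/^[ \t]*lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# owning_pkgs: for each "soname path" on stdin, append the RPM that owns the
# path when rpm is installed; that package's changelog is where a backported
# fix is documented, even if the version number never changed.
owning_pkgs() {
    while read -r soname path; do
        if command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$path" 2>/dev/null || echo 'no package')
            printf '%s -> %s (%s)\n' "$soname" "$path" "$pkg"
        else
            printf '%s -> %s\n' "$soname" "$path"
        fi
    done
}

# Constructed sample, mirroring the ldd listing quoted in the mail.
SAMPLE_LDD='	libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40046000)
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40076000)
	libc.so.6 => /lib/libc.so.6 (0x4014d000)
	libdl.so.2 => /lib/libdl.so.2 (0x4026d000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)'

# check_module: run ldd on a real module path if one exists, otherwise fall
# back to the constructed sample so the script also runs offline.
check_module() {
    if [ -n "$1" ] && [ -e "$1" ]; then
        ldd "$1"
    else
        printf '%s\n' "$SAMPLE_LDD"
    fi | openssl_deps | owning_pkgs
}

# Usage: check_module /usr/lib/apache/libssl.so   (hypothetical module path)
check_module "$1"
```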