On Wed, Sep 18, 2002 at 02:54:12PM +0200, Joachim Hummel wrote:
Copy from SecurityFocus.com: The OpenSSL server vulnerability exploit exists on a wide variety of platforms, but Slapper appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures.
It's easy, if you look at how things work:

 - apache uses mod_ssl
 - mod_ssl uses OpenSSL
 - OpenSSL has a buffer overflow

So yes, everyone is talking about the "Apache/mod_ssl" worm because that's how it propagates. But the vulnerability is at a layer below that; any other service using OpenSSL's SSL implementation could probably be used to propagate the worm as well (anybody out there running webmin?)

So: You upgrade OpenSSL, the buffer overflow is gone, everyone is happy.

Olaf
--
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann
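
Since the flaw sits in OpenSSL rather than in Apache, the inventory that matters is every running process with OpenSSL loaded. The script below is an added example, not part of the original message: it reads Linux `/proc/<pid>/maps` to list those processes and marks ones still running a library file that has since been replaced on disk. The function names and the `--scan` switch are hypothetical, and it assumes dynamically linked services (statically linked binaries do not show up).

```shell
#!/bin/sh
# Added example: find running processes that have OpenSSL's shared
# libraries mapped, by reading Linux /proc/<pid>/maps.

# ssl_libs_in_maps FILE
# Print each distinct libssl/libcrypto path found in a maps-format file.
# A trailing " (deleted)" means the file on disk was replaced (for example
# by an upgrade) while the process keeps running the old copy.
ssl_libs_in_maps() {
    awk '{
        # Fields 6..NF form the pathname, which may end in " (deleted)".
        path = ""
        for (i = 6; i <= NF; i++) path = path (i > 6 ? " " : "") $i
        if (path ~ "/lib(ssl|crypto)[^/]*[.]so" && !seen[path]++) print path
    }' "$1" 2>/dev/null
}

# scan_procs [PROCROOT]
# Walk every numeric directory under PROCROOT (default /proc) and print
# "pid<TAB>command<TAB>library" for each process using OpenSSL.
scan_procs() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        pid=${dir##*/}
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        ssl_libs_in_maps "$dir/maps" | while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Hypothetical switch: only scan the live system when asked to.
if [ "${1:-}" = "--scan" ]; then
    scan_procs /proc
fi
```

Run it with `--scan` as root so other users' processes are readable. Any line ending in `(deleted)` after the OpenSSL upgrade is a service that still has the old library in memory and needs a restart.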