Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Linux/Slapper.worm
  • From: "Joachim Hummel" <joachim.hummel@xxxxxxxxxxxxx>
  • Date: Wed, 18 Sep 2002 14:54:12 +0200 (MEST)
  • Message-id: <1578.62.158.35.85.1032353652.squirrel@xxxxxxxxxxxxxxxxxxxxx>

Peter Wiersig wrote:
> Joachim Hummel wrote:
>
>> I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after
>> installing I also have a vulnerable version of mod_ssl!
>
> Who says this? The flaw is in the package openssl. What mod_ssl
> vulnerability are you talking about?

Copy from SecurityFocus.com:
The OpenSSL server vulnerability exploit exists on a wide variety of
platforms, but Slapper appears to work only on Linux systems running
Apache with the OpenSSL module (mod_ssl) on Intel architectures.


Mod_SSL or OpenSSL? I don't understand this??
OpenSSL is a standalone application!
SSL with Apache works only with file /usr/lib/apache/libssl.so
SSL with Apache works only with file /usr/lib/apache/libcrypto.so
Apache doesn't work with /usr/sbin/openssl
libssl.so is included in the mod_ssl.rpm package!
I can't find any SSL version 0.9.6.e or 0.9.6.g;
this is what securityfocus.com recommends.

I compiled a new OpenSSL; after a restart Apache works again with
the old vulnerable version of OpenSSL.

>
>> Doesn't this OpenSSL vulnerability interest SuSE Support?
>
> They care and they have already packaged updates.
NO..!!
This is an older version than the recommended version 0.9.6.e
>
>> I can't find any information about this vulnerability on the SuSE Support
>> site.
>
> http://www.suse.de/de/business/security.html

This says nothing!
>
>> I have SuSE 7.3 and 8.0 (native with Apache and SSL)... what must I do
>> now, SuSE (step by step)?????
>
> Yast2 -> Software -> Online Update
> Automatic Update -> Next
I did this.... Installed vulnerable version 0.9.6.c
This helps very well!!!

Copy from SecurityFocus.com!
The vulnerability exploited by the Slapper (Apache/mod_ssl) worm was fixed
beginning with OpenSSL version 0.9.6e. Administrators may want to upgrade
to the latest version as of this writing the latest version of OpenSSL is
0.9.6g.


--
Kind regards
Joachim Hummel



