Mailinglist Archive: opensuse-security (375 mails)

RE: [suse-security] Re: OpenSSL Vulnerability

For those who want to know more about the SSL/OpenSSL vulnerability:

Have a look at www.e-secure-db.us

This is a very complete free online ICT Security Vulnerability database.
It contains over 60,000 items, categorised over 2500 folders in a tree
structure, on anything to do with ICT security: vulnerabilities on product
level, incl. history, security product vulnerabilities, product comparisons,
and thousands of other subjects.

Specific info on the SSL worm:

Suse folder:

http://www.e-secure-db.us/dscgi/ds.py/View/Collection-229

Although we also make reference to it in the Apache and modssl folders,
all info on the SSL worm is combined in:

SSL/OpenSSL folder:
http://www.e-secure-db.us/dscgi/ds.py/View/Collection-348

In there you find a very complete audit trail on the Slapper/SSL worm.
Batch updated up to Sept 16 3 AM New Zealand Time (GMT +12)

Comments (very) welcome.

Best regards,
Arjen de Landgraaf
New Zealand
www.e-secure-it.co.nz




-----Original Message-----
From: Thomas Lamy [mailto:Thomas.Lamy@xxxxxxxxxx]
Sent: Monday, 16 September 2002 6:13 p.m.
To: 'Joachim Hummel'; suse-security@xxxxxxxx
Cc: 'security@xxxxxxx'
Subject: [suse-security] Re: OpenSSL Vulnerability




> -----Original Message-----
> From: Joachim Hummel [mailto:joachim.hummel@xxxxxxxxxxxxx]
> Sent: Sunday, 15 September 2002 20:18
>
> -----Original Message-----
> From: Konstantin (Kastus) Shchuka [mailto:kastus@xxxxxxxxx]
> Sent: Saturday, 14 September 2002 05:04
> To: suse-security@xxxxxxxx
> >
> >
> > OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow
> > Vulnerability http://online.securityfocus.com/bid/5363/solution
> >
> > Linux.Slapper.Worm
> >
> > http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
> >
> > Users are strongly encouraged to upgrade existing versions of OpenSSL to
> > version 0.9.6e or 0.9.7beta3.
>
> No need if you are using SuSE packages:
>
> on 7.3 (openssl-0.9.6b-150):
> * Fri Jul 26 2002 - okir@xxxxxxx
>
> - Added security patch for remotely exploitable buffer overflows
>
I think it would be wise to include reusable information in the changelog,
such as CVE-IDs, CERT Advisory numbers, and of course SuSE SA number(s).
This way one need not investigate further "which buffer overflow was
announced in the last 30 days before the patch was made".

Just my 0,02 Eur

Thomas

PS: CC'ed security@xxxxxxx as indirectly requested by Roman :-)

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
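Thomas's point, as an added example that is not part of the original thread: a short Python script that parses the text printed by `rpm -q --changelog <package>` and flags entries that read like security fixes but cite no CVE/CAN, CERT or SuSE-SA identifier. The changelog below is constructed for this example: its middle entry is the one Joachim quoted, the first entry is my own illustration of the form Thomas asks for (CAN-2002-0656 was the CVE candidate number assigned to the OpenSSL SSLv2 client master key overflow; CA-2002-23 the matching CERT advisory), and the header and identifier regexes are my assumptions about the formats in use at the time, not anything from the list or from SuSE.

```python
"""Audit RPM changelog entries for missing vulnerability identifiers.

Input is text in the form printed by `rpm -q --changelog <package>`
(a "* <date> <author>" header followed by "- ..." lines).  Entries whose
wording suggests a security fix are reported when they cite no CVE/CAN,
CERT or SuSE-SA identifier that a reader could look up.
"""
import re
from dataclasses import dataclass, field

# Entry header, e.g. "* Fri Jul 26 2002 - okir@xxxxxxx"
# (assumption: the dash is SuSE style, so it is treated as optional)
ENTRY_HEADER = re.compile(
    r"^\*\s+(?P<date>\w{3} \w{3}\s+\d{1,2} \d{4})\s+-?\s*(?P<author>\S.*)$"
)

# Keyword heuristic for "this entry is a security fix" (assumption, tune as needed)
SECURITY_WORDS = re.compile(r"security|overflow|exploit|vulnerab|advisory", re.I)

# Identifier formats in use in 2002 (CAN- was the prefix for CVE candidates)
ID_PATTERNS = {
    "CVE": re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b"),
    "CERT": re.compile(r"\bCA-\d{4}-\d{2}\b"),
    "SuSE-SA": re.compile(r"\bSuSE-SA:\d{4}:\d{3}\b"),
}

# Constructed sample, newest first as rpm prints it: entry 1 shows the form
# Thomas asks for, entry 2 is the one quoted in the thread (no identifier),
# entry 3 is an unrelated rebuild that must not be flagged.
SAMPLE_CHANGELOG = """\
* Tue Jul 30 2002 - maintainer@example.net
- Fixed SSLv2 client master key buffer overflow, CAN-2002-0656 (CERT CA-2002-23)
* Fri Jul 26 2002 - okir@xxxxxxx
- Added security patch for remotely exploitable buffer overflows
* Mon Jun 10 2002 - build@example.net
- Rebuilt against new zlib
"""


@dataclass
class Entry:
    date: str
    author: str
    lines: list = field(default_factory=list)

    @property
    def text(self) -> str:
        return "\n".join(self.lines)

    def identifiers(self) -> set:
        """Names of the identifier kinds cited anywhere in the entry."""
        return {name for name, pat in ID_PATTERNS.items() if pat.search(self.text)}

    def looks_like_security_fix(self) -> bool:
        return SECURITY_WORDS.search(self.text) is not None


def parse_changelog(text: str) -> list:
    """Split rpm changelog text into Entry objects in the order they appear."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_HEADER.match(raw)
        if m:
            entries.append(Entry(m["date"], m["author"].strip()))
        elif entries and raw.strip():
            entries[-1].lines.append(raw.strip())
    return entries


def entries_missing_ids(text: str) -> list:
    """Return (date, author, first line) for security-looking entries with no identifier."""
    return [
        (e.date, e.author, e.lines[0] if e.lines else "")
        for e in parse_changelog(text)
        if e.looks_like_security_fix() and not e.identifiers()
    ]


if __name__ == "__main__":
    for date, author, summary in entries_missing_ids(SAMPLE_CHANGELOG):
        print(f"{date} {author}: no CVE/CERT/SuSE-SA reference: {summary}")
```

On a real system the sample string would be replaced by the output of `rpm -q --changelog openssl`; the keyword list is deliberately loose, so treat a hit as "go and read the entry", not as proof that the patch is unreferenced.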
