Mailinglist Archive: opensuse-security (375 mails)

Re: OpenSSL Vulnerability
  • From: Thomas Lamy <Thomas.Lamy@xxxxxxxxxx>
  • Date: Mon, 16 Sep 2002 08:12:43 +0200
  • Message-id: <656F04F343FC25409463829A15B5FDDC08AF53@xxxxxxxxxxxxxxxxxxxxx>


> -----Original Message-----
> From: Joachim Hummel [mailto:joachim.hummel@xxxxxxxxxxxxx]
> Sent: Sunday, 15 September 2002 20:18
>
> -----Original Message-----
> From: Konstantin (Kastus) Shchuka [mailto:kastus@xxxxxxxxx]
> Sent: Saturday, 14 September 2002 05:04
> To: suse-security@xxxxxxxx
> >
> >
> > OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow
> > Vulnerability http://online.securityfocus.com/bid/5363/solution
> >
> > Linux.Slapper.Worm
> >
> > http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
> >
> > Users are strongly encouraged to upgrade existing versions of OpenSSL
> > to version 0.9.6e or 0.9.7beta3.
>
> No need if you are using SuSE packages:
>
> on 7.3 (openssl-0.9.6b-150):
> * Fri Jul 26 2002 - okir@xxxxxxx
>
> - Added security patch for remotely exploitable buffer overflows
>
I think it would be wise to include reusable information in the changelog,
such as CVE-IDs, CERT Advisory numbers, and of course SuSE SA number(s).
This way one need not investigate further "which buffer overflow was
announced in the last 30 days before the patch was made".

Just my 0,02 Eur

Thomas

PS: CC'ed security@xxxxxxx as indirectly requested by Roman :-)
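
The changelog practice suggested in the message above can be checked mechanically. The following is an added example, not part of the original post and not SuSE tooling: it reads changelog text in the entry format quoted above and reports entries that look like security fixes but name no advisory identifier. The keyword list, the identifier patterns (CVE/CAN, CERT CA, SuSE-SA), the sample changelog and its addresses are assumptions constructed for illustration.

```python
import re

# Entry header in the format quoted above: "* Fri Jul 26 2002 - author"
ENTRY_HEADER = re.compile(r"^\* (\w{3} \w{3} +\d{1,2} \d{4}) - (\S+)", re.M)
# Words suggesting a security fix (assumed keyword list)
SECURITY_HINT = re.compile(r"security|overflow|vulnerab|exploit", re.I)
# Identifier kinds the message asks for (assumed formats):
# CVE-/CAN-YYYY-NNNN, CERT CA-YYYY-NN, SuSE-SA:YYYY:NNN
ADVISORY_ID = re.compile(
    r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b|\bCA-\d{4}-\d{2}\b|\bSuSE-SA:\d{4}:\d{3}\b",
    re.I,
)

def parse_entries(changelog):
    """Split changelog text into (date, author, body) tuples."""
    headers = list(ENTRY_HEADER.finditer(changelog))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        entries.append((h.group(1), h.group(2), changelog[h.end():end].strip()))
    return entries

def untraceable_security_entries(changelog):
    """Entries that look like security fixes but reference no advisory ID."""
    return [(date, author, body)
            for date, author, body in parse_entries(changelog)
            if SECURITY_HINT.search(body) and not ADVISORY_ID.search(body)]

# Constructed sample; the identifiers are placeholders, not real advisories.
SAMPLE = """\
* Mon Aug 05 2002 - packager@example.org

- Security fix for buffer overflow (CVE-1999-0000, SuSE-SA:1999:000)

* Fri Jul 26 2002 - packager@example.org

- Added security patch for remotely exploitable buffer overflows

* Tue Jun 04 2002 - packager@example.org

- Updated documentation
"""

if __name__ == "__main__":
    for date, author, body in untraceable_security_entries(SAMPLE):
        print(f"{date} {author}: no advisory ID -> {body}")
```

On a system with RPM, the text to check can come from `rpm -q --changelog <package>`.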
