On 20-Sep-2002/13:35 +0100, James Wilson <[EMAIL PROTECTED]> wrote:
>Red-Hat's security announcement about the slapper worm
>http://www.redhat.com/support/alerts/linux_slapper_worm.html
>
>Directs users to the following page which is dated before the Worm (
>2002-08-05 !! ) http://rhn.redhat.com/errata/RHSA-2002-160.html

Red Hat says that the fix for the vulnerability exploited by the worm was
backported to the 0.9.6d RPMs. The worm takes advantage of a vulnerability
that already had an existing fix. The problem is that too many sysadmins
have not applied the fix.

You could probably release a Code Red equivalent today and find vulnerable
IIS systems.  Does that mean that the year-old fix did not actually fix
the problem? (Actually, yes, because the problem is the sysadmins). The
point is that the fact that the worm was written later does not mean that
the existing fix is not a fix. It just means that the worm writer knows
that many sysadmins do not apply patches like they should.

>These rpm versions of OpenSSL are pre 0.9.6e and still vulnerable to the
>worm
[snip]

Did you actually verify this before posting? I did.

>A Vulnerability checker is available here:
>
>http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php
>
>Looks like it's time to update OpenSSL from src :(

Not so fast. I downloaded, compiled, and ran the checker you referenced
above. The author says

  "However, if we overrun the buffer by only a few bytes, 
   the vulnerable version (without check) does NOT crash.
   This way, we can tell 0.9.6e from previous, vulnerable
   versions:"

When I ran the checker, I got this:

  127.0.0.1 443 PATCHED: detects small overflow, but crashes (0.9.6e)

In other words, my OpenSSL 0.9.6d-28 RPM patched system shows up as a
not-vulnerable 0.9.6e version.

A lot of people read this list. Please verify your facts before posting
things like this.

Tony
-- 
Anthony E. Greene <mailto:[EMAIL PROTECTED]>
OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26  C484 A42A 60DD 6C94 239D
AOL/Yahoo Chat: TonyG05      HomePage: <http://www.pobox.com/~agreene/>
Linux: the choice of a GNU Generation. <http://www.linux.org/>
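The thread's point is that a checker keyed on the upstream version string misreports a distribution that backported the fix. The script below is an added example, not code from the mail or from Red Hat: it assumes a constructed `rpm -q` package name and a constructed `rpm -q --changelog` excerpt, and uses the advisory id from the thread (RHSA-2002-160) as the marker that the backport is present.

```python
import re

# Constructed sample output, shaped like `rpm -q openssl` and
# `rpm -q --changelog openssl` (assumed format, not taken from the mail).
SAMPLE_PACKAGE = "openssl-0.9.6d-28"
SAMPLE_CHANGELOG = """\
* Mon Aug 05 2002 Example Maintainer <maintainer@example.com> 0.9.6d-28
- backport the SSLv2 fixes from 0.9.6e (see RHSA-2002-160)
"""

# First upstream release carrying the fix, as stated in the thread.
FIXED_UPSTREAM = "0.9.6e"


def parse_openssl_version(v):
    """'0.9.6d' -> (0, 9, 6, 'd'); a missing letter sorts before 'a'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % v)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def version_string_check(package):
    """Naive check: compare only the upstream version in the RPM name.
    This is what a generic scanner does and why 0.9.6d-28 looks vulnerable."""
    upstream = package.split("-")[1]  # 'openssl-0.9.6d-28' -> '0.9.6d'
    if parse_openssl_version(upstream) < parse_openssl_version(FIXED_UPSTREAM):
        return "vulnerable"
    return "patched"


def changelog_check(changelog, advisory="RHSA-2002-160"):
    """Distro-aware check: the vendor changelog names the advisory it fixes."""
    return advisory in changelog


def assess(package, changelog):
    """Combine both: an old version string is only a finding when the
    package changelog does not show the backported advisory."""
    if version_string_check(package) == "patched":
        return "patched"
    if changelog_check(changelog):
        return "patched (backported fix)"
    return "vulnerable"
```

On a real system the two inputs come from `rpm -q openssl` and `rpm -q --changelog openssl`; the point is that only the second one can tell a backported 0.9.6d-28 from an unpatched 0.9.6d.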


-- 
redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list