lists.openwall.net | Open Source and information security mailing list archives
From: niels=netsys at bakker.net (Niels Bakker)
Subject: CERT..(the linux ssl issue) CA-2002-027

* len@...sys.com (Len Rose) [Sat 14 Sep 2002, 23:30 CEST]:
> Of course the alert is great, but to reiterate my point,
> too limited in scope and may lead to a false sense of
> complacency for non-linux sites.

I concur. I sent the mail below to the moderator of Bugtraq after he
rejected the posting included at the end. (I've removed his words.)


	-- Niels.

----- Forwarded message -----

Date: Fri, 13 Sep 2002 21:17:06 +0200
From: Niels Bakker <niels=bugtraq@...ker.net>
To: Dave Ahmad <da@...urityfocus.com>
Subject: Re: bugtraq.c httpd apache ssl attack

Hi David,

Thanks for your quick reply.

[ david here states that he thinks my quoted statements were superfluous,
  as the remedies proposed by some bugtraq posters were only temporary
  measures. ]

I think it needs to be stated. Stopgap measures like those proposed by
those two subscribers give a false sense of security. "Whew!
/tmp/.bugtraq.c created and gcc disabled. I'm safe now!" The reverse is
true.

Given that most Outlook-borne viruses/worms continue to spread literally
years after Microsoft has made patches public that fix the holes these
exploit to spread, the message to patch your systems cannot be repeated
too often, in my opinion.

If I were a script kiddie, I'd quickly make a bugtraq2.c that used
mktemp() to select a filename and had appropriate workarounds for a
disabled gcc (i.e., carry a binary payload as well, or the ability to
download one from somewhere). It'd be reasonably successful, too, due
to wrong advice like that below being handed out on well-known forums
like Bugtraq.

No, the life of a security-conscious person isn't easy; on the contrary,
it's hard work staying on top of things. You're bound to miss things, but
you shouldn't make things worse by actively ignoring them.

>> Won't it be easiest to just upgrade to a non-vulnerable version of
>> OpenSSL and mod_ssl?
>>
>> Obviously way better than a stopgap measure that blocks one particular
>> implementation of an extremely wide range of attacks, I'd say.

Regards,

	-- Niels.

--
"Patient" is Latin for "sufferer".