Open Source and information security mailing list archives
 
Message-ID: <3.0.5.32.20040108223825.08299960@pop.fuse.net>
Date: Thu, 08 Jan 2004 22:38:25 -0500
From: David Kennedy CISSP <david.kennedy@....org>
To: "Lachniet, Mark" <mlachniet@...uoianet.com>,
	<cisspforum@...oogroups.com>, <bugtraq@...urityfocus.com>,
	<pen-test@...urityfocus.com>
Subject: Re: Openssl proof of concept code?


-----BEGIN PGP SIGNED MESSAGE-----

At 03:46 PM 1/8/04 -0500, Lachniet, Mark wrote:

>It's been a while now, and responsible vendors should have already
>issued patches.  

I'm not aware of any POC code, but inferring the community is safe
because the patches have been out for a while may not be correct. 
Yesterday, HP revised HPSBUX0310-284   SSRT3622 to include:

>**REVISED 02**
>IMPACT:   Potential Denial of Service, remote execution of
> --->     arbitrary code and disclosure of sensitive information.
>

Previously it was DOS-only.  

It may just be that HP discovered their 10/1 patch needed more work. 
Or it could be someone has done some more testing and we're going to
see some patch announcements in the next few days.  Given that HP is
not known for excellence in issuing advisories and patches on the
first day a problem is discovered, it seems more reasonable they're
fixing their patch.  But that's just another inference.  

OTOH their action probably stimulated others to re-look their patches
too.  "What does HP know that we don't?"

<address list trimmed|I won't feed trolls on FullofDis>


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: Hacker=Cybercriminal The definition changed get over it.

-----END PGP SIGNATURE-----

-- 
Regards,
                                          /"\
David Kennedy CISSP                       \ / ASCII Ribbon Campaign
Protect what you connect;                  X  Against HTML Mail
Look both ways before crossing the Net.   / \

