Message-ID: <20020914221251.GB94761@trance.org>
From: niels=netsys at bakker.net (Niels Bakker)
Subject: CERT..(the linux ssl issue) CA-2002-027

* len@...sys.com (Len Rose) [Sat 14 Sep 2002, 23:30 CEST]:
> Of course the alert is great, but to reiterate my point,
> too limited in scope and may lead to a false sense of
> complacency for non-linux sites.

I concur.  I sent the mail below to the moderator of Bugtraq after he
rejected the posting included at the end. (I've removed his words.)


	-- Niels.

----- Forwarded message -----

Date: Fri, 13 Sep 2002 21:17:06 +0200
From: Niels Bakker <niels=bugtraq@...ker.net>
To: Dave Ahmad <da@...urityfocus.com>
Subject: Re: bugtraq.c httpd apache ssl attack

Hi David,

Thanks for your quick reply.

[ david here states that he thinks my quoted statements were
  superfluous, as the remedies proposed by some bugtraq posters
  were only temporary measures. ]

I think it needs to be stated.  Stopgap measures like those proposed by
those two subscribers give a false sense of security.

"Whew!  /tmp/.bugtraq.c created and gcc disabled.  I'm safe now!"

The reverse is true.

Given that most Outlook-borne viruses/worms continue to spread literally
years after Microsoft has made patches public that fix the holes these
exploit to spread, the message to patch your systems cannot be repeated
too often, in my opinion.

If I were a script kiddie, I'd quickly make a bugtraq2.c that used
mktemp() to select a filename and had appropriate workarounds for a
disabled gcc (i.e., carry a binary payload as well, or the ability to
download one from somewhere).  It'd be reasonably successful, too, due
to wrong advice like that below being handed out on well-known forums
like Bugtraq.

No, the life of a security-conscious person isn't easy; on the contrary,
it's hard work staying on top of things.  You're bound to miss things,
but you shouldn't make things worse by actively ignoring them.


>> Won't it be easiest to just upgrade to a non-vulnerable version of
>> OpenSSL and mod_ssl?
>>
>> Obviously way better than a stopgap measure that blocks one particular
>> implementation of an extremely wide range of attacks, I'd say.


Regards,


	-- Niels.

-- 
"Patient" is Latin for "sufferer".
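The thread's point is that the marker file and the disabled compiler are not a fix, and that the only check worth making is whether the vulnerable library has actually been replaced. The script below is an added example, not code from the thread or from any of the posters: it parses the `openssl version` string (with OpenSSL's letter and beta suffixes ordered correctly), decides patched/vulnerable on the library version alone, and reports the two stopgaps only as warnings. It assumes the first fixed releases are 0.9.6e on the 0.9.6 branch and 0.9.7-beta3 on the 0.9.7 branch; those thresholds are an assumption to be verified against the advisory for your build, not something stated on this page.

```python
"""Audit helper: is the host actually patched against the OpenSSL hole behind
CA-2002-027, or merely carrying the stopgaps discussed in the thread?

Added example, not part of the original thread.  Assumptions: the fixed
releases are 0.9.6e (0.9.6 branch) and 0.9.7-beta3 (0.9.7 branch); verify
both against the advisory.  Stopgap indicators are the /tmp/.bugtraq.c
marker file and a disabled gcc, as proposed on Bugtraq.
"""
import os
import re
import shutil
import subprocess

# Assumed first non-vulnerable release per branch (check the advisory).
# Tuple layout: (major, minor, patch, is_release, letter, beta_number).
FIXED = {
    (0, 9, 6): (0, 9, 6, 1, "e", 0),   # 0.9.6e
    (0, 9, 7): (0, 9, 7, 0, "", 3),    # 0.9.7-beta3
}

_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(text):
    """Turn 'OpenSSL 0.9.6d 9 May 2002' into a sortable tuple.

    Betas sort below the release with the same number (is_release = 0),
    and letter releases sort after the bare release (letter > '').
    """
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, patch, letter, beta = m.groups()
    is_release = 0 if beta else 1
    return (int(major), int(minor), int(patch), is_release, letter, int(beta or 0))


def is_patched(version_text):
    """True if the installed library is at or past the fixed release of its branch."""
    v = parse_version(version_text)
    branch = v[:3]
    if branch not in FIXED:
        # Branches newer than the last fixed one postdate the fix; older
        # branches never received it.
        return branch > max(FIXED)
    return v >= FIXED[branch]


def audit(version_text, marker_present, gcc_available):
    """Return (verdict, reasons).  Only the library version decides the
    verdict; the stopgaps are reported but never count as protection."""
    reasons = []
    if marker_present:
        reasons.append("/tmp/.bugtraq.c exists: blocks one worm build only; "
                       "a variant choosing its filename with mktemp() ignores it")
    if not gcc_available:
        reasons.append("gcc disabled: a variant that carries or downloads a "
                       "prebuilt binary does not need a compiler")
    if is_patched(version_text):
        verdict = "PATCHED"
    elif reasons:
        verdict = "VULNERABLE (stopgaps only)"
    else:
        verdict = "VULNERABLE"
    return verdict, reasons


def audit_local_host():
    """Gather the three inputs from this machine and run the audit."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "UNKNOWN (no openssl binary found)", []
    return audit(out,
                 os.path.exists("/tmp/.bugtraq.c"),
                 shutil.which("gcc") is not None)


if __name__ == "__main__":
    verdict, reasons = audit_local_host()
    print(verdict)
    for reason in reasons:
        print(" -", reason)
```

Run it on the host in question; a verdict of "VULNERABLE (stopgaps only)" is exactly the "Whew, I'm safe now" situation the message warns about. The version comparison is per branch because a 0.9.7 beta compares numerically above 0.9.6e yet was still vulnerable until its own fixed beta.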
