lists.openwall.net
Open Source and information security mailing list archives
 
From: dufresne at winternet.com (Ron DuFresne)
Subject: The last word on the Linux Slapper worm

Although Red Hat's fixes only directly address the Slapper worm issue, and
are based on OpenSSL d or e, other issues have been found with
OpenSSL such that they are recommending that folks upgrade to the
current OpenSSL g.  <buffer overflow fixes once again, I believe>

Thanks,

Ron DuFresne


On Mon, 23 Sep 2002 John.Airey@...b.org.uk wrote:

> There has been a lack of information about the potential for damage around
> the Linux Slapper worm, and posts to the bugtraq list ranging from the
> sublime to the ridiculous. I am hoping that this post will clear up any
> doubts people may have about the vulnerabilities of their systems. It
> appears that the Linux vendors and openssl had been working together to
> produce an update to the vulnerability that was exploited by this worm.
> However, none of the openssl maintainers other than Mark Cox of Red Hat
> knows anything about this from what I can gather.
>
> Red Hat have a statement on their home page regarding the vulnerability of
> their systems.
>
> http://www.redhat.com/support/alerts/linux_slapper_worm.html
>
> Suse recently posted to the bugtraq list that their systems weren't
> affected. Of these two, only Red Hat have updated the recent CERT
> notification at http://www.cert.org/advisories/CA-2002-27.html. I haven't
> seen any other vendors post information to either this list or bugtraq, and
> apologise now if I've missed one.
>
> The bottom line is that the update for openssl that was released around the
> beginning of August protects systems against the Linux Slapper worm. I
> haven't checked other Linux vendors sites, but a search of this list's
> archives should hopefully show the exact dates of the update.
>
> On a personal note, I contacted Red Hat directly by telephone having not
> seen an update almost six weeks since the original vulnerability was
> released and was advised to log this as a bug. At this point it was my
> (mis)understanding that an update was still due to come out. I duly did this
> via their "bugzilla" site:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=74312
>
> I then informed the openssl support list of this bug report with the promise
> to let them know the result. At this point I found out what I've stated
> above. I never saw the link from Red Hat's home page because it was too far
> down the page and anyway I was looking for information on the errata pages
> (http://www.redhat.com/errata/). These pages do not contain enough
> information to reassure system administrators that their systems are
> protected against the vulnerability that this worm exploits. Neither does
> the "changelog" of the affected package (which I am assured will be better
> in future).
>
> I do not believe that I am the only Linux admin who has been waiting for an
> update from my vendor when in fact none was needed. Worse still, the media
> who have covered this have also got their facts wrong. For example, Computer
> Weekly stated falsely that you need to upgrade to openssl 0.9.6g
> http://www.cw360.com/bin/bladerunner?REQSESS=ri42U88C&REQAUTH=0&2149REQEVENT=&CARTI=115793&CARTT=1&CCAT=1&CCHAN=13&CFLAV=1
>
> In the end Linux Slapper is a non-event, as responsible admins would have
> had their systems up to date well before this worm was written, especially
> as the update doesn't require a reboot like in the "evil" Windows world. I
> believe that the whole disclosure of both the vulnerability and the
> existence of the worm has been badly handled by CERT, Bugtraq and all of the
> Linux Vendors. Were I writing a school report, I'd put "could do better"!
>
> It's probably worth me pointing out that I sent a version of the above to
> the bugtraq list which has yet to be approved, if at all.
>
> -
> John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD, Royal National Institute of the
> Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@...b.org.uk
>
> Reality TV - the ultimate oxymoron
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
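The thread's practical point is that the press told admins to look for "0.9.6g", while the vendor package that actually carried the fix (Red Hat's, based on 0.9.6d or e according to Ron) never carried that string. The only reliable check is to compare the installed package's version-release against the release the vendor's erratum names, ordered the way rpm orders versions. The script below is an added example, not code from this thread, from Red Hat or from OpenSSL; the package names, the FIXED_RELEASE value and the assumption that a vendor-patched package still reports an upstream version of 0.9.6b are constructed placeholders for illustration, not real errata data.

```shell
#!/bin/sh
# Added example, not from the thread or any vendor: order version-release
# strings the way rpm does and decide whether an installed package is at
# or beyond the release a vendor erratum names as fixed.
#
# All package names and FIXED_RELEASE below are constructed placeholders.

# Order two version strings like rpm's rpmvercmp: split each into
# alternating numeric and alphabetic segments, ignoring separators;
# numeric segments compare as integers, alphabetic ones as strings, and
# a numeric segment outranks an alphabetic one. Prints -1, 0 or 1.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        # skip any run of separators (".", "-", "_", ...) before a segment
        a=$(printf '%s' "$a" | sed 's/^[^0-9A-Za-z]*//')
        b=$(printf '%s' "$b" | sed 's/^[^0-9A-Za-z]*//')
        [ -n "$a" ] && [ -n "$b" ] || break
        case $a in
            [0-9]*)
                sa=$(printf '%s' "$a" | sed 's/^\([0-9]*\).*/\1/')
                sb=$(printf '%s' "$b" | sed 's/^\([0-9]*\).*/\1/')
                # a numeric segment is newer than an alphabetic one
                [ -n "$sb" ] || { printf '%s\n' 1; return; }
                # drop leading zeros; the longer number is then the larger
                na=$(printf '%s' "$sa" | sed 's/^0*//')
                nb=$(printf '%s' "$sb" | sed 's/^0*//')
                if [ ${#na} -ne ${#nb} ]; then
                    [ ${#na} -gt ${#nb} ] && printf '%s\n' 1 || printf '%s\n' -1
                    return
                fi
                ;;
            *)
                sa=$(printf '%s' "$a" | sed 's/^\([A-Za-z]*\).*/\1/')
                sb=$(printf '%s' "$b" | sed 's/^\([A-Za-z]*\).*/\1/')
                # an alphabetic segment is older than a numeric one
                [ -n "$sb" ] || { printf '%s\n' -1; return; }
                na=$sa
                nb=$sb
                ;;
        esac
        if [ "$na" != "$nb" ]; then
            # equal-length numbers or two alphabetic runs: string order decides
            [ "$na" \> "$nb" ] && printf '%s\n' 1 || printf '%s\n' -1
            return
        fi
        a=${a#"$sa"}
        b=${b#"$sb"}
    done
    # whichever side still has segments left is the newer version
    if [ -z "$a" ] && [ -z "$b" ]; then
        printf '%s\n' 0
    elif [ -z "$a" ]; then
        printf '%s\n' -1
    else
        printf '%s\n' 1
    fi
}

# Succeeds when the installed version-release is at or beyond the fixed one.
is_fixed() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# Placeholder for the version-release your vendor's erratum names as fixed.
FIXED_RELEASE="0.9.6b-99"

# Constructed sample of "rpm -q openssl" style output from four hosts.
for pkg in openssl-0.9.6b-99 openssl-0.9.6b-100 openssl-0.9.6b-9 openssl-0.9.6g-1; do
    vr=${pkg#openssl-}
    if is_fixed "$vr" "$FIXED_RELEASE"; then
        printf '%-20s at or above %s: patched\n' "$pkg" "$FIXED_RELEASE"
    else
        printf '%-20s below %s: NOT patched\n' "$pkg" "$FIXED_RELEASE"
    fi
done

# The upstream string alone misleads: assuming the vendor's patched
# package still reports 0.9.6b, it sorts below 0.9.6g even though the
# erratum release above is satisfied.
if is_fixed 0.9.6b 0.9.6g; then
    printf 'openssl version says 0.9.6b: looks current\n'
else
    printf 'openssl version says 0.9.6b: looks unpatched, so compare the package release instead\n'
fi
```

On a real host, feed `is_fixed` the output of `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl` and the version-release quoted in the vendor erratum; the comparison deliberately ignores what `openssl version` prints, which is the figure the press coverage quoted in the thread got wrong.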

