On Tue, Sep 17, 2002 at 01:50:07PM +0100, Alex McLintock wrote:
> I remember seeking moral support from the London.pm mailing list when
> upgrading OpenSSL to the latest safe version.... Thanks People.

Anything above 0.9.6e should be safe, though it's possible that there are things that we missed.

> but it looks like some people weren't so lucky.

The problem is that people who don't upgrade give everyone else a headache. I'm firmly supportive of the idea that someone who lets their box get r00ted is not competent to have root access themselves.

Of course, I'm not necessarily advocating blithely reading bugtraq and upgrading on every single patch. It's worth reviewing what you're running, and reviewing what changes the patch makes (and whether you believe they will help). In the case of OpenSSL 0.9.6e, there are some assertions called at the point where it is possible that bits of your stack have been overwritten (with additional checks to try and stop this happening). My original view on this was that this patch was almost worse than the cure, but after a large flamewar with my boss (who wrote the patches), I'm more inclined to agree with him (at first glance it looked like his typical laziness).

> SLAPPER GIVES LINUX COMMUNITY A DOSE OF SOMETHING CONTAGIOUS
> http://www.silicon.com/a55550
> (Their capitals)
> It essentially is a worm which exploits an OpenSSL weakness on Apache
> servers. But of course no one here is running the older version of OpenSSL
> are they :-)

Of course, just because there's one exploit for apache doesn't mean that people won't be trying similar sorts of exploits for other vulnerable services. In general, I think you can work around the server problems by only allowing SSLv3 (and TLSv1, which is a modified SSLv3), but you shouldn't take my word on this. There was also an attack against a client buffer in an SSLv3 "session".

So, my advice: read bugtraq, read the arguments, preferably read the code, make your own judgement on what to do...

-- 
Lusercop.net - LARTing Lusers everywhere since 2002
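As an added example (not part of the message above or of OpenSSL itself), here is a small script for the "review what you're running" step: it parses the first line of `openssl version` output as gathered from a set of hosts and flags any build older than the 0.9.6e release the post names. The `host: output` inventory layout, the host names, and the choice to treat 0.9.6e itself as the minimum acceptable build are assumptions for illustration; the one detail worth getting right is OpenSSL's 0.9.x version scheme, where a trailing patch letter sorts after the bare number (0.9.6 < 0.9.6a < 0.9.6e < 0.9.6g < 0.9.7).

```python
"""Flag OpenSSL builds older than a minimum release (default 0.9.6e).

Added example, not code from the original mailing-list message. It parses
`openssl version` output such as "OpenSSL 0.9.6e 30 Jul 2002" and compares
it against a minimum, honouring OpenSSL's patch-letter ordering.
"""
import re
from typing import List, NamedTuple, Tuple

# MAJOR.MINOR.FIX plus an optional lower-case patch letter.  A build with no
# letter (0.9.6) is older than the same number with any letter (0.9.6a).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    letter: str  # "" when absent; "" sorts before "a", as required

    @classmethod
    def parse(cls, text: str) -> "OpenSSLVersion":
        m = _VERSION_RE.search(text)
        if not m:
            raise ValueError(f"no OpenSSL version string in: {text!r}")
        return cls(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.fix}{self.letter}"


# Assumption: 0.9.6e (the release carrying the fixes the post discusses)
# is acceptable; anything older is not.
MINIMUM_SAFE = OpenSSLVersion.parse("OpenSSL 0.9.6e")


def needs_upgrade(version_output: str, minimum: OpenSSLVersion = MINIMUM_SAFE) -> bool:
    """True when the reported build sorts below `minimum` (tuple comparison)."""
    return OpenSSLVersion.parse(version_output) < minimum


# Constructed sample of `openssl version` output collected from several hosts.
# Host names and the "host: output" layout are illustrative assumptions.
SAMPLE_INVENTORY = """\
www1: OpenSSL 0.9.6e 30 Jul 2002
www2: OpenSSL 0.9.6b [engine] 9 Jul 2001
mail: OpenSSL 0.9.6 24 Sep 2000
dev:  OpenSSL 0.9.6g 9 Aug 2002
"""


def hosts_needing_upgrade(inventory: str,
                          minimum: OpenSSLVersion = MINIMUM_SAFE) -> List[Tuple[str, str]]:
    """Return (host, version) for every inventory line whose build is below `minimum`."""
    stale = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, output = line.partition(":")
        if needs_upgrade(output, minimum):
            stale.append((host.strip(), str(OpenSSLVersion.parse(output))))
    return stale


if __name__ == "__main__":
    for host, ver in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: OpenSSL {ver} is older than {MINIMUM_SAFE}, upgrade it")
```

Run against the constructed inventory it reports www2 (0.9.6b) and mail (0.9.6) and leaves www1 and dev alone; feed it real `openssl version` output and raise `MINIMUM_SAFE` as later fix releases appear. Note that this only tells you which library is installed on disk, not which one a long-running Apache has mapped into memory, so a restart of the affected services is still part of the upgrade.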