Re: Red Hat Linux update for Linux Slapper worm

2002-09-20 Thread Mark J Cox

> The previous openssl errata at
> http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the
> buffer overflows fixed on July 30th. This package was built on August
> 1st, so it is unlikely to include the 0.9.6d patches due to the time lag
> of testing patches by Red Hat.

On the www.redhat.com home page you will find a link about the slapper
worm, http://www.redhat.com/support/alerts/linux_slapper_worm.html

Versions of OpenSSL that are not vulnerable to this worm have been
available from Red Hat since 29th July 2002. Customers who have kept their
systems up to date are not impacted by this worm.

http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th
of July and fixed the vulnerability that the Linux Slapper worm takes
advantage of.  We released a new version of OpenSSL a little later that
fixed one of the other vulnerabilities,
http://rhn.redhat.com/errata/RHSA-2002-160.html

If you upgraded to either of the OpenSSL errata and followed the
instructions about restarting your services you are protected against the
Linux slapper worm.

Thanks, Mark
-- 
Mark J Cox / Security Response Team / Red Hat
Tel: +44 798 061 3110 // Fax: +44 870 1319174
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Red Hat Linux update for Linux Slapper worm

2002-09-20 Thread John . Airey

So why do your telephone support people not know about this? They advised me
to log it on bugzilla in the first place. Why isn't this page linked to from
your errata site? That's where people look for updates. Why no information
to CERT or Bugtraq?

You're beginning to make Microsoft look professional, which is a scary
thought.

John

> -----Original Message-----
> From: Mark J Cox [mailto:[EMAIL PROTECTED]]
> Sent: 20 September 2002 12:25
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Red Hat Linux update for Linux Slapper worm
> 
> 
> > The previous openssl errata at
> > http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the
> > buffer overflows fixed on July 30th. This package was built on August
> > 1st, so it is unlikely to include the 0.9.6d patches due to the time lag
> > of testing patches by Red Hat.
> 
> On the www.redhat.com home page you will find a link about the slapper
> worm, http://www.redhat.com/support/alerts/linux_slapper_worm.html
> 
> Versions of OpenSSL that are not vulnerable to this worm have been
> available from Red Hat since 29th July 2002. Customers who have kept their
> systems up to date are not impacted by this worm.
> 
> http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th
> of July and fixed the vulnerability that the Linux Slapper worm takes
> advantage of.  We released a new version of OpenSSL a little later that
> fixed one of the other vulnerabilities,
> http://rhn.redhat.com/errata/RHSA-2002-160.html
> 
> If you upgraded to either of the OpenSSL errata and followed the
> instructions about restarting your services you are protected against the
> Linux slapper worm.
> 
> Thanks, Mark
> -- 
> Mark J Cox / Security Response Team / Red Hat
> Tel: +44 798 061 3110 // Fax: +44 870 1319174
> 




Re: Red Hat Linux update for Linux Slapper worm

2002-09-20 Thread Lutz Jaenicke

On Fri, Sep 20, 2002 at 11:07:18AM +0100, [EMAIL PROTECTED] wrote:
> The previous openssl errata at
> http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the buffer
> overflows fixed on July 30th. This package was built on August 1st, so it is
> unlikely to include the 0.9.6d patches due to the time lag of testing
> patches by Red Hat.

I cannot give you a definite statement about what I don't know, but I can
participate in speculating :-)
Red Hat, as well as other system builders, has been informed well in advance
about the vulnerabilities, including patches to fix them, so that tests
could be performed and updates prepared. It was our intention that
updated binary packages could be made available more or less in parallel
with our announcement and source code release.

That does not mean that the fix is actually in. I simply don't know.

Best regards,
Lutz
PS. OpenSSL team member Mark Cox is actually working for Red Hat...
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus