Re: OpenSSL version 0.9.7e ?!

To: debian-user@lists.debian.org
Subject: Re: OpenSSL version 0.9.7e ?!
From: Stephan Seitz <nur-ab-sal@gmx.de>
Date: Thu, 16 Nov 2006 21:50:25 +0100
Message-id: <[🔎] 20061116T2147.GA.5c6e0.stse@fsing.rootsland.net>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20061116202500.GB7042@sungate.co.uk>
References: <[🔎] 9f76a5860611150836q33811e26y198e795b704f2ede@mail.gmail.com> <[🔎] 455CC546.405@princeton.edu> <[🔎] 20061116202500.GB7042@sungate.co.uk>

On Thu, Nov 16, 2006 at 08:25:00PM +0000, Dave Ewart wrote:

to which the machine is put.  Kernel bugs are normally only exploitable
by local users; SSL bugs are most likely to be exploitable remotely.  If

Only partly true, I think. If you have a server application like apache,which has a bug giving you a shell, you can then use the local exploit tobecome root. So you should think a little ahead, that’s safer. ;-)

IIRC the hacking of a Debian server happened in a similiar way. Someonegot a compromised SSH key, logged in as this user and used a localexploit.


Shade and sweet water!

	Stephan

--
| Stephan Seitz                    E-Mail: Nur-Ab-Sal@gmx.de |
| PGP Public Keys: http://fsing.rootsland.net/~stse/pgp.html |

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: OpenSSL version 0.9.7e ?!
  - From: Dave Ewart <davee@sungate.co.uk>

References:
- OpenSSL version 0.9.7e ?!
  - From: "Nicolas Pillot" <nicolas.pillot@gmail.com>
- Re: OpenSSL version 0.9.7e ?!
  - From: "Kevin B. McCarty" <kmccarty@Princeton.EDU>
- Re: OpenSSL version 0.9.7e ?!
  - From: Dave Ewart <davee@sungate.co.uk>

Prev by Date: Re: OpenSSL version 0.9.7e ?!
Next by Date: Re: mini-itx server
Previous by thread: Re: OpenSSL version 0.9.7e ?!
Next by thread: Re: OpenSSL version 0.9.7e ?!
Index(es):
- Date
- Thread