On Sat, Sep 14, 2002 at 07:46:03PM +0200, Guille -bisho- wrote:
> I have seen two Debian machines exploited with the -d version of
> openssl, denoted by the the files:
> /tmp/.bugtraq.c /tmp/.uubugtraq
That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody
we have 0.9.6c-2.woody.0, whose most recent changelog entry is:
openssl (0.9.6c-2.woody.0) stable-security; urgency=low
* SECURITY: patch for various overflows (upstream security patch
0.9.6d->0.9.6e)
-- Michael Stone <mstone@debian.org> Mon, 29 Jul 2002 21:34:41 -0400
So if you were running the 0.9.6d on your Debian box, it's probably
because you are running testing (since 'd' was never part of woody),
which we all know is a bad idea if you want to keep it secure.
noah
--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Attachment:
pgpONztMEAtgG.pgp
Description: PGP signature