
Re: Fwd: bugtraq.c httpd apache ssl attack



On Sat, Sep 14, 2002 at 07:46:03PM +0200, Guille -bisho- wrote:
> I have seen two Debian machines exploited with the -d version of
> openssl, denoted by the files:
> /tmp/.bugtraq.c  /tmp/.uubugtraq

That's not surprising.  OpenSSL 0.9.6d is vulnerable.  However, in woody
we have 0.9.6c-2.woody.0, whose most recent changelog entry is:

openssl (0.9.6c-2.woody.0) stable-security; urgency=low

  * SECURITY: patch for various overflows (upstream security patch
    0.9.6d->0.9.6e)

 -- Michael Stone <mstone@debian.org>  Mon, 29 Jul 2002 21:34:41 -0400

So if you were running the 0.9.6d on your Debian box, it's probably
because you are running testing (since 'd' was never part of woody),
which we all know is a bad idea if you want to keep it secure.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
