[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: bugtraq.c httpd apache ssl attack

>> I have seen two Debian machines exploited with the -d version of
>> openssl, denoted by the the files:
>> /tmp/.bugtraq.c  /tmp/.uubugtraq
>
>That's not surprising.  OpenSSL 0.9.6d is vulnerable.  However, in woody
>we have 0.9.6c-2.woody.0, whose most recent changelog entry is:
>
>openssl (0.9.6c-2.woody.0) stable-security; urgency=low
>
>  * SECURITY: patch for various overflows (upstream security patch
>    0.9.6d->0.9.6e)
>
> -- Michael Stone <mstone@debian.org>  Mon, 29 Jul 2002 21:34:41 -0400
>
>So if you were running the 0.9.6d on your Debian box, it's probably
>because you are running testing (since 'd' was never part of woody),
>which we all know is a bad idea if you want to keep it secure.

Yes, I know. I was only informing about that seems that is only partially
vulnerable, as the worm was not able to compile the bugtraq.c...

I don't know if in the c-2 the worm works partially or fully. Anybody knows?
It seems that the worm does not fully works on debian.

-- 
        .,,,   Guillermo Pérez    -=] 14/09/2002 [=-
      _' .,,,,  - bisho@ ( onirica.com | eurielec.etsit.upm.es )
     (v)/ ,''
      ( \/    ::  "I don't like the idea that I'm not in control of   ::
bisho! ``\\  ::                       my life."                       ::
   .........::                     -- Neo, "The Matrix"               ::
Reply to: