Re: Fwd: bugtraq.c httpd apache ssl attack
>> I have seen two Debian machines exploited with the -d version of
>> openssl, denoted by the files:
>> /tmp/.bugtraq.c /tmp/.uubugtraq
>That's not surprising. OpenSSL 0.9.6d is vulnerable. However, in woody
>we have 0.9.6c-2.woody.0, whose most recent changelog entry is:
>openssl (0.9.6c-2.woody.0) stable-security; urgency=low
> * SECURITY: patch for various overflows (upstream security patch
> -- Michael Stone <firstname.lastname@example.org> Mon, 29 Jul 2002 21:34:41 -0400
>So if you were running the 0.9.6d on your Debian box, it's probably
>because you are running testing (since 'd' was never part of woody),
>which we all know is a bad idea if you want to keep it secure.
Yes, I know. I was only reporting that it seems to be only partially
vulnerable, as the worm was not able to compile the bugtraq.c...
I don't know if in the c-2 the worm works partially or fully. Does anybody know?
It seems that the worm does not fully work on Debian.
.,,, Guillermo Pérez -=] 14/09/2002 [=-
_' .,,,, - bisho@ ( onirica.com | eurielec.etsit.upm.es )
( \/ :: "I don't like the idea that I'm not in control of ::
bisho! ``\\ :: my life." ::
.........:: -- Neo, "The Matrix" ::