
Re: OpenSSL and Potato a request for clarification

On Sun, Sep 15, 2002 at 12:42:04PM +0100, John Winters wrote:
> Can anyone clarify this please?  Have the relevant fixes from openssl
> 0.9.6e been back-ported into openssl-0.9.6c-0.potato.2?

The problem is that potato has more than one version of openssl.  The
security team had to package OpenSSL 0.9.6 for potato during the OpenSSH
security mess early this summer because OpenSSH 3.4 required it.  But
everything else in potato was linked against openssl 0.9.4.

0.9.4 has not been updated and may very well be vulnerable to this
problem.  It is not vulnerable to the worm that's going around right
now, though, since the worm hardcodes some variables for specific Linux
distributions, and these hard-coded values are not likely to work
against Debian.  However, an attacker could probably use this
vulnerability to break into a secure web server.

At this point, it is not safe to run a secure web server using the
Debian packages for potato.


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
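The post turns on which of the two potato OpenSSL libraries a given daemon is actually linked against. The script below is an added example, not part of the mailing-list thread or of Debian's own tooling: it reads `ldd` output for a binary and reports the libssl shared-object version it loads, then asks `dpkg -S` which package owns that library so the admin can compare the package version against what the post describes. The SONAME pattern `libssl.so.<version>` and the sample `ldd` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): find out which libssl a binary links
# against, so a potato admin can see whether it still uses the 0.9.4
# library the post says was never updated.  Assumes the shared object is
# named libssl.so.<version>, as it was for the 0.9.x series.

# Read ldd output on stdin and print the libssl version suffix, or "none"
# if the binary does not link libssl at all.
libssl_version_from_ldd() {
    ver=$(sed -n 's/.*libssl\.so\.\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$ver" ]; then
        printf '%s\n' "$ver"
    else
        printf 'none\n'
    fi
}

# Resolve the library path from ldd output on stdin (first libssl line).
libssl_path_from_ldd() {
    sed -n 's/.*libssl\.so\.[0-9.]* => \([^ ]*\).*/\1/p' | head -n 1
}

# Report for one binary: libssl version, library path and owning package.
# Uses ldd and dpkg, which are present on any Debian system.
check_binary() {
    bin=$1
    if [ ! -x "$bin" ]; then
        printf '%s: not an executable\n' "$bin"
        return 1
    fi
    out=$(ldd "$bin" 2>/dev/null)
    ver=$(printf '%s\n' "$out" | libssl_version_from_ldd)
    if [ "$ver" = "none" ]; then
        printf '%s: does not link libssl\n' "$bin"
        return 0
    fi
    path=$(printf '%s\n' "$out" | libssl_path_from_ldd)
    pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1)
    printf '%s: libssl %s (%s) from package %s\n' \
        "$bin" "$ver" "$path" "${pkg:-unknown}"
    # The package version is what matters; show it for comparison.
    [ -n "$pkg" ] && dpkg -s "$pkg" 2>/dev/null | grep '^Version:'
    return 0
}

# Usage: check every binary named on the command line, e.g.
#   sh check-libssl.sh /usr/sbin/apache-ssl /usr/sbin/sshd
for b in "$@"; do
    check_binary "$b"
done
```

A binary that reports libssl `0.9.4` is linked against the library the post says was not updated; one that reports `0.9.6` should be checked against the version of the libssl0.9.6 package actually installed, since the post leaves open whether the 0.9.6e fixes were back-ported into it.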
