On Sun, Sep 15, 2002 at 12:42:04PM +0100, John Winters wrote:
> Can anyone clarify this please? Have the relevant fixes from openssl
> 0.9.6e been back-ported into openssl-0.9.6c-0.potato.2?

The problem is that potato has more than one version of openssl. The
security team had to package OpenSSL 0.9.6 for potato during the OpenSSH
security mess early this summer because OpenSSH 3.4 required it. But
everything else in potato was linked against openssl 0.9.4.

0.9.4 has not been updated and may very well be vulnerable to this
problem. It is not vulnerable to the worm that's going around right now,
though, since the worm hardcodes some variables for specific Linux
distributions, and these hard-coded values are not likely to work against
Debian. However, an attacker could probably use this vulnerability to
break into a secure web server.

At this point, it is not safe to run a secure web server using the Debian
packages for potato.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
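The mail above says the danger in potato is not the newly packaged OpenSSL 0.9.6 but everything still linked against the old 0.9.4 library. The practical check is therefore "which libssl does each of my network daemons actually load", which `ldd` answers. The script below is an added example and is not part of the original mail or of any Debian package: it pulls the libssl soname version out of `ldd` output, compares it against a minimum version, and classifies each program as linked against an old libssl, an acceptable one, or none at all. The sample `ldd` output embedded in it is constructed, and the sonames (`libssl.so.0.9.4`, `libssl.so.0.9.6`) and library paths in it are assumptions rather than a record of a real potato system.

```shell
#!/bin/sh
# Added example, not part of the original mail: find programs that are still
# linked against an older libssl than the one the security team shipped.
# The ldd output below is constructed sample data; the sonames and paths in
# it are assumptions, not a record of any real potato system.

# Print the libssl soname version (e.g. "0.9.4") found in one program's ldd
# output, or "none" if the program does not link libssl at all.
libssl_version_from_ldd() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*libssl\.so\.\([0-9][0-9.]*\) =>.*/\1/p' |
        head -n 1)
    if [ -n "$ver" ]; then printf '%s\n' "$ver"; else printf 'none\n'; fi
}

# Return 0 (true) when dotted version $1 is strictly lower than $2.
# Components are compared numerically, so 0.9.4 < 0.9.6 < 0.9.10.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify one ldd output against the minimum acceptable libssl version:
# prints "none", "old" or "ok".
classify_ldd() {
    ver=$(libssl_version_from_ldd "$1")
    if [ "$ver" = none ]; then
        printf 'none\n'
    elif version_lt "$ver" "$2"; then
        printf 'old\n'
    else
        printf 'ok\n'
    fi
}

# Run ldd on a real binary and classify it.
# Usage: check_binary /usr/sbin/apache-ssl 0.9.6   (path is an assumption)
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || out=""
    printf '%s: libssl %s (%s)\n' "$1" \
        "$(libssl_version_from_ldd "$out")" "$(classify_ldd "$out" "$2")"
}

# Constructed sample ldd output (paths, sonames and addresses are assumptions).
SAMPLE_OLD='    libssl.so.0.9.4 => /usr/lib/libssl.so.0.9.4 (0x40030000)
    libcrypto.so.0.9.4 => /usr/lib/libcrypto.so.0.9.4 (0x40060000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_NEW='    libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40030000)
    libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40070000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_NOSSL='    libc.so.6 => /lib/libc.so.6 (0x40020000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Demo over the constructed samples; on a real host loop over the daemons
# you care about with check_binary instead.
MIN_LIBSSL=0.9.6
for name in SAMPLE_OLD SAMPLE_NEW SAMPLE_NOSSL; do
    eval "out=\$$name"
    printf '%s: libssl %s (%s)\n' "$name" \
        "$(libssl_version_from_ldd "$out")" "$(classify_ldd "$out" "$MIN_LIBSSL")"
done
```

A program reported as "old" is one that still loads the 0.9.4-era library no matter which openssl source package was rebuilt; `dpkg -S` on the reported library path tells you which binary package owns it. Note that `ldd` only shows dynamic linking, so a daemon with OpenSSL statically compiled in is reported as "none" and has to be checked against its own package version.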