Re: OpenSSL and Potato a request for clarification
On Sun, 2002-09-15 at 22:14, Noah L. Meyerhans wrote:
> On Sun, Sep 15, 2002 at 12:42:04PM +0100, John Winters wrote:
> > Can anyone clarify this please? Have the relevant fixes from openssl
> > 0.9.6e been back-ported into openssl-0.9.6c-0.potato.2?
> The problem is that potato has more than one version of openssl. The
> security team had to package OpenSSL 0.9.6 for potato during the OpenSSH
> security mess early this summer because OpenSSH 3.4 required it. But
> everything else in potato was linked against openssl 0.9.4.
> 0.9.4 has not been updated and may very well be vulnerable to this
> problem. It is not vulnerable to the worm that's going around right
> now, though, since the worm hardcodes some variables for specific Linux
> distributions, and these hardcoded values are not likely to work
> against Debian. However, an attacker could probably use this
> vulnerability to break into a secure web server.
> At this point, it is not safe to run a secure web server using the
> Debian packages for potato.
Thanks for that clarification.
There now seem to be patched packages for Potato but that's brought
another potential risk to my attention. The openssl0.9.4 stuff is still
in non-US and not in main. (openssl0.9.6 is in main)
security.debian.org doesn't carry non-US and non-US.debian.org doesn't
carry security fixes. The result is that you can have an apparently
fully-patched system (apt-get update, apt-get upgrade report nothing
needed) and yet you won't have the current security fixes. I presume
this applies to Woody as well as to Potato.
Is there a magic incantation which can be added to sources.list to fix
this? Without that it means that anyone running anything from non-US
can't rely on the Debian updates system for security fixes.
The Linux Emporium - the source for Linux CDs in the UK
Evolution is now exciting.