
Re: recent OpenSSL vulnerabilities



On Tue, Mar 25, 2003 at 09:51:02AM +0100, Pavel Jurus wrote:
> Hello,
> I have seen two or three questions but no answer on this list. What
> is the status of vulnerabilities announced on http://www.openssl.org/
> from 17-Mar-2003 and 19-Mar-2003. Are the debian packages vulnerable?
> 
> I'm not sure whether i should wait for updated packages, file a bug
> against libssl0.9.6, and/or just patch/compile everything by hand and
> remove corresponding debian packages.

I don't know either. I was/am rather happy with Debian, but... I
used to run sshd for login purposes as well as apache-ssl (test)
until I received a nice e-mail:

--------------------------------------------
Dear System Administrator,

OCIPEP has received a report from a reliable source that your web server, IP
address 206.45.95.222, may have been compromised in late March.  OCIPEP
suspects the compromise may have been through an OpenSSL vulnerability.  You
are encouraged to check your web server for signs of compromise, if you are
not already aware of the incident.

The Office of Critical Infrastructure Protection and Emergency Preparedness
(OCIPEP) is a federal government organisation within the Department of
National Defence.  OCIPEP operates a computer incident response team with a
mandate to protect Canada's critical infrastructure.

OCIPEP would appreciate knowing if this information has been useful to you.
If you have any questions or concerns, please contact OCIPEP at our
Operations Centre (xxx-xxx-xxxx or No-spam-email-here).  Ask for the
Cyber Duty Officer.

Thank You,

Wallace Peers
Senior Incident Response Officer
Office of Critical Infrastructure Protection and Emergency Preparedness
http://www.ocipep-bpiepc.gc.ca
---------------------------------------------


I haven't found any malicious activity (except for my syslog-ng dying...).
I'll have to check all the packages with Debian's archive for any
changes...


- Adam
