On Tue, Mar 25, 2003 at 09:51:02AM +0100, Pavel Jurus wrote:

> Hello,
> I have seen two or three questions but no answer on this list. What is the status of vulnerabilities announced on http://www.openssl.org/ from 17-Mar-2003 and 19-Mar-2003? Are the Debian packages vulnerable?
>
> I'm not sure whether I should wait for updated packages, file a bug against libssl0.9.6, and/or just patch/compile everything by hand and remove the corresponding Debian packages.

I don't know either. I was/am rather happy with Debian, but... I used to run sshd for login purposes as well as apache-ssl (test) until I received a nice e-mail:

--------------------------------------------
Dear System Administrator,

OCIPEP has received a report from a reliable source that your web server, IP address 206.45.95.222, may have been compromised in late March. OCIPEP suspects the compromise may have been through an OpenSSL vulnerability. You are encouraged to check your web server for signs of compromise, if you are not already aware of the incident.

The Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) is a federal government organisation within the Department of National Defence. OCIPEP operates a computer incident response team with a mandate to protect Canada's critical infrastructure.

OCIPEP would appreciate knowing if this information has been useful to you. If you have any questions or concerns, please contact OCIPEP at our Operations Centre (xxx-xxx-xxxx or No-spam-email-here). Ask for the Cyber Duty Officer.

Thank You,

Wallace Peers
Senior Incident Response Officer
Office of Critical Infrastructure Protection and Emergency Preparedness
http://www.ocipep-bpiepc.gc.ca
---------------------------------------------

I haven't found any malicious activity (except for my syslog-ng dying...). I'll have to check all the packages against Debian's archive for any changes...

- Adam