Red Hat Linux update for Linux Slapper worm

on 20.09.2002 12:07:18 by John.Airey

You can disregard the following email if you don't use Red Hat Linux 7.0 and
above.

Having waited for an update to openssl from RedHat, I decided to call them.
They've not had anyone ask them for an update, which came as a bit of a
shock. I have therefore registered a request to release an update to openssl
via their bugzilla site. For information, the vulnerability that Linux
Slapper takes advantage of was fixed in openssl on 30th July. See
http://www.cert.org/advisories/CA-2002-23.html for details.

The previous openssl errata at
http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the buffer
overflows fixed on July 30th. This package was built on August 1st, so it is
unlikely to include the 0.9.6d patches due to the time lag of testing
patches by Red Hat.

You can add your comments to the bug report at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=74312. If I haven't
heard from them soon, I will probably release an update myself.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Reality TV - the ultimate oxymoron


-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Red Hat Linux update for Linux Slapper worm

on 20.09.2002 12:21:10 by Lutz Jaenicke

On Fri, Sep 20, 2002 at 11:07:18AM +0100, John.Airey@rnib.org.uk wrote:
> The previous openssl errata at
> http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the buffer
> overflows fixed on July 30th. This package was built on August 1st, so it is
> unlikely to include the 0.9.6d patches due to the time lag of testing
> patches by Red Hat.

I cannot give you a definite statement about what I don't know, but I can
participate in speculating :-)
Redhat as well as other system builders have been informed well in advance
about the vulnerabilities including patches to fix them, such that tests
could be performed and updates be prepared. It was our intention that
updated binary packages could be made available more or less in parallel
to our announcement and source code release.

That does not mean that the fix is actually in. I simply don't know.

Best regards,
Lutz
PS. OpenSSL team member Mark Cox is actually working for Redhat...
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

RE: Red Hat Linux update for Linux Slapper worm

on 20.09.2002 12:37:23 by John.Airey

So why do your telephone support people not know about this? They advised me
to log it on bugzilla in the first place. Why isn't this page linked to from
your errata site? That's where people look for updates. Why no information
to CERT or Bugtraq?

You're beginning to make Microsoft look professional, which is a scary
thought.

John

> -----Original Message-----
> From: Mark J Cox [mailto:mjc@redhat.com]
> Sent: 20 September 2002 12:25
> To: John.Airey@rnib.org.uk
> Cc: modssl-users@modssl.org; openssl-users@openssl.org
> Subject: Re: Red Hat Linux update for Linux Slapper worm
>
> > The previous openssl errata at
> > http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the
> > buffer overflows fixed on July 30th. This package was built on August
> > 1st, so it is unlikely to include the 0.9.6d patches due to the time lag
> > of testing patches by Red Hat.
>
> On the www.redhat.com home page you will find a link about the slapper
> worm, http://www.redhat.com/support/alerts/linux_slapper_worm.html
>
> Versions of OpenSSL that are not vulnerable to this worm have been
> available from Red Hat since 29th July 2002. Customers who have kept their
> systems up to date are not impacted by this worm.
>
> http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th
> of July and fixed the vulnerability that the Linux Slapper worm takes
> advantage of. We released a new version of OpenSSL a little later that
> fixed one of the other vulnerabilities,
> http://rhn.redhat.com/errata/RHSA-2002-160.html
>
> If you upgraded to either of the OpenSSL errata and followed the
> instructions about restarting your services you are protected against the
> Linux slapper worm.
>
> Thanks, Mark
> --
> Mark J Cox / Security Response Team / Red Hat
> Tel: +44 798 061 3110 // Fax: +44 870 1319174
>


Re: Red Hat Linux update for Linux Slapper worm

on 20.09.2002 13:25:18 by Mark J Cox

> The previous openssl errata at
> http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the
> buffer overflows fixed on July 30th. This package was built on August
> 1st, so it is unlikely to include the 0.9.6d patches due to the time lag
> of testing patches by Red Hat.

On the www.redhat.com home page you will find a link about the slapper
worm, http://www.redhat.com/support/alerts/linux_slapper_worm.html

Versions of OpenSSL that are not vulnerable to this worm have been
available from Red Hat since 29th July 2002. Customers who have kept their
systems up to date are not impacted by this worm.

http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th
of July and fixed the vulnerability that the Linux Slapper worm takes
advantage of. We released a new version of OpenSSL a little later that
fixed one of the other vulnerabilities,
http://rhn.redhat.com/errata/RHSA-2002-160.html

If you upgraded to either of the OpenSSL errata and followed the
instructions about restarting your services you are protected against the
Linux slapper worm.

Thanks, Mark
--
Mark J Cox / Security Response Team / Red Hat
Tel: +44 798 061 3110 // Fax: +44 870 1319174
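Mark's advice has two halves: install the erratum package, then restart the services that loaded the old library, since a running httpd keeps the vulnerable libssl mapped until it is restarted. The script below is an added example (not from this thread, not Red Hat's code) that checks both halves offline. It assumes the `openssl-<version>-<release>` form that `rpm -q openssl` prints, uses an rpm-style segment comparison written in awk, and reads `(deleted)` markers in `/proc/<pid>/maps` to spot a process still running a replaced library. `ERRATA_VR` and the sample package and maps lines are constructed placeholders; take the real version-release from the RHSA-2002-155 / RHSA-2002-160 errata text for your release.

```shell
#!/bin/sh
# Added example, not from the thread or from Red Hat. ERRATA_VR is a
# constructed placeholder: replace it with the version-release from the
# erratum (RHSA-2002-155 / RHSA-2002-160) for your Red Hat release.
ERRATA_VR="0.9.6b-99"

# rpm-style comparison of two version-release strings: split into digit and
# letter runs, compare numerically when both segments are numeric, treat a
# numeric segment as newer than a letter segment, and treat the string with
# more segments as newer. Prints -1, 0 or 1 for $1 <, ==, > $2.
rpm_vercmp() {
  awk -v A="$1" -v B="$2" '
  function tokenize(s, arr,    i, c, k, kind, cur, n) {
    n = 0; cur = ""; kind = ""
    for (i = 1; i <= length(s); i++) {
      c = substr(s, i, 1)
      if (c ~ /[0-9]/) k = "d"; else if (c ~ /[A-Za-z]/) k = "a"; else k = ""
      if (k != kind) { if (cur != "") arr[++n] = cur; cur = ""; kind = k }
      if (k != "") cur = cur c
    }
    if (cur != "") arr[++n] = cur
    return n
  }
  BEGIN {
    na = tokenize(A, a); nb = tokenize(B, b)
    for (i = 1; i <= na && i <= nb; i++) {
      da = (a[i] ~ /^[0-9]+$/); db = (b[i] ~ /^[0-9]+$/)
      if (da && db) {
        if (a[i] + 0 != b[i] + 0) { r = (a[i] + 0 < b[i] + 0) ? -1 : 1; print r; exit }
      } else if (da != db) {
        r = da ? 1 : -1; print r; exit
      } else if (a[i] != b[i]) {
        r = (a[i] < b[i]) ? -1 : 1; print r; exit
      }
    }
    r = (na == nb) ? 0 : (na < nb ? -1 : 1); print r
  }'
}

# $1 is the package name as printed by `rpm -q openssl`, e.g. openssl-0.9.6b-28.
# Succeeds when the installed version-release is at or above ERRATA_VR.
openssl_is_fixed() {
  vr=${1#openssl-}
  [ "$(rpm_vercmp "$vr" "$ERRATA_VR")" -ge 0 ]
}

# Even with the fixed package installed, a process started before the upgrade
# keeps the old libssl/libcrypto mapped; the kernel tags such mappings
# "(deleted)" in /proc/<pid>/maps. $1 is the maps text (on a live host, feed
# it the contents of /proc/<pid>/maps for each httpd process).
needs_restart() {
  printf '%s\n' "$1" | grep -Eq '/lib(ssl|crypto)[^ ]* \(deleted\)$'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_PKG="openssl-0.9.6b-28"
SAMPLE_MAPS_STALE="40000000-40015000 r-xp 00000000 03:01 12345 /lib/ld-2.2.5.so
40100000-40140000 r-xp 00000000 03:01 23456 /usr/lib/libssl.so.2 (deleted)
40140000-40200000 r-xp 00000000 03:01 23457 /usr/lib/libcrypto.so.2 (deleted)"
SAMPLE_MAPS_FRESH="40100000-40140000 r-xp 00000000 03:01 34567 /usr/lib/libssl.so.2"

# Print a verdict for one package string and one process's maps text.
report() {
  if openssl_is_fixed "$1"; then echo "$1: at or above erratum $ERRATA_VR"
  else echo "$1: OLDER than erratum $ERRATA_VR, apply the update"; fi
  if needs_restart "$2"; then echo "httpd: still maps a replaced libssl/libcrypto, restart it"
  else echo "httpd: running the on-disk libraries"; fi
}

report "$SAMPLE_PKG" "$SAMPLE_MAPS_STALE"
```

On a real host you would replace the constructed `SAMPLE_PKG` with `$(rpm -q openssl)` and run `needs_restart` over `/proc/<pid>/maps` for every httpd worker, not just the parent, since each worker mapped the library independently at fork time. The `(deleted)` check is the part most upgrade checklists miss: a package query says the fix is installed, while the process serving port 443 is still the old code.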