On Tue, Oct 15, 2002 at 10:02:20AM -0400, Charles Daminato wrote:
>
> Note that all our services, even if "older/outdated", are not vulnerable and
> appropriate measures have been taken to ensure they are secure. rr-n1-tor
> is NOT running SSLv2, which is where the OpenSSL buffer overflow is
> exploitable - so there's no concern there.

It appears to be running Apache 1.3.20, which is mentioned all over the place:

  http://httpd.apache.org/info/security_bulletin_20020617.txt
  http://www.cert.org/advisories/CA-2002-17.html

and a specific vulnerability is also mentioned at
http://www.kb.cert.org/vuls/id/944335

How has rr-n1-tor been secured if not by upgrading Apache?

It also seems to be running OpenSSL 0.9.6b, which has vulnerabilities in more
than just SSLv2, according to security advisories. Check out

  http://www.openssl.org/news/secadv_20020730.txt
  http://www.cert.org/advisories/CA-2002-23.html

with multiple vulnerabilities linked to from there. Again, how has rr-n1-tor
been secured if not by upgrading OpenSSL?

Or are you guys being insanely clever and compiling new versions of software
with old version numbers in an attempt to entrap would-be attackers?

--
Paul Chvostek <[EMAIL PROTECTED]>          Operations / Abuse / Whatever
it.canada - hosting and development         +1 416 598-0000  http://www.it.ca/
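The exchange above boils down to a banner-versus-advisory check: the reply reads the advertised Apache and OpenSSL versions off the server and compares them with the versions the linked advisories cover. Below is an added example of that triage step, written for this page and not code from either correspondent. It parses a Server banner, compares each component's version against a minimum-fixed-version table, and reports components that appear to predate the fix. The sample banner is constructed (it is not a capture from rr-n1-tor), and the threshold versions in FIXED_VERSIONS are assumptions I have filled in from memory of the linked advisories; confirm them against the advisory text before relying on the output. The caveat raised at the end of the message is built in: a banner check cannot tell a genuinely old build from one rebuilt with backported fixes under the old version string, so a hit is a question to put to the operator, not proof of exposure, and disabling SSLv2 does not change the OpenSSL result because the advisory covers more than SSLv2.

```python
import re

# Constructed sample banner for demonstration; not captured from any real host.
SAMPLE_BANNER = "Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b"

# Minimum versions believed to contain the fixes from the advisories linked in
# the thread (CA-2002-17 for Apache, CA-2002-23 for OpenSSL). These are assumed
# values; verify them against the advisories themselves before use.
FIXED_VERSIONS = {
    "Apache": "1.3.26",
    "OpenSSL": "0.9.6e",
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def parse_version(text):
    """Split '0.9.6b' into ((0, 9, 6), 'b'); '1.3.20' into ((1, 3, 20), '')."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


def version_lt(a, b):
    """True if version a sorts before version b (numeric parts, then letter suffix)."""
    na, sa = parse_version(a)
    nb, sb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))  # pad so 1.3 compares as 1.3.0
    nb += (0,) * (width - len(nb))
    # OpenSSL-style letter suffixes: '' < 'a' < 'b' < ... which plain string
    # comparison already gives us.
    return (na, sa) < (nb, sb)


def parse_banner(banner):
    """Extract 'Component/version' tokens from a Server header into a dict."""
    return dict(re.findall(r"([A-Za-z_]+)/(\d+(?:\.\d+)*[a-z]?)", banner))


def assess(banner, fixed=FIXED_VERSIONS):
    """Return (component, advertised, fixed_in) for each component whose
    advertised version predates the fixed version in the table. Components not
    in the table are ignored."""
    findings = []
    for component, advertised in parse_banner(banner).items():
        threshold = fixed.get(component)
        if threshold and version_lt(advertised, threshold):
            findings.append((component, advertised, threshold))
    return findings


if __name__ == "__main__":
    hits = assess(SAMPLE_BANNER)
    if not hits:
        print("banner shows no component older than the fixed versions")
    for component, advertised, threshold in hits:
        # A hit means "ask how this was patched", since a rebuild with
        # backported fixes can still advertise the old version string.
        print("%s advertises %s, fix expected in %s or later: confirm patch status"
              % (component, advertised, threshold))
```

Run it as-is to see the two findings for the constructed banner; in practice feed it the Server header from your own hosts and treat each hit as a prompt to check the change records or vendor patch list rather than as a confirmed vulnerability.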
