[EMAIL PROTECTED] wrote:

I am tasked with identifying which systems in our network required this
patch.  I have a tool that can search files for particular data.  Is there
a value in a file on vulnerable systems that can positively identify which
systems need the patch?

If you're referring to CVE-2007-5502 (http://www.openssl.org/news/secadv_20071129.txt) then the answer is "not really". The OpenSSL FIPS Object Module is just that, an object module embedded in application binary runtime code. For any given instantiation (embedding in an application) of that object module there will be distinctive patterns (such as the internal HMAC-SHA-1 digest used for the integrity test), but there is no single such value common to all instantiations of the OpenSSL FIPS Object Module.

And even more to the point, there is currently no patch to apply, nor will there be until the CMVP approves the revised version that was submitted last Thursday. That will take perhaps another week, then the software vendors will need to rework their applications accordingly. Only then will you have patches to apply.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to