According to the Red Hat Security & Worm Alerts page on Slapper, found at:

http://www.redhat.com/support/alerts/linux_slapper_worm.html

Linux.Slapper.Worm--What Red Hat customers can do about it

We have become aware of a worm, labelled the Linux.Slapper.Worm, that 
exploits a vulnerability in older versions of the OpenSSL library.

Versions of the worm found so far attempt to exploit Apache servers on 
Linux running a version of OpenSSL that contains the OpenSSL SSLv2 
Malformed Client Key Remote Buffer Overflow bug (given CVE name 
CAN-2002-0656). The worm then spreads to find other vulnerable hosts, 
building up a peer to peer network of hosts which can then be further 
exploited or used in large scale distributed denial of service attacks.

Versions of OpenSSL that are not vulnerable to this issue have been 
available from Red Hat since 29th July 2002. Customers who have kept their 
systems up to date are not impacted by this worm.

If you have not updated your system, we recommend you update the 
vulnerable packages immediately, and reboot to ensure that all affected 
services are restarted.

Now...openssl-0.9.6b-8 has been available since at least that time, 
because I up2dated it some time after my move, which occurred on July 
26th, 2002.

Now...if 0.9.6b-28 was the only version currently available from RH that 
was patched against Slapper, they'd have made it available, via up2date, 
for all the currently supported versions (6.2, and all 7.x versions), 
yes?

Well, it ain't.  That, and the above noted security note from Red Hat's 
web site still tells me that 0.9.6b-8 is patched.  I suppose I'll let 
someone from the Red Hat team tell us, once again (as if they haven't 
answered this question enough), whether it is or not.

On Tue, 1 Oct 2002, Anthony E. Greene wrote:

> On 30-Sep-2002/23:57 -0500, Mike Burger <[EMAIL PROTECTED]> wrote:
> >My understanding is that openssl-0.9.6b-8 is sufficiently patched.
> 
> No, the "-28" RPMs are patched. Earlier versions are vulnerable.
> 
> Tony
> - -- 
> Anthony E. Greene <mailto:[EMAIL PROTECTED]>
> OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26  C484 A42A 60DD 6C94 239D
> AOL/Yahoo Messenger: TonyG05    HomePage: <http://www.pobox.com/~agreene/>
> Linux. The choice of a GNU generation <http://www.linux.org/>
> 

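The disagreement above is about whether an installed openssl build is at or past the "-28" release. As an added example (not from the thread, the list, or Red Hat), here is a small check that compares `rpm -q openssl` output against that release using rpm's own version-segment rules rather than string comparison; the fixed build string is the one Anthony's reply names, the sample host output is constructed, and the rpmvercmp port is simplified (no tilde/caret handling).

```python
import re

# Simplified port of rpm's rpmvercmp(): a version is split into numeric and
# alphabetic segments; numerics compare by value (so "28" > "8"), alphas
# lexically, and a numeric segment outranks an alphabetic one.
# Assumption: tilde/caret pre-release markers are not handled here.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer one is newer

def parse_nvr(nvr: str):
    """Split 'openssl-0.9.6b-28' into (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:  # rpm can also emit an epoch, e.g. '1:0.9.6b'
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release

def is_at_least(installed: str, fixed: str) -> bool:
    """True if installed is the fixed build or newer: compare epoch, then
    version, then release, each with rpm's segment rules."""
    n1, e1, v1, r1 = parse_nvr(installed)
    n2, e2, v2, r2 = parse_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    if e1 != e2:
        return e1 > e2
    c = rpmvercmp(v1, v2)
    return c > 0 if c else rpmvercmp(r1, r2) >= 0

FIXED = "openssl-0.9.6b-28"  # the build Anthony's reply names as patched

def audit(rpm_q_lines):
    # Map each 'rpm -q openssl' output line to whether it meets FIXED.
    return {ln.strip(): is_at_least(ln.strip(), FIXED) for ln in rpm_q_lines}

if __name__ == "__main__":
    # Constructed sample 'rpm -q openssl' output from two hosts, not real data.
    for pkg, ok in audit(["openssl-0.9.6b-8", "openssl-0.9.6b-28"]).items():
        print(f"{pkg}: {'at or past fix' if ok else 'needs update'}")
```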
-- 
redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list