On Tuesday October 1 2002 09:10 am, Mike Burger wrote:
> According to the Red Hat Security & Worm Alerts page on Slapper, found at:
> <snip>
> Versions of OpenSSL that are not vulnerable to this issue have been
> available from Red Hat since 29th July 2002. Customers who have kept their
> systems up to date are not impacted by this worm.
>
> Now...openssl-0.9.6b-8 has been available since at least that time,
> because I up2dated it some time after my move, which occurred on July
> 26th, 2002.
>
> Now...if 0.9.6b-28 was the only version currently available from RH that
> was patched against Slapper, they'd have made it available, via up2date,
> for all the currently supported versions (6.2, and all 7.x versions),
> yes?
>
> Well, it ain't. That, and the above noted security note from Red Hat's
> web site still tells me that 0.9.6b-8 is patched.

Uh..sorry, but I think you committed a logic flaw here. The website says that
"versions that are not vulnerable... have been available since.. " _not_
"all versions since ... are not vulnerable". So, since 29th July, there are
version(s) that is/are vulnerable and there is a version that is not vulnerable.

Furthermore, in the errata (http://rhn.redhat.com/errata/RHSA-2002-160.html)
it is explicitly said which versions are not vulnerable. And openssl-0.9.6b-8
is not listed, so I assume that version is vulnerable to the worm.

Reuben D. Budiardja

> I suppose I'll let
> someone from the Red Hat team tell us, once again (as if they haven't
> answered this question enough), whether it is or not.
>
> On Tue, 1 Oct 2002, Anthony E. Greene wrote:
> > On 30-Sep-2002/23:57 -0500, Mike Burger <[EMAIL PROTECTED]> wrote:
> > >My understanding is that openssl-0.9.6b-8 is sufficiently patched.
> >
> > No the "-28" RPMs are patched. Earlier versions are vulnerable.
> >
> > Tony
> > --
> > Anthony E. Greene <mailto:[EMAIL PROTECTED]>
> > OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
> > AOL/Yahoo Messenger: TonyG05
> > HomePage: <http://www.pobox.com/~agreene/>
> > Linux. The choice of a GNU generation <http://www.linux.org/>
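
Added example, not part of the original thread: the two builds argued over above differ only in the RPM release field ("-8" and "-28"), which rpm orders numerically while a plain string comparison orders them the other way round. The sketch below is a simplified version of rpm's segment comparison (no epoch, "~" or "^" handling); the helper names are hypothetical, and the "fixed" build is the one named in the thread, so for a real check substitute the build that RHSA-2002-160 lists for your release.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")  # rpm splits on anything non-alphanumeric

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does (simplified)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr):
    """Split 'name-version-release'; the name itself may contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def compare_nvr(a, b):
    """Return -1, 0 or 1 for package a older than, same as, or newer than b."""
    (na, va, ra), (nb, vb, rb) = split_nvr(a), split_nvr(b)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def naive_compare(a, b):
    """Plain string ordering, shown only to expose the trap."""
    return (a > b) - (a < b)

def predates(installed, fixed):
    """True when the installed build is older than the build listed as fixed."""
    return compare_nvr(installed, fixed) < 0

if __name__ == "__main__":
    installed = "openssl-0.9.6b-8"   # build discussed in the thread
    fixed = "openssl-0.9.6b-28"      # build the thread names as patched
    print("rpm ordering  :", compare_nvr(installed, fixed))
    print("string compare:", naive_compare(installed, fixed))
    print("predates fixed build:", predates(installed, fixed))
```

The ordering only says which build is older within one release stream; whether a given build carries the fix is decided by the errata's package list, as the reply above points out.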