The last word on the Linux Slapper worm

[ben () algroup co uk (Ben Laurie)]

Schmehl, Paul L wrote:
> Interesting.  I patched openssl the day the patch was announced (using
> up2date.)  When the Slapper worm came out, I knew my system wasn't
> vulnerable, because I had already applied the patch on June 29th when it
> was released.  I'm not sure why there would have been confusion about
> whether or not your system might be vulnerable, since both the the
> vulnerability and the patch were publicly announced, but I suspect it
> had to do with the fact that (at least in the case of Red Hat) the
> *version* of openssl you're running is patched rather than updating to
> the latest version.
>
> On RH 7.2 (my system), for example, openssl is version 0.9.6b, but it's
> patched against this vulnerability.  All the advisories suggest updating
> to at least version 0.9.6e if not g, but they do not address the fact
> that your vendor may have patched previous versions.  I sent a post to
> bugtraq pointing that out, but it was never published.  Guess I'll just
> use this list from now on.

As I've pointed out elsewhere, patching old versions without changing 
the version number is so stupid it leaves me boggling. But I guess in 
future I'll write into advisories: "warning - your vendor may be such a 
moron that you can't tell whether you are vulnerable or not by the 
version number, so I advise building from source or switching to a 
vendor with a clue".

Yeah, I know they bump some other number that if you know what you are 
doing will indicate whether you are vulnerable. Obviously its impossible 
for that information to get into the advisory.

In short, I don't see what you expect us to do about this, except to try 
to get vendors to behave sensibly.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff