Full Disclosure mailing list archives
The last word on the Linux Slapper worm
From: ben () algroup co uk (Ben Laurie)
Date: Thu, 26 Sep 2002 08:52:34 +0100
Schmehl, Paul L wrote:
Interesting. I patched openssl the day the patch was announced (using up2date.) When the Slapper worm came out, I knew my system wasn't vulnerable, because I had already applied the patch on June 29th when it was released. I'm not sure why there would have been confusion about whether or not your system might be vulnerable, since both the the vulnerability and the patch were publicly announced, but I suspect it had to do with the fact that (at least in the case of Red Hat) the *version* of openssl you're running is patched rather than updating to the latest version. On RH 7.2 (my system), for example, openssl is version 0.9.6b, but it's patched against this vulnerability. All the advisories suggest updating to at least version 0.9.6e if not g, but they do not address the fact that your vendor may have patched previous versions. I sent a post to bugtraq pointing that out, but it was never published. Guess I'll just use this list from now on.
As I've pointed out elsewhere, patching old versions without changing the version number is so stupid it leaves me boggling. But I guess in future I'll write into advisories: "warning - your vendor may be such a moron that you can't tell whether you are vulnerable or not by the version number, so I advise building from source or switching to a vendor with a clue". Yeah, I know they bump some other number that if you know what you are doing will indicate whether you are vulnerable. Obviously its impossible for that information to get into the advisory. In short, I don't see what you expect us to do about this, except to try to get vendors to behave sensibly. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Current thread:
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 23)
- <Possible follow-ups>
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 23)
- The last word on the Linux Slapper worm Ron DuFresne (Sep 23)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 25)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 25)
- The last word on the Linux Slapper worm Ben Laurie (Sep 26)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 25)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 26)
- The last word on the Linux Slapper worm Mikhail Iakovlev (Sep 26)
- The last word on the Linux Slapper worm vdongen (Sep 26)
- The last word on the Linux Slapper worm Ben Laurie (Sep 26)
- The last word on the Linux Slapper worm Schmehl, Paul L (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
- The last word on the Linux Slapper worm John.Airey () rnib org uk (Sep 26)
- The last word on the Linux Slapper worm Mike Tone (Sep 26)