The last word on the Linux Slapper worm

[dufresne () winternet com (Ron DuFresne)]

although redhat's fixes only directly address the slapper worm issue, and
are based on openssl d or e, and there have been found other issues with
open ssl such that they are recommending that folks upgrade to the
current of openssl g.  <buffer overflow fixes once again I believe>

Thanks,

Ron DuFresne


On Mon, 23 Sep 2002 John.Airey () rnib org uk wrote:

> There has been a lack of information about the potential for damage around
> the Linux Slapper worm, and posts to the bugtraq list ranging from the
> sublime to the ridiculous. I am hoping that this post will clear up any
> doubts people may have about the vulnerabilities of their systems. It
> appears that the Linux vendors and openssl had been working together to
> produce an update to the vulnerability that was exploited by this worm.
> However, none of the openssl maintainers other than Mark Cox of Red Hat
> knows anything about this from what I can gather.
>
> Red Hat have a statement on their home page regarding the vulnerability of
> their systems.
>
> http://www.redhat.com/support/alerts/linux_slapper_worm.html
>
> Suse recently posted to the bugtraq list that their systems weren't
> affected. Of these two, only Red Hat have updated the recent CERT
> notification at http://www.cert.org/advisories/CA-2002-27.html. I haven't
> seen any other vendors post information to either this list or bugtraq, and
> apologise now if I've missed one.
>
> The bottom line is that the update for openssl that was released around the
> beginning of August protects systems against the Linux Slapper worm. I
> haven't checked other Linux vendors sites, but a search of this list's
> archives should hopefully show the exact dates of the update.
>
> On a personal note, I contacted Red Hat directly by telephone having not
> seen an update almost six weeks since the original vulnerability was
> released and was advised to log this as a bug. At this point it was my
> (mis)understanding that an update was still due to come out. I duly did this
> via their "bugzilla" site:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=74312
>
> I then informed the openssl support list of this bug report with the promise
> to let them know the result. At this point I found out what I've stated
> above. I never saw the link from Red Hat's home page because it was too far
> down the page and anyway I was looking for information on the errata pages
> (http://www.redhat.com/errata/). These pages do not contain enough
> information to reassure system administrators that their systems are
> protected against the vulnerability that this worm exploits. Neither does
> the "changelog" of the affected package (which I am assured will be better
> in future).
>
> I do not believe that I am the only Linux admin who has been waiting for an
> update from my vendor when in fact none was needed. Worse still, the media
> who have covered this have also got their facts wrong. For example, Computer
> Weekly stated falsely that you need to upgrade to openssl 0.9.6g
> http://www.cw360.com/bin/bladerunner?REQSESS=ri42U88C&REQAUTH=0&2149REQEVENT
> =&CARTI=115793&CARTT=1&CCAT=1&CCHAN=13&CFLAV=1
>
> In the end Linux Slapper is a non-event, as responsible admins would have
> had their systems up to date well before this worm was written, especially
> as the update doesn't require a reboot like in the "evil" Windows world. I
> believe that the whole disclosure of both the vulnerability and the
> existence of the worm has been badly handled by CERT, Bugtraq and all of the
> Linux Vendors. Were I writing a school report, I'd put "could do better"!
>
> It's probably worth me pointing out that I sent a version of the above to
> the bugtraq list which has yet to be approved, if at all.
>
> -
> John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD, Royal National Institute of the
> Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk
>
> Reality TV - the ultimate oxymoron
>
> -
>
> NOTICE: The information contained in this email and any attachments is
> confidential and may be legally privileged. If you are not the
> intended recipient you are hereby notified that you must not use,
> disclose, distribute, copy, print or rely on this email's content. If
> you are not the intended recipient, please notify the sender
> immediately and then delete the email and any attachments from your
> system.
>
> RNIB has made strenuous efforts to ensure that emails and any
> attachments generated by its staff are free from viruses. However, it
> cannot accept any responsibility for any viruses which are
> transmitted. We therefore recommend you scan all attachments.
>
> Please note that the statements and views expressed in this email
> and any attachments are those of the author and do not necessarily
> represent those of RNIB.
>
> RNIB Registered Charity Number: 226227
>
> Website: http://www.rnib.org.uk
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.