
RE: [cobalt-security] Bug-Travel



On Mon, 27 Jan 2003, Gavin Nelmes-Crocker wrote:

> > This doesn't work for all our RaQ4s, Greg <frown>.
> >
> > For example, we've got a system that won't take openssl-0.9.7; it tells
> > us it conflicts with openssl-perl-0.9.6.  I can't find any RPMS for
> > openssl-perl-0.9.7; in fact the last rpm I find for openssl-perl for
> > RHL6.2, is for 0.9.5.
> >
> > I'm most emphatically NOT a perl guru <frown>.  openssl-perl is NOT part
> > of a standard RaQ install, and I've asked the customer if he really
> > needs it.  I'm awaiting his reply.  In case he does, do you or does
> > anyone else have an openssl-perl-0.9.7 rpm for RHL6.2, i386?
> 
> Jeff - I had similar problems, so I asked Greg directly what he did, possibly
> with the view of doing a quick pkg for others. I have done the mod, but I'm
> not convinced that I am protected, and I am suspicious that we were partly
> hacked, in that we lost some stuff for no apparent reason: the
> /var/spool/mail directory disappeared, as did everything in
> /usr/admserv/html/SiteManage.
> 
> Anyway this is the reply from Greg as to what he did - I have also done this
> and not seen any problems yet. Good luck.
> 
> Gavin

Keep in mind that the OpenSSL RPM that I published does NOT help secure 
your Apache installation. Cobalt's latest RPM uses a STATICALLY LINKED 
openssl 0.9.6 revision. So does the OpenSSH PKG from pkgmaster.

Unless you are using dynamically linked mod_ssl or ssh binaries, you don't 
need to install my RPM.
 
> <snip>
> On Tue, 21 Jan 2003, Gavin Nelmes-Crocker wrote:
> 
> > > Reaction
> > > --------
> > > I reacted by updating my Raq4 units to OpenSSL 0.9.7 and OpenSSH 3.4p1PM4
> > > from http://pkgmaster.com. We have also restricted SSH access to our raqs
> > > through /etc/hosts.allow|deny.
> > >
> > > I have put RPMS for OpenSSL 0.9.7 on our FTP server at:
> > > ftp://ftp.nacs.net/pub/software/cobalt_raq4
> > > openssl-0.9.7-1.i386.rpm
> > > openssl-0.9.7-1.src.rpm
> > > openssl-devel-0.9.7-1.i386.rpm
> > > openssl-doc-0.9.7-1.i386.rpm
> > >
> > > OpenSSL 0.9.7 fixes 4 reported remote exploits. I have no idea if Cobalt's
> > > security patches address this, as I just applied them in the order
> > > required and didn't read much about what was being patched. After
> > > installing the new OpenSSL RPMS, my previous versions of OpenSSH would not
> > > work properly, so I updated to the 3.4pl1 from pkgmaster and all is fine.
> >
> > Hi
> >
> > Can you tell me in what way you did the openssl upgrade - if I do rpm -Uvh I
> > get
> >
> > error: failed dependencies:
> >         openssl = 0.9.6b-8 is needed by openssl-perl-0.9.6b-8
> 
> openssl-perl seems to be deprecated, as the scripts it contains are
> provided in the openssl-0.9.7 rpm. I uninstalled it.
> 
> >         libcrypto.so.2 is needed by curl-7.9.4-1
> >         libcrypto.so.2 is needed by php-4.1.2-PM3
> >         libssl.so.2 is needed by curl-7.9.4-1
> >         libssl.so.2 is needed by php-4.1.2-PM3
> 
> I haven't seen any adverse negative reaction from my installation. Does
> anyone have any idea why php and curl would need ssl?
> 
> > did you force it or nodeps ?
> 
> Here is exactly what I did.
> 
> rpm -e openssl-perl
> rpm -Uvh openssl-devel-0.9.7-1.i386.rpm
> rpm -Uvh openssl-0.9.7-1.i386.rpm --nodeps
> 
> Nothing appears to be broken yet.
> 
> <end snip>
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
> 

-- 
    Vice President of N2Net, a New Age Consulting Service, Inc. Company
         http://www.n2net.net Where everything clicks into place!
                             KP-216-121-ST
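Greg's point above (the RPM replaces the shared libssl/libcrypto, so a binary that carries its own statically linked OpenSSL, like Cobalt's Apache or the pkgmaster OpenSSH, is untouched by the upgrade) is something you can verify per binary rather than take on faith. The script below is an added example, not code from this thread, from Cobalt or from pkgmaster. It assumes glibc's `ldd` output wording and the binutils `strings` tool; the sample `ldd` and `strings` outputs embedded in it are constructed, as are the binary paths in the usage comment.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether upgrading the OpenSSL
# library RPM actually reaches a given binary. Assumes glibc's ldd output
# format and GNU binutils `strings` (both assumptions, not thread facts).

# Classify `ldd` output:
#   dynamic - loads a shared libssl/libcrypto, so replacing the openssl RPM
#             updates it (this is the only case Greg's RPM helps with)
#   static  - ldd reports "not a dynamic executable"
#   none    - dynamic, but no shared OpenSSL: either no SSL at all, or OpenSSL
#             statically linked in (Cobalt's Apache, pkgmaster's OpenSSH)
ssl_link_kind() {
    ldd_out=$1
    if printf '%s\n' "$ldd_out" | grep -q 'not a dynamic executable'; then
        echo static
    elif printf '%s\n' "$ldd_out" | grep -Eq 'lib(ssl|crypto)\.so'; then
        echo dynamic
    else
        echo none
    fi
}

# Pull the first embedded "OpenSSL x.y.z" version string out of `strings`
# output. A statically linked binary keeps its own copy of this string, so it
# reveals which OpenSSL release is really inside, whatever `rpm -q openssl` says.
embedded_openssl_version() {
    printf '%s\n' "$1" | grep -o 'OpenSSL [0-9][0-9a-z.]*' | head -n 1
}

# Run both checks against a real file on the system.
check_binary() {
    bin=$1
    kind=$(ssl_link_kind "$(ldd "$bin" 2>&1)")
    ver=$(embedded_openssl_version "$(strings "$bin" 2>/dev/null)")
    printf '%s: %s link, embedded version: %s\n' "$bin" "$kind" "${ver:-(none found)}"
}

# Constructed sample outputs so the classifiers can be exercised offline.
SAMPLE_DYNAMIC='    libssl.so.2 => /usr/lib/libssl.so.2 (0x40020000)
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x40050000)
    libc.so.6 => /lib/libc.so.6 (0x40120000)'
SAMPLE_STATIC_SSL='    libc.so.6 => /lib/libc.so.6 (0x40020000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'
SAMPLE_FULLY_STATIC='    not a dynamic executable'
SAMPLE_STRINGS='OpenSSL 0.9.6b 9 Jul 2001
SSLv3 part of OpenSSL 0.9.6b 9 Jul 2001'

# Usage on a live RaQ (paths are illustrative, not taken from the thread):
#   check_binary /usr/sbin/httpd
#   check_binary /usr/sbin/sshd
# A binary reported as "none" with an embedded 0.9.6 version string is exactly
# the case the thread describes: the 0.9.7 RPM did nothing for it.
```

On the `--nodeps` question in the thread, `rpm -q --whatrequires libcrypto.so.2` lists the installed packages that declared the soname dependency (curl and php in the error above), which is the check to run before forcing the install so you know which programs will load the new library.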