[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] New SSL Vulnerability ?

Subject: [cobalt-users] New SSL Vulnerability ?
From: "Kevin" <owner@xxxxxxxxxxxxx>
Date: Tue Sep 17 16:34:00 2002
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

I have OpenSSL/0.9.6g installed from the Solar Speed Net package that
seems to be unaffected by this vulnerability released today. I had no
problem installing it and nothing appears broken on my RaQ4.

The vulnerability note only appeasers to affect OpenSSL prior to 0.9.6e
or the pre-release version 0.9.7-beta2.

Here is what was posted today on http://www.kb.cert.org/vuls/id/102795

Vulnerability Note VU#102795
OpenSSL servers contain a buffer overflow during the SSL2 handshake
process
Overview
OpenSSL is an open-source implementation of the Secure Sockets Layer
(SSL) protocol. A remotely exploitable vulnerability exists in OpenSSL
servers that could lead to the execution of arbitrary code on the
server. 

************************************************************************
***
I. Description
Versions of OpenSSL servers prior to 0.9.6e and pre-release version
0.9.7-beta2 contain a remotely exploitable buffer overflow
vulnerability. This vulnerability can be exploited by a client using a
malformed key during the handshake process with an SSL server connection
using the SSLv2 communication process. 
************************************************************************
***

II. Impact
Exploitation of this vulnerability could lead to the execution of
arbitrary code on the server. The code will be executed with the
privileges of the application or service exploited via this
vulnerability. 
III. Solution
OpenSSL servers should apply the patches provided by your vendors, or
upgrade to OpenSSL 0.9.6e. Note that applications statically linking to
OpenSSL libraries may need to be recompiled with the corrected version
of OpenSSL. 
Servers can disable SSL2 or disable all applications using SSL or TLS
until the patches are applied.

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Dave Thurman
(Mailing List Email)
Sent: Tuesday, September 17, 2002 6:00 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] linux.slapper.worm

on 9/17/02 4:21 PM, Kim Schulz stated:

> the problem is that there  already is a new exploit out (made by Solar
> Eclipse) that exploits newest version of openssl :o( not good.

Say what?? Link??
-- 
Thanks!!
Dave Thurman
The Web Presence Group / www.webpresencegroup.net
Listonly <at> webpresencegroup.net / Spam Block 8^Q

_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users

Follow-Ups:
- Re: [cobalt-users] New SSL Vulnerability ?
  - From: Rick Ewart

References:
- Re: [cobalt-users] linux.slapper.worm
  - From: Dave Thurman (Mailing List Email)

Prev by Date: [cobalt-users] installing Spamassassin error
Next by Date: RE: [cobalt-users] installing Spamassassin error
Previous by thread: Re: [cobalt-users] linux.slapper.worm
Next by thread: Re: [cobalt-users] New SSL Vulnerability ?

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index