From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Description of problem:
The current version of openssl 0.9.6b-28 does not protect against the Linux
The build date is 1st August 2002. 0.9.6e (which does not have this
vulnerability) was released on 30th July 2002.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Actual Results: N/A
Expected Results: N/A
The above CERT advisory was released on June 30th.
The combined patches for 0.9.6d and below are at
I'm amazed that you haven't yet released an update. What are you up to there?
I have sent this email to the bugtraq, mod_ssl and openssl mailing lists:
"You can disregard the following email if you don't use Red Hat Linux 7.0 and
Having waited for an update to openssl from RedHat, I decided to call them.
They've not had anyone ask them for an update, which came as a bit of a shock.
I have therefore registered a request to release an update to openssl via their
bugzilla site. For information, the vulnerability that Linux Slapper takes
advantage of was fixed in openssl on 30th July. See
http://www.cert.org/advisories/CA-2002-23.html for details.
The previous openssl errata at http://rhn.redhat.com/errata/RHSA-2002-160.html
has no mention of the buffer overflows fixed on July 30th. This package was
built on August 1st, so it is unlikely to include the 0.9.6d patches due to the
time lag of testing patches by Red Hat.
You can add your comments to the bug report at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=74312. If I haven't heard
from them soon, I will probably release an update myself."
I am quite serious about this. We've been seeing attempts at compromise since
http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th of July
and fixed the vulnerability that the Linux Slapper worm takes advantage of. We
released a new version of OpenSSL a little later that fixed one of the other
If you upgraded to either of the OpenSSL errata and followed the instructions
about restarting your services you are protected against the Linux slapper worm.
Just to explain how we can have a fix so quickly - The OpenSSL group gave
vendors advance notice of the vulnerabilities giving us time to prepare updated
packages in advance of their advisory.