From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Description of problem:
The current version of openssl 0.9.6b-28 does not protect against the Linux Slapper worm. The build date is 1st August 2002. 0.9.6e (which does not have this vulnerability) was released on 30th July 2002.

Version-Release number of selected component (if applicable):
0.9.6b-28

How reproducible:
Always

Steps to Reproduce:
N/A

Actual Results:
N/A

Expected Results:
N/A

Additional info:
The above CERT advisory was released on June 30th. The combined patches for 0.9.6d and below are at http://www.openssl.org/news/patch_20020730_0_9_6d.txt I'm amazed that you haven't yet released an update. What are you up to there?
I have sent this email to the bugtraq, mod_ssl and openssl mailing lists: "You can disregard the following email if you don't use Red Hat Linux 7.0 and above. Having waited for an update to openssl from RedHat, I decided to call them. They've not had anyone ask them for an update, which came as a bit of a shock. I have therefore registered a request to release an update to openssl via their bugzilla site. For information, the vulnerability that Linux Slapper takes advantage of was fixed in openssl on 30th July. See http://www.cert.org/advisories/CA-2002-23.html for details. The previous openssl errata at http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the buffer overflows fixed on July 30th. This package was built on August 1st, so it is unlikely to include the 0.9.6d patches due to the time lag of testing patches by Red Hat. You can add your comments to the bug report at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=74312. If I haven't heard from them soon, I will probably release an update myself." I am quite serious about this. We've been seeing attempts at compromise since September 10th.
Hi there, http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th of July and fixed the vulnerability that the Linux Slapper worm takes advantage of. We released a new version of OpenSSL a little later that fixed one of the other vulnerabilities: http://rhn.redhat.com/errata/RHSA-2002-160.html If you upgraded to either of the OpenSSL errata and followed the instructions about restarting your services, you are protected against the Linux Slapper worm.
Just to explain how we can have a fix so quickly: the OpenSSL group gave vendors advance notice of the vulnerabilities, giving us time to prepare updated packages in advance of their advisory.
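The exchange above turns on two things an administrator has to verify rather than assume: that the errata package is actually the one installed, and that long-running services such as httpd with mod_ssl were restarted afterwards, since a process that was started before the upgrade keeps executing the old libssl/libcrypto code it had already mapped. The shell script below is an added example, not part of the bug report or of Red Hat's errata; the `REQUIRED_OPENSSL` value is an assumption used for illustration (take the real package version from the RHSA text for your release), and the maps listing used by `stale_ssl_pids` in the demo is constructed sample data in the format of `/proc/<pid>/maps`.

```sh
#!/bin/sh
# Added example: verify an OpenSSL errata is in effect on a Red Hat host.
# Not taken from the bug report or from Red Hat's errata.

# ASSUMPTION: placeholder for the fixed version named in the errata.
REQUIRED_OPENSSL="0.9.6b-28"

# ver_ge INSTALLED REQUIRED
# Returns 0 when INSTALLED sorts at or above REQUIRED under GNU version
# ordering (sort -V), which handles both the letter suffix (0.9.6b < 0.9.6e)
# and the numeric release tag (-26 < -28) of rpm version-release strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)" = "$1" ]
}

# stale_ssl_pids
# Reads lines of the form "<pid> <line from /proc/<pid>/maps>" on stdin and
# prints each pid that still maps a libssl or libcrypto object marked
# "(deleted)", i.e. a library that was replaced on disk after the process
# started. Those processes run the pre-errata code until restarted.
stale_ssl_pids() {
    awk '/lib(ssl|crypto)[^ ]* \(deleted\)/ { seen[$1] = 1 }
         END { for (p in seen) print p }' | sort -n
}

# live_stale_ssl_pids
# Same check against the running system: prefix every maps line with its pid.
live_stale_ssl_pids() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        sed "s|^|$pid |" "$m" 2>/dev/null
    done | stale_ssl_pids
}

# check_openssl
# Exit 0 only when the installed package meets REQUIRED_OPENSSL and no
# process is still running an old, deleted libssl/libcrypto.
check_openssl() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null) || {
        echo "openssl package not installed"
        return 2
    }
    if ! ver_ge "$installed" "$REQUIRED_OPENSSL"; then
        echo "openssl $installed is older than required $REQUIRED_OPENSSL"
        return 1
    fi
    stale=$(live_stale_ssl_pids)
    if [ -n "$stale" ]; then
        echo "package is current, but these pids still map the old library (restart them):"
        echo "$stale"
        return 1
    fi
    echo "openssl $installed installed and no process uses a stale libssl/libcrypto"
    return 0
}

# Constructed sample maps listing: pid 1234 (e.g. an httpd started before the
# upgrade) still maps the deleted libssl/libcrypto; pid 5678 was restarted.
SAMPLE_MAPS='1234 40000000-40100000 r-xp 00000000 03:02 1001 /lib/libssl.so.2 (deleted)
1234 40100000-40180000 r-xp 00000000 03:02 1002 /lib/libcrypto.so.2 (deleted)
1234 40200000-40240000 r-xp 00000000 03:02 1003 /lib/libc.so.6
5678 40000000-40100000 r-xp 00000000 03:02 2001 /lib/libssl.so.2
5678 40200000-40240000 r-xp 00000000 03:02 2003 /lib/libc.so.6'

# demo_stale_pids: run the maps check over the constructed sample.
demo_stale_pids() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_pids
}

if [ "${1:-}" = "--live" ]; then
    check_openssl
else
    echo "pids still mapping a replaced libssl/libcrypto in the sample:"
    demo_stale_pids
fi
```

Run it with `--live` on the host to query rpm and `/proc` directly; without arguments it only exercises the constructed sample. The version comparison uses `sort -V`, so it needs GNU coreutils; on a system with `rpmdev-vercmp` available that tool is the more faithful comparison for rpm version strings.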