Bug 74312 - Update to counter Linux Slapper worm needed NOW!
Summary: Update to counter Linux Slapper worm needed NOW!
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssl
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL: http://www.cert.org/advisories/CA-200...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2002-09-20 09:52 UTC by John Airey
Modified: 2007-04-18 16:46 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-09-20 10:09:56 UTC
Embargoed:



Description John Airey 2002-09-20 09:52:12 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Description of problem:
The current version of openssl 0.9.6b-28 does not protect against the Linux 
Slapper worm.

The build date is 1st August 2002. 0.9.6e (which does not have this 
vulnerability) was released on 30th July 2002.

Version-Release number of selected component (if applicable):
0.9.6b-28

How reproducible:
Always

Steps to Reproduce:
N/A

Actual Results:  N/A

Expected Results:  N/A

Additional info:

The above CERT advisory was released on June 30th.

The combined patches for 0.9.6d and below are at 
     http://www.openssl.org/news/patch_20020730_0_9_6d.txt

I'm amazed that you haven't yet released an update. What are you up to there?

Comment 1 John Airey 2002-09-20 10:09:49 UTC
I have sent this email to the bugtraq, mod_ssl and openssl mailing lists:

"You can disregard the following email if you don't use Red Hat Linux 7.0 and 
above.

Having waited for an update to openssl from RedHat, I decided to call them. 
They've not had anyone ask them for an update, which came as a bit of a shock. 
I have therefore registered a request to release an update to openssl via their 
bugzilla site. For information, the vulnerability that Linux Slapper takes 
advantage of was fixed in openssl on 30th July. See  
http://www.cert.org/advisories/CA-2002-23.html for details.

The previous openssl errata at http://rhn.redhat.com/errata/RHSA-2002-160.html 
has no mention of the buffer overflows fixed on July 30th. This package was 
built on August 1st, so it is unlikely to include the 0.9.6d patches due to the 
time lag of testing patches by Red Hat.

You can add your comments to the bug report at 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=74312. If I haven't heard 
from them soon, I will probably release an update myself."

I am quite serious about this. We've been seeing attempts at compromise since 
September 10th.

Comment 2 Mark J. Cox 2002-09-20 10:16:16 UTC
Hi there

http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th of July
and fixed the vulnerability that the Linux Slapper worm takes advantage of.  We
released a new version of OpenSSL a little later that fixed one of the other
vulnerabilities, http://rhn.redhat.com/errata/RHSA-2002-160.html

If you upgraded to either of the OpenSSL errata and followed the instructions
about restarting your services you are protected against the Linux slapper worm.

Comment 3 Mark J. Cox 2002-09-20 10:18:22 UTC
Just to explain how we can have a fix so quickly - The OpenSSL group gave
vendors advance notice of the vulnerabilities giving us time to prepare updated
packages in advance of their advisory.

