Penetration Testing mailing list archives

Re: Openssl proof of concept code?
From: David Kennedy CISSP <david.kennedy () acm org>
Date: Thu, 08 Jan 2004 22:38:25 -0500


At 03:46 PM 1/8/04 -0500, Lachniet, Mark wrote:

> It's been a while now, and responsible vendors should have already
> issued patches.

I'm not aware of any POC code, but inferring the community is safe
because the patches have been out for a while may not be correct. 
Yesterday, HP revised HPSBUX0310-284   SSRT3622 to include:

**REVISED 02**
IMPACT:   Potential Denial of Service, remote execution of
--->     arbitrary code and disclosure of sensitive information.

Previously it was DOS-only.  

It may just be that HP discovered their 10/1 patch needed more work. 
Or it could be someone has done some more testing and we're going to
see some patch announcements in the next few days.  Given that HP is
not known for excellence in issuing advisories and patches on the
first day a problem is discovered, it seems more reasonable they're
fixing their patch.  But that's just another inference.  

OTOH their action probably stimulated others to re-look their patches
too.  "What does HP know that we don't?"

<address list trimmed|I won't feed trolls on FullofDis>



David Kennedy CISSP                       \ / ASCII Ribbon Campaign
Protect what you connect;                  X  Against HTML Mail
Look both ways before crossing the Net.   / \

