The last word on the Linux Slapper worm

[John.Airey () rnib org uk (John.Airey () rnib org uk)]

Your assumption below assumes that Red Hat can issue a patch the same day as
a vulnerability is announced.

Red Hat have stated publicly that they take around 10 days to patch
vulnerabilities once found. In this case they had been working on it at the
same time. I was expecting another update as the published update didn't
list all the problems. So were many other people if the posts to Bugtraq are
anything to go by.

However, I wouldn't bother trying to post anything positive to bugtraq about
Linux Slapper. It seems that they don't want that kind of information on
their list.

John

-----Original Message-----
From: Schmehl, Paul L
To: John.Airey () rnib org uk; full-disclosure () lists netsys com
Sent: 25/09/02 23:10
Subject: RE: [Full-disclosure] The last word on the Linux Slapper worm

Interesting.  I patched openssl the day the patch was announced (using
up2date.)  When the Slapper worm came out, I knew my system wasn't
vulnerable, because I had already applied the patch on June 29th when it
was released.  I'm not sure why there would have been confusion about
whether or not your system might be vulnerable, since both the the
vulnerability and the patch were publicly announced, but I suspect it
had to do with the fact that (at least in the case of Red Hat) the
*version* of openssl you're running is patched rather than updating to
the latest version.

On RH 7.2 (my system), for example, openssl is version 0.9.6b, but it's
patched against this vulnerability.  All the advisories suggest updating
to at least version 0.9.6e if not g, but they do not address the fact
that your vendor may have patched previous versions.  I sent a post to
bugtraq pointing that out, but it was never published.  Guess I'll just
use this list from now on.

Paul Schmehl (pauls () utdallas edu)
Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


> -----Original Message-----
> From: John.Airey () rnib org uk [mailto:John.Airey () rnib org uk] 
> Sent: Monday, September 23, 2002 9:48 AM
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] The last word on the Linux Slapper worm
> Importance: High
>
>
> There has been a lack of information about the potential for 
> damage around the Linux Slapper worm, and posts to the 
> bugtraq list ranging from the sublime to the ridiculous. I am 
> hoping that this post will clear up any doubts people may 
> have about the vulnerabilities of their systems. It appears 
> that the Linux vendors and openssl had been working together 
> to produce an update to the vulnerability that was exploited 
> by this worm. However, none of the openssl maintainers other 
> than Mark Cox of Red Hat knows anything about this from what 
> I can gather.

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk