
[cobalt-security] Re: new openssl vulnerabilities



Once upon a time, Matt Barton <matt@xxxxxxxxxx> said:
> On Tue, 30 Jul 2002, Menno M Jansz wrote:
> > Just saw the following:
> >
> > http://pkgmaster.com/packages/raq/4/#openssh
> 
> Eh .... OpenSSL and OpenSSH are totally different things.

Yes, but OpenSSH uses the OpenSSL libraries for the encryption routines.

I'm not sure at this point if OpenSSH uses any of the vulnerable
routines from the OpenSSL libraries (I'm pretty sure that it doesn't use
some of them, but I don't know about the rest).

However, starting with the RaQ3, Cobalt included the OpenSSL libraries
as part of the RaQ and used OpenSSL to build Apache with SSL support.
There were also both Cobalt and third-party SSL servers available for
previous RaQs.  All of those definitely are vulnerable to the newly
found holes, as well as some previous ones (the Apache SSL module also
had some security holes found recently that have not been addressed on
Cobalt products).

Sun/Cobalt needs to release an update for every RaQ server that supports
SSL with updated versions of the SSL module and the OpenSSL libraries.

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
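
A check for the dependency discussed in this message, as an added example that is not part of the original post: it lists which binaries declare a dynamic dependency on libssl or libcrypto by parsing `readelf -d` output. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find binaries that load the OpenSSL shared libraries, so an
# OpenSSL library update can be matched to the services that depend on it.
# readelf only reads the ELF headers; it does not execute the binary.

# Read `readelf -d` output on stdin and print the OpenSSL libraries named in
# NEEDED entries, one per line, de-duplicated.
openssl_needed() {
    awk '/\(NEEDED\)/ && match($0, /\[lib(ssl|crypto)\.so[0-9.]*\]/) {
             print substr($0, RSTART + 1, RLENGTH - 2)
         }' | sort -u
}

# For each file given, print "path: libs" when it has such a dependency.
# A statically linked copy of OpenSSL has no NEEDED entry and is not reported
# here; those binaries need a separate check and a rebuild, not a library swap.
scan_binaries() {
    for bin in "$@"; do
        [ -f "$bin" ] || continue
        libs=$(readelf -d "$bin" 2>/dev/null | openssl_needed | tr '\n' ' ')
        if [ -n "$libs" ]; then
            printf '%s: %s\n' "$bin" "${libs% }"
        fi
    done
    return 0
}

# Constructed readelf -d lines for an SSH daemon that uses only libcrypto.
sample_readelf_sshd() {
    printf ' 0x00000001 (NEEDED)   Shared library: [%s]\n' \
        libcrypto.so.2 libz.so.1 libc.so.6
}

# Constructed readelf -d lines for an SSL-enabled web server.
sample_readelf_httpd() {
    printf ' 0x00000001 (NEEDED)   Shared library: [%s]\n' \
        libssl.so.2 libcrypto.so.2 libc.so.6
}

# Scan any paths passed on the command line.
if [ "$#" -gt 0 ]; then
    scan_binaries "$@"
fi
```
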