
Re: [cobalt-security] new openssl vulnerabilities



Actually, I believe that both (openssl-0.9.6b-8) and (openssl-perl-0.9.6b-8) are included with the Raq4 because there were two openssl dynamic (*.so) libs on my Raq4 on a fresh install, before I installed OpenSSH. And I know I didn't install anything dealing with perl unless it was an official cobalt update.

The fact that you have /usr/local/openssl-0.9.6b directory suggests that
you compiled the thing from source.  Grab 0.9.6e, build and install it.
Since it was not installed from rpm, there is no way to find which
programs may use it other than recall which ones you compiled yourself.
Check if any of them are statically linked against openssl, and rebuild.

Just in case, to check if you installed openssl from rpm, run this
command:

rpm -qa|grep openssl

If the only thing you see is "apache-openssl-1.3.20-RaQ4_1C3" then you
did not.  If you see something like this:

openssl-perl-0.9.6b-XX
openssl-0.9.6b-XX
openssl-devel-0.9.6b-XX

then you did.  It is my understanding that the vulnerability was fixed in
the version with 'XX' = '24'.  Grab and install appropriate rpms.

Eugene
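
An added example (not part of the original message): a shell function that applies the check described above to `rpm -qa` output. It assumes, as the message does, that 0.9.6b packages with release 24 or later carry the fix; the function names and the sample package list are constructed for illustration.

```sh
#!/bin/sh
# Assumption taken from the message above: release >= 24 of the
# 0.9.6b packages is the fixed one.
FIXED_RELEASE=24

# Constructed sample of `rpm -qa` output (not captured from a real host).
sample_rpm_output() {
    printf '%s\n' \
        'apache-openssl-1.3.20-RaQ4_1C3' \
        'openssl-0.9.6b-8' \
        'openssl-perl-0.9.6b-8' \
        'openssl-devel-0.9.6b-24'
}

# Reads package names on stdin, one per line.
# Return status: 0 = every openssl rpm is at the fixed release or later
#                1 = at least one openssl rpm is older and needs updating
#                2 = no openssl rpm found (openssl was not installed from rpm)
check_openssl_rpms() {
    found=0
    stale=0
    while IFS= read -r pkg; do
        case "$pkg" in
            openssl-0.9.6b-*|openssl-perl-0.9.6b-*|openssl-devel-0.9.6b-*) ;;
            *) continue ;;   # skips apache-openssl-* and unrelated packages
        esac
        found=1
        rel=${pkg##*-}        # text after the last dash is the release
        rel=${rel%%[!0-9]*}   # keep only its leading digits
        if [ -z "$rel" ] || [ "$rel" -lt "$FIXED_RELEASE" ]; then
            echo "UPDATE  $pkg"
            stale=1
        else
            echo "OK      $pkg"
        fi
    done
    if [ "$found" -eq 0 ]; then
        return 2
    fi
    return "$stale"
}

# On the host itself: rpm -qa | check_openssl_rpms
sample_rpm_output | check_openssl_rpms || true
```

A return status of 2 corresponds to the source-build case in the message, where the programs linked against openssl have to be tracked down by hand.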