
RE: [cobalt-security] Bug-Travel



> This doesn't work for all our RaQ4s, Greg <frown>.
>
> For example, we've got a system that won't take openssl-0.9.7; it tells
> us it conflicts with openssl-perl-0.9.6.  I can't find any RPMS for
> openssl-perl-0.9.7; in fact the last rpm I find for openssl-perl for
> RHL6.2, is for 0.9.5.
>
> I'm most emphatically NOT a perl guru <frown>.  openssl-perl is NOT part
> of a standard RaQ install, and I've asked the customer if he really
> needs it.  I'm awaiting his reply.  In case he does, do you or does
> anyone else have an openssl-per-0.9.7 rpm for RHL6.2, i386?

Jeff - I had similar problems, so I asked Greg directly what he did, possibly
with the view of doing a quick pkg for others. I have done the mod, but I'm
not convinced that I am protected, and I am suspicious that we were partly
hacked, in that we lost some stuff for no apparent reason: the
/var/spool/mail directory disappeared, as did everything in
/usr/admserv/html/SiteManage.

Anyway, this is the reply from Greg as to what he did. I have also done this
and not seen any problems yet. Good luck.

Gavin

<snip>
On Tue, 21 Jan 2003, Gavin Nelmes-Crocker wrote:

> > Reaction
> > --------
> > I reacted by updating my Raq4 units to OpenSSL 0.9.7 and OpenSSH 3.4p1PM4
> > from http://pkgmaster.com. We have also restricted SSH access to our raqs
> > through /etc/hosts.allow|deny.
> >
> > I have put RPMS for OpenSSL 0.9.7 on our FTP server at:
> > ftp://ftp.nacs.net/pub/software/cobalt_raq4
> > openssl-0.9.7-1.i386.rpm
> > openssl-0.9.7-1.src.rpm
> > openssl-devel-0.9.7-1.i386.rpm
> > openssl-doc-0.9.7-1.i386.rpm
> >
> > OpenSSL 0.9.7 fixes 4 reported remote exploits. I have no idea if
> > Cobalt's security patches address this, as I just applied them in the
> > order required and didn't read much about what was being patched. After
> > installing the new OpenSSL RPMS, my previous versions of OpenSSH would
> > not work properly, so I updated to the 3.4pl1 from pkgmaster and all is
> > fine.
>
> Hi
>
> Can you tell me in what way you did the openssl upgrade - if I do rpm -Uvh
> I get
>
> error: failed dependencies:
>         openssl = 0.9.6b-8 is needed by openssl-perl-0.9.6b-8

openssl-perl seems to be deprecated, as the scripts it contains are
provided in the openssl-0.9.7 rpm. I uninstalled it.

>         libcrypto.so.2 is needed by curl-7.9.4-1
>         libcrypto.so.2 is needed by php-4.1.2-PM3
>         libssl.so.2 is needed by curl-7.9.4-1
>         libssl.so.2 is needed by php-4.1.2-PM3

I haven't seen any adverse negative reaction from my installation. Does
anyone have any idea why php and curl would need ssl?

> did you force it or nodeps ?

Here is exactly what I did.

rpm -e openssl-perl
rpm -Uvh openssl-devel-0.9.7-1.i386.rpm
rpm -Uvh openssl-0.9.7-1.i386.rpm --nodeps

Nothing appears to be broken yet.

<end snip>
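The thread ends with "Nothing appears to be broken yet" after an `rpm -Uvh --nodeps`, which silently skips the very check (`libcrypto.so.2` / `libssl.so.2` needed by curl and php) that rpm raised. The script below is an added example, not part of the posting or of any Cobalt or pkgmaster package: it parses rpm's "is needed by" lines to pull out the shared-library sonames that other packages still require, then checks whether each soname actually exists on a given library path. It assumes a POSIX sh with awk; the library directory and the rpm error text in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): after forcing an OpenSSL
# upgrade with --nodeps, confirm that the sonames other packages still declare
# a dependency on are present. A missing soname means those binaries fail at
# load time even though rpm reported success.

# parse_rpm_deps: read rpm "failed dependencies" output on stdin and print the
# unique shared-library sonames (lines of the form "<lib>.so.N is needed by X").
# Package-version requirements such as "openssl = 0.9.6b-8" are ignored.
parse_rpm_deps() {
    awk '$2 == "is" && $3 == "needed" && $1 ~ /\.so\./ { print $1 }' | sort -u
}

# check_sonames LIBDIRS SONAME...
# LIBDIRS is a colon-separated list of directories to search (on a real RaQ
# this would be /lib:/usr/lib plus anything in /etc/ld.so.conf).
# Prints "ok" or "MISSING" per soname; returns 1 if any soname is missing.
check_sonames() {
    dirs=$1; shift
    missing=0
    for so in "$@"; do
        found=0
        oldifs=$IFS; IFS=:
        for d in $dirs; do
            if [ -e "$d/$so" ]; then found=1; break; fi
        done
        IFS=$oldifs
        if [ "$found" -eq 1 ]; then
            echo "ok       $so"
        else
            echo "MISSING  $so"
            missing=1
        fi
    done
    return $missing
}

# Demo on constructed data: the error text from the thread, and a fake library
# directory that only still contains libssl.so.2 (constructed; not a real RaQ).
demo_dir=$(mktemp -d)
: > "$demo_dir/libssl.so.2"
rpm_errors='error: failed dependencies:
        openssl = 0.9.6b-8 is needed by openssl-perl-0.9.6b-8
        libcrypto.so.2 is needed by curl-7.9.4-1
        libcrypto.so.2 is needed by php-4.1.2-PM3
        libssl.so.2 is needed by curl-7.9.4-1
        libssl.so.2 is needed by php-4.1.2-PM3'
needed=$(printf '%s\n' "$rpm_errors" | parse_rpm_deps)
check_sonames "$demo_dir" $needed \
    || echo "at least one required soname is missing: dependent packages will break"
rm -rf "$demo_dir"
```

On a live system, run `rpm -Uvh openssl-0.9.7-1.i386.rpm 2>&1 | parse_rpm_deps` before adding `--nodeps`, then pass the result to `check_sonames /lib:/usr/lib` after the upgrade; `ldconfig -p | grep libcrypto` gives the same answer for the directories the loader actually searches. If a soname is missing, keep the old library files alongside the new ones (or rebuild curl and php) rather than trusting that nothing has broken "yet".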