Re: [cobalt-security] openssl exploitable still?
- Subject: Re: [cobalt-security] openssl exploitable still?
 
- From: Dmitry Alexeyev <dmi_a@xxxxxxxxxx>
 
- Date: Tue, 17 Feb 2004 23:51:53 +0300
 
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
 
> I don't understand it..
>
> [root src]# openssl
> OpenSSL> version
> OpenSSL 0.9.7c 30 Sep 2003
> OpenSSL>
>
> But Apache still announces Server Version: Apache/1.3.20 Sun Cobalt
> (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6

The Apache source RPM from Cobalt has OpenSSL already in it, and it is a
patched version 0.9.6.

I tried to rebuild it with recent apache/mod_perl/mod_ssl etc., but
failed. I guess this spec has to be rewritten completely from scratch,
which I am planning to do tomorrow.

If your server keeps being defaced, then you have a bug somewhere in
CGI/PHP or even a rootkit installed.

If you want me to check your server and fix this issue, please contact
me off-list - there's much to do with the default Cobalt installation; I
have explored some really bad bugs there :|

(I am not sure it's Apache's fault, actually. A bad handshake doesn't mean a
critical error in software - it's just someone with a broken client.)

Best Regards,
Dmitry
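
The mismatch discussed in this thread, as an added example that is not part of the original message: the sketch below parses the Apache `Server` banner and the `openssl version` output quoted above and reports whether Apache's bundled OpenSSL differs from the command-line one. The function names are hypothetical, and the two sample strings are constructed from the text quoted in the thread.

```python
import re

# Constructed sample inputs, taken from the strings quoted in the thread.
BANNER = "Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6"
CLI_OUTPUT = "OpenSSL 0.9.7c 30 Sep 2003"

# A product token is name/version; bare words such as "Sun Cobalt" carry no version.
TOKEN = re.compile(r"([A-Za-z0-9_.\-]+)/([0-9][0-9A-Za-z.\-]*)")

def banner_products(banner):
    """Return {product: version} for each name/version token in a Server banner."""
    without_comments = re.sub(r"\([^)]*\)", " ", banner)  # drop "(Unix)" style comments
    return {name.lower(): ver for name, ver in TOKEN.findall(without_comments)}

def cli_openssl_version(output):
    """Extract the version from `openssl version` output, or None if unrecognised."""
    m = re.match(r"OpenSSL\s+(\S+)", output.strip())
    return m.group(1) if m else None

def version_key(version):
    """Sort key for old-style OpenSSL versions such as 0.9.6 or 0.9.7c."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def compare_openssl(banner, cli_output):
    """Compare the OpenSSL that Apache announces with the one on the command line."""
    linked = banner_products(banner).get("openssl")
    cli = cli_openssl_version(cli_output)
    if linked is None or cli is None:
        status = "unknown"
    elif version_key(linked) == version_key(cli):
        status = "match"
    elif version_key(linked) < version_key(cli):
        status = "apache-older"   # Apache was built against its own, older copy
    else:
        status = "apache-newer"
    # The status only says which library Apache reports. A vendor build may carry
    # backported fixes under an old version string, as the reply notes for 0.9.6.
    return {"apache_openssl": linked, "cli_openssl": cli, "status": status}

if __name__ == "__main__":
    print(compare_openssl(BANNER, CLI_OUTPUT))
```

An "apache-older" result means upgrading the system `openssl` binary did not change the library compiled into the web server; only rebuilding or replacing the Apache package does.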