On Mon, 11 Jul 2011, Dennis Kibbe wrote:
> On Sun, 2011-07-10 at 12:00 -0400, R P Herrold wrote:
>> There are are no publicly known SSL issues in the openssl
>> maintained by CentOS
>>
>> Please state the CVE, or if a private zero day, Lisa, please
> One thing that people might not realize is that Red Hat back ports
> security fixes so you can't just look at the version number and assume
> that if it's not the latest it's flawed.
That is not unique to Red Hat derived matter. It is true with
anything relying on external banners, whether from an external
package name, or from a greeting banner advertised, only
publishes what its author wants to say ...
We formerly offered shell accounts at an ISP I adminned, and
we consciously editted /etc/issue to advertise that the host
was a plain old i386 architecture, when in point of fact it
was on an Alpha
People regularly carried in exploits for that particular
version of Red Hat Linux, or RPMs for the i386 architecture,
and sought to install or unpack and run them ... it did not
work of course, and it permitted us to identify people who
needed closer attention by looking for the core files left
behind
In a similar fashion, for colocated hosting, a client will
occasionally send along the results from a naiive
vulnerability scanner service, that is merely reading such
banners. In speaking with the people selling such snake oil,
they are at least honest enough to admit that they don't have
working exploits, but are rather just a banner scanning
service, building a list from reading various mailing lists
First we check if the report is accurate; as they almost never
are [when they are, they imply that some updates were needed],
we therefore change the banners displayed, and silence the
report --- one received a few weeks ago asserted a
vulnerability in our "Linux IIS webserver" ... how else to fix
it? ;)
In the case of Lisa's asserted exploit against the current
CentOS openssl, one might trivially see what CVE are
addressed, and which are not thus:
rpm -q --changelog openssl | grep CVE
which yields for this CentOS 5 box:
[herrold@bronson ~]$ rpm -q --changelog openssl | grep CVE
- fix CVE-2010-4180 - completely disable code for
- fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924)
- fix CVE-2009-3555 - support the safe renegotiation extension and
- fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which
- mention the RFC5746 in the CVE-2009-3555 doc
- fix CVE-2009-2409 - drop MD2 algorithm from EVP tables (#510197)
- fix CVE-2009-4355 - do not leak memory when CRYPTO_cleanup_all_ex_data()
- fix CVE-2009-1386 CVE-2009-1387 (DTLS DoS problems)
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
- fix CVE-2009-0590 - reject incorrectly encoded ASN.1 strings (#492304)
- fix CVE-2008-5077 - incorrect checks for malformed signatures (#476671)
- fix CVE-2007-3108 - side channel attack on private keys (#250581)
- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309881)
- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321221)
- CVE-2006-2940 fix was incorrect (#208744)
- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)
- fix CVE-2006-2940 - parasitic public keys DoS (#207274)
- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)
- fix CVE-2006-4343 - sslv2 client DoS (#206940)
- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)
[herrold@bronson ~]$
=================
Lisa? Still waiting on a reply to:
> Please state the CVE, or if a private zero day, Lisa, please
> state the vector so I may set up a unit running the allegedly
> vulnerable service or services [ie over http, smtp. pop,
> whatever] for you to demonstrate this assertion
-- Russ herrold
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss