OpenSSL 0.9.7a seems to be vulnerable (was: Re: LKM Trojan)

Paul Howarth paul at city-fan.org
Wed Dec 1 15:19:54 UTC 2004


James Mckenzie wrote:
> Scootgirl said:
> 
>>Hi Rahul,
> 
>>I used that tool and it said everything on my system was OK except the 
>>following:
> 
>>[16:55:09] Scanning OpenSSL...
>>[16:55:09] /usr/bin/openssl found
>>[16:55:09] Version 0.9.7a seems to be vulnerable (if unpatched)!
> 
> This is a very old version of OpenSSL 0.9.7 and has a known vulnerability, which was confirmed at the OpenSSL (www.openssl.org) web page.  OpenSSL 0.9.7 is now up to version 0.9.7e, released two weeks before FC3 was released.  I think that FC3 should have at least OpenSSL 0.9.7d.  Depending on how you installed FC/RH you can just download the source code and build OpenSSL.
> 
>>I wonder if this is a false positive since I use the up2date tool 
>>frequently. If not, where can I get this patch?
> 
> Depending on which release you have, you might not get the latest and greatest release/updates.  That is why I tend to visit most of the sites that directly support additional software for my system on a semi-regular basis.  I will check my system to see which version of OpenSSL is installed, and if necessary, update it.  If I get the time, I may build an .rpm for OpenSSL and send it to the Extras site when it comes up.

FC3 is using the following RPM:

$ rpm -q openssl
openssl-0.9.7a-40

An examination of the changelog for this RPM shows that patches for various 
security vulnerabilities affecting openssl 0.9.7a have been included in this 
version:

$ rpm -q --changelog openssl
... (snip)
* Thu Mar 25 2004 Joe Orton <jorton at redhat.com> 0.9.7a-35

- add security fixes for CAN-2004-0079, CAN-2004-0112
... (snip)

Moral of the story: don't trust version numbers of packages.

Paul.
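The check Paul describes above (read the RPM changelog for the CAN/CVE ids of backported fixes rather than trusting the upstream version string), written out as a small script. This is an added example, not code from the thread or from Fedora; the changelog text inside it is a constructed sample modelled on the entry quoted above, the function names are my own, and CVE-2004-9999 is a made-up id used only to show the "not mentioned" case.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether an installed RPM carries a
# backported security fix by reading its %changelog instead of comparing the
# upstream version number.  Assumption: the vendor records backported fixes by
# CAN/CVE id in the changelog, as the Red Hat openssl entry quoted above does.

# Constructed sample, modelled on the changelog entry quoted in the thread.
SAMPLE_CHANGELOG='* Thu Mar 25 2004 Joe Orton <jorton at redhat.com> 0.9.7a-35

- add security fixes for CAN-2004-0079, CAN-2004-0112
'

# installed_changelog PKG: dump the changelog of an installed package (needs rpm).
installed_changelog() {
    rpm -q --changelog "$1"
}

# mentions_fix CHANGELOG ID: exit 0 when CHANGELOG names ID.  Ids issued before
# 2005 appear as CAN-yyyy-nnnn in old changelogs and as CVE-yyyy-nnnn in later
# advisories, so either prefix is accepted for the same number.  The trailing
# group stops CAN-2004-0079 from matching a longer number such as 00791.
mentions_fix() {
    _num=$(printf '%s' "$2" | sed -E 's/^(CAN|CVE)-//')
    printf '%s\n' "$1" | grep -q -E -- "(CAN|CVE)-$_num([^0-9]|\$)"
}

# missing_fixes CHANGELOG ID...: print, one per line, the ids the changelog
# does not mention.  Empty output means every id was found.
missing_fixes() {
    _log=$1; shift
    for _id in "$@"; do
        if ! mentions_fix "$_log" "$_id"; then
            printf '%s\n' "$_id"
        fi
    done
}

# report CHANGELOG ID...: human-readable verdict per id.  An id that is not
# mentioned is not proof of vulnerability; it means the changelog gives no
# evidence of a fix and the vendor advisory has to be checked.
report() {
    _log=$1; shift
    for _id in "$@"; do
        if mentions_fix "$_log" "$_id"; then
            echo "$_id: fix recorded in changelog"
        else
            echo "$_id: NOT mentioned - verify against the vendor advisory"
        fi
    done
}

# Usage: sh check_backports.sh openssl CAN-2004-0079 CAN-2004-0112
# With fewer than two arguments, run against the constructed sample instead;
# CVE-2004-9999 is a made-up id included to show the "not mentioned" case.
if [ $# -ge 2 ]; then
    _pkg=$1; shift
    report "$(installed_changelog "$_pkg")" "$@"
else
    report "$SAMPLE_CHANGELOG" CAN-2004-0079 CVE-2004-0112 CVE-2004-9999
fi
```

Run it as `sh check_backports.sh openssl CAN-2004-0079 CAN-2004-0112` on a system with rpm; with no arguments it runs against the embedded sample. The same idea applies to any distribution that backports fixes (Debian's `apt-get changelog` output can be fed to `report` in the same way), which is why a scanner keyed only on the version string, like the one Scootgirl ran, will keep flagging 0.9.7a-40 as vulnerable.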
