From: Marcel Erkens (merkens_at_safenebraska.org)
Date: Wed Sep 18 2002 - 08:29:22 CDT

    On Wednesday 18 September 2002 08:15, Olaf Kirch wrote:
    > On Wed, Sep 18, 2002 at 02:54:12PM +0200, Joachim Hummel wrote:
    > > Copy from SecurityFocus.com:
    > > The OpenSSL server vulnerability exploit exists on a wide variety of
    > > platforms, but Slapper appears to work only on Linux systems running
    > > Apache with the OpenSSL module (mod_ssl) on Intel architectures.
    >
    > It's easy, if you look at how things work:
    >
    > - apache uses mod_ssl
    > - mod_ssl uses OpenSSL
    > - OpenSSL has a buffer overflow
    >
    > So yes, everyone is talking about the "Apache/mod_ssl" worm because
    > that's how it propagates. But the vulnerability is at a layer below
    > that; any other service using OpenSSL's SSL implementation could probably
    > be used to propagate the worm as well (anybody out there running webmin?)
    >
    > So: You upgrade OpenSSL, the buffer overflow is gone, everyone is happy.

    Or disable mod_ssl if you don't need it ;)

    >
    > Olaf

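Added example, not part of the original thread: because the flaw sits in OpenSSL rather than in Apache, a defender needs to know every running service that has the library loaded, and which of them still map the old copy after the upgrade until they are restarted. The function names, the `proc_root` parameter and the sample tree below are assumptions made for illustration; the sample data is constructed.

```shell
#!/bin/sh
# List processes that have OpenSSL's shared libraries mapped and flag those
# still using a copy that was replaced on disk (maps shows "(deleted)").
# proc_root is a parameter so the check can run on a constructed tree too.
openssl_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # skip processes we may not read
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        name="$(cat "$pid_dir/comm" 2>/dev/null || echo '?')"
        awk -v pid="$pid" -v name="$name" '{
            # field 6 is the mapped file, field 7 is "(deleted)" if unlinked
            n = split($6, part, "/"); base = part[n]
            if (base !~ /^lib(ssl|crypto)[-.].*so/) next
            state = ($7 == "(deleted)") ? "STALE" : "current"
            key = $6 state
            if (key in seen) next           # one line per library per process
            seen[key] = 1
            print pid, name, $6, state
        }' "$maps"
    done
}

# Constructed sample tree (not real data): one web server still mapping the
# replaced library, one other daemon on the new file, one unrelated process.
make_sample_proc() {
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/202" "$root/303"
    echo httpd  > "$root/101/comm"
    echo otherd > "$root/202/comm"
    echo cron   > "$root/303/comm"
    echo '40017000-4004a000 r-xp 00000000 03:02 1234 /usr/lib/libssl.so.0.9.6 (deleted)' > "$root/101/maps"
    echo '40017000-4004a000 r-xp 00000000 03:02 5678 /usr/lib/libssl.so.0.9.6' > "$root/202/maps"
    echo '40017000-40130000 r-xp 00000000 03:02 42 /lib/libc.so.6' > "$root/303/maps"
    echo "$root"
}

# Usage: openssl_users                        (live system, run as root)
#        openssl_users "$(make_sample_proc)"  (constructed sample)
```

Statically linked binaries do not show up in this listing, so a clean result covers only services that load OpenSSL as a shared library.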