I goofed and replied to Jeffrey directly rather than to the list.

The OpenSSL version in the 2.0.1 release of GSX Server on Linux and
Win32 is in fact 0.9.6e.

I notified VMware (through my account rep) today that the problem still
exists but in a new incarnation with this release and asked for an ETA
on when we might see a definitive fix. I made sure they were aware that
0.9.6f is currently only available via CVS and not in pre-packaged form.

I'll send an update to the list when I receive some additional
information; if I don't hear anything, I'll raise a support incident
with them over this.

Jim

Jeffrey Altman wrote:
>
> I sure hope they did not simply replace a previous version of OpenSSL
> with 0.9.6e. 0.9.6e changes the attack from
>
> I can execute code if I do it right
>
> to
>
> I can bring down your server if I do anything at all
>
> This is because the fix for 0.9.6e simply adds an assertion and a call
> to abort() at each place that was vulnerable. Correctly implemented
> patches have been written and submitted into the current snapshots. A
> release date for 0.9.6f has not been announced yet.
>
> >
> > What is new in VMware GSX Server 2.0.1?
> > ---------------------------------------
> >
> > VMware GSX Server 2.0.1 includes:
> >
> > - An updated version of OpenSSL with fixes for the buffer
> > overflow vulnerabilities reported in CERT Advisory CA-2002-23
> > (http://www.cert.org/advisories/CA-2002-23.html). This
> > vulnerability exists in the Windows and Linux versions of GSX
> > Server 2.0.0 build 2050.
>
> Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!!
> The Kermit Project Columbia University SSH, Secure Telnet, Secure FTP, HTTP
> http://www.kermit-project.org/ Secured with MIT Kerberos, SRP, and
> kermit-supportcolumbia.edu OpenSSL.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]