On Tue, Oct 15, 2002 at 10:02:20AM -0400, Charles Daminato wrote:
>
> Note that all our services, even if "older/outdated", are not vulnerable and
> appropriate measures have been taken to ensure they are secure. rr-n1-tor
> is NOT running SSLv2, which is where the OpenSSL buffer overflow is
> exploitable - so there's no concern there.
It appears to be running Apache 1.3.20 which is mentioned all over the
place: http://httpd.apache.org/info/security_bulletin_20020617.txt and
http://www.cert.org/advisories/CA-2002-17.html and a specific
vulnerability is also mentioned at http://www.kb.cert.org/vuls/id/944335
How has rr-n1-tor been secured if not by upgrading Apache?
It also seems to be running OpenSSL 0.9.6b which has vulnerabilities in
more than just SSLv2, according to security advisories. Check out
http://www.openssl.org/news/secadv_20020730.txt as well as
http://www.cert.org/advisories/CA-2002-23.html with multiple
vulnerabilities linked to from there.
Again, how has rr-n1-tor been secured if not by upgrading OpenSSL?
Or are you guys being insanely clever and compiling new versions of
software with old version numbers in an attempt to entrap would-be
attackers?
-- Paul Chvostek <paul@it.ca> Operations / Abuse / Whatever +1 416 598-0000 it.canada - hosting and development http://www.it.ca/
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:37:28 EDT