Bug 2916 - [SM-Discuss] openssl vulnerabilities
Status: CLOSED FIXED
Product: Security
Classification: Unclassified
Component: General / Other Security Issue
Version: unspecified
Hardware: All All
Importance: P2 normal
Assigned To: SM Security List
Reported: 2003-03-25 13:09 UTC by M.L.
Modified: 2003-06-02 04:27 UTC
Description M.L. 2003-03-25 13:09:11 UTC
[SM-Discuss] openssl vulnerabilities
From: Ladislav Hagara <hgr@vabo.cz>
To: SM-Discuss@lists.ibiblio.org

Howdy,

according to http://www.openssl.org there are two vulnerabilities in our
openssl.
I modified openssl spell in devel grimoire, added two patches and
applied them from BUILD file.
I do not update UPDATED field, vulnerabilities look like only
"theoretical" vulnerabilities.
From http://www.openssl.org/news/secadv_20030319.txt:
"Their attack requires the attacker to open MILLIONS of ssl/tls
connections to the server under attack ...".

If you want to apply these patches and use devel grimoire just "cast -c
openssl".
If "Security Team" thinks it is a real vulnerability please update UPDATE
field.

- lace -
Comment 1 Ladislav Hagara (lace) 2003-03-25 13:17:02 UTC
Is sm-security@lists.ibiblio.org an "open" list?
Comment 2 M.L. 2003-03-25 14:27:14 UTC
Don't know this list... maybe for security team only?
Comment 3 Seth Woolley 2003-03-26 16:57:24 UTC
The security list is open membership and has an archive.

archive:
http://lists.ibiblio.org/pipermail/sm-security/

sign-up:
http://lists.ibiblio.org/mailman/listinfo/sm-security

The idea is that anybody can track security issues with full disclosure. Also,
bugs get default-assigned to it so that everybody gets instant notice of bugs
that the public submit, if they are signed-up or check the archives regularly.

I'm trying to be as hands-off as possible.  Security Team Membership is fairly
open -- not many people seem to be wanting to do it, perhaps I need to make a
big mailing list appeal.

I was away for a small vacation trip, but now I'm back.  I really need somebody
other than me to volunteer to help merge patches up to test and stable when need
be.  I've been doing it so far, but I'd like two or three to be able to do so,
preferably people with some history with smgl.  I'd suggest lace to do it, as
you're very up-to-date on these things.  You too, ML?  If you don't want to have
that responsibility, then at least becoming security team member would be good?

I need to catch up on these patches now...
Comment 4 M.L. 2003-03-27 02:08:05 UTC
Hi Seth,

I may help you with the test grimoire (I'm running test).
I'll have a look at it today if I have some time.

bye,
Mat.
Comment 5 Ladislav Hagara (lace) 2003-03-27 12:18:27 UTC
I think sm-security list should be described in 
http://www.sourcemage.org/resources/lists/

Of course if I have time I like to help you with security.
Security team member is O.K.

BTW, on Tuesday (?) I wrote a security alert to http://news.sourcemage.org/
and I got message that my news should be authorized. Who can authorize security 
news?
Comment 6 erics 2003-06-02 03:23:42 UTC
This is so old that the patches have been removed and version bump has 
occurred... closing.
 
Eric