Hello Everyone,

You may have seen the recent announcement regarding new OpenSSL vulnerabilities.
<URL: http://www.openssl.org/news/secadv_20030930.txt >

Just thought I'd drop a line to head off the usual questions. :-)

Don't panic. The vulnerability is denial-of-service.

OpenSSL 0.9.7c will be imported into -CURRENT and -STABLE over the next couple of days, and included in 4.9-RELEASE. Fixes for the security branches will be backported and incorporated over the next week.

Don't expect to see a security advisory until most or all of the commits have been made.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

On September 30, 2003 01:31 pm, Jacques A. Vidrine wrote:
> Don't panic. The vulnerability is denial-of-service.

On September 30, 2003 07:52 am, Chris Wysopal wrote on Vulnwatch:
> Three specific vulnerabilities have been discovered in the OpenSSL
> libraries. Two of these could allow a Denial of Service attack, the third
> may result in an attacker being able to execute malicious code under
> certain conditions.

Please clarify. Conflicting information.

thanks,
--dr

--
Top security experts. Cutting edge tools, techniques and information.
Tokyo, Japan November, 2003 http://www.pacsec.jp
pgpkey http://dragos.com/ kyxpgp