Re: OpenSSL bufffer overflow
- From: "Simon L. Nielsen" <simon@xxxxxxxxxxx>
- Date: Fri, 5 Oct 2007 18:05:04 +0200
On 2007.10.03 19:49:31 -0400, Mike Tancsa wrote:
At 05:43 PM 9/28/2007, Stefan Esser wrote:
I did not see any commits to the OpenSSL code, recently; is anybody
going to commit the fix?
See http://www.securityfocus.com/archive/1/480855/30/0 for details ...
How serious is this particular issue ? Is it easily exploitable, or
difficult to do ? Are some apps more at risk of exploitation than others ?
e.g. ssh,apache ?
(/me kicks mutt again for not showing new mails in mailboxes...)
Anyway, I don't think it's very likely many people are affected by
this since not many programs call SSL_get_shared_ciphers(). No
application in the base system calls SSL_get_shared_ciphers acording
to grep, other than openssl(1)'s built in ssl client/server.
I also did a quick grep in apache 2.2 (I think it was 2.2) and it
didn't reference the function either, but this was a quick check so if
it matters to anyone, check yourself.
--
Simon L. Nielsen
FreeBSD Security Team
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: OpenSSL bufffer overflow
- From: Mike Tancsa
- Re: OpenSSL bufffer overflow
- References:
- Re: OpenSSL bufffer overflow
- From: Mike Tancsa
- Re: OpenSSL bufffer overflow
- Prev by Date: Re: OpenSSL bufffer overflow
- Next by Date: Re: missing Advisory at ftp.freebsd.org
- Previous by thread: Re: OpenSSL bufffer overflow
- Next by thread: Re: OpenSSL bufffer overflow
- Index(es):
Relevant Pages
|
|
