Re: VMware GSX Server 2.0.1 Release and Security Alert

• Previous message: Askgaard, Kim: "Re: SECURITY.NNOV: Windows 2000 system partition weak default permissions"
• In reply to: DONALD.MULLER@JPMCHASE.COM: "VMware GSX Server 2.0.1 Release and Security Alert"
• Next in thread: Jim Henderson: "Re: VMware GSX Server 2.0.1 Release and Security Alert"
• Reply: Jim Henderson: "Re: VMware GSX Server 2.0.1 Release and Security Alert"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Tue, 6 Aug 2002 08:17:23 EDT
From: Jeffrey Altman <jaltman@COLUMBIA.EDU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I sure hope they did not simply replace a previous version of OpenSSL
with 0.9.6e. 0.9.6e changes the attack from

 I can execute code if I do it right

to

 I can bring down your server if I do anything at all

This is because the fix for 0.9.6e simply adds an assertion and a call
to abort() at each place that was vulnerable. Correctly implemented
patches have been written and submitted into the current snapshots. A
release date for 0.9.6f has not been announced yet.

>
> What is new in VMware GSX Server 2.0.1?
> ---------------------------------------
>
> VMware GSX Server 2.0.1 includes:
>
> - An updated version of OpenSSL with fixes for the buffer
> overflow vulnerabilities reported in CERT Advisory CA-2002-23
> (http://www.cert.org/advisories/CA-2002-23.html). This
> vulnerability exists in the Windows and Linux versions of GSX
> Server 2.0.0 build 2050.

 Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/ Secured with MIT Kerberos, SRP, and
 kermit-support@columbia.edu OpenSSL.

• Previous message: Askgaard, Kim: "Re: SECURITY.NNOV: Windows 2000 system partition weak default permissions"
• In reply to: DONALD.MULLER@JPMCHASE.COM: "VMware GSX Server 2.0.1 Release and Security Alert"
• Next in thread: Jim Henderson: "Re: VMware GSX Server 2.0.1 Release and Security Alert"
• Reply: Jim Henderson: "Re: VMware GSX Server 2.0.1 Release and Security Alert"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [Full-Disclosure] CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations (fwd) ... CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS ... OpenSSL also provides a general-purpose cryptographic ... that a client certificate message "...is only sent if the server ... (Full-Disclosure) CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations ... CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS ... OpenSSL also provides a general-purpose cryptographic ... that a client certificate message "...is only sent if the server ... (Cert) CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations ... CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS ... OpenSSL also provides a general-purpose cryptographic ... that a client certificate message "...is only sent if the server ... (Cert) [CLA-2003:751] Conectiva Security Announcement - openssl ... SUMMARY: Remote vulnerabilities ... in the OpenSSL implementation: ... It is recommended that all users upgrade their openssl packages. ... Detailed instructions reagarding the use of apt and upgrade examples ... (Bugtraq) [OpenSSL Advisory] Vulnerabilities in ASN.1 parsing ... OpenSSL Security Advisory ... identified and prepared fixes for a number of vulnerabilities in the ... A bug in OpenSSLs SSL/TLS protocol was also identified which causes ... OpenSSL to parse a client certificate from an SSL/TLS client when it ... (Bugtraq)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint