Confusion about versions
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/28/03
- Previous message: Jeff Moss: "Black Hat Announcements"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Jan 2003 11:28:00 -0500 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Robert Chin wrote;
"I'm confused about the version of the ssnetlib.dll file. In Eric post,
it's indicated that the version of this dll file should be 2000.80.636.0
or later to be considered patched. And in Microsoft's re-released patch
for MS02-061, it indicates that one may need to install Q317748 after
the installation of MS02-061. The ssnetlib.dll file version under the
MS02-061 patch is: 2000.80.679.0. However, the same file under Q317748,
is: 2000.80.568.0. Any clarification on this is highly appreciated."
1. MS02-039 was the first Security Bulletin hotfix for SQL which
addressed the vulnerability Slammer exploits. The affected file was
ssnetlib.dll, and the first corrected version was 2000.080.0636.00. That
was released at the end of June 2002.
2. MS02-043 was released in August 2002, and it contained the same
ssnetlib.dll as MS02-039.
3. MS02-056 came along in October 2002, and it contained an ssnetlib.dll
versioned 2000.080.0679.00.
4. Q317748 was a SQL hotfix that was not a security bulletin. It
addressed a handle leak that was introduced with SQL SP2. It was
released in October 2002. I have had reports from people who have been
running many SQL servers without that patch and have never encountered a
problem. The specifics of the handle leak are such that it does not
affect many installations.
Unfortunately, Q317748 has a problem. Despite being released 3 months
after the first SQL patch that corrected the vulnerability Slammer
exploits, it contained the wrong version of ssnetlib.dll. Q317748
contained 2000.080.0568.00.
So if you had applied MS02-039, or MS02-043, or MS02-056 before Q317748
came along, and then applied Q317748, you may have downgraded your
ssnetlib.dll to a version that did not address Slammer. When you run
Q317748 on a system that had an updated ssnetlib.dll, you would have
been prompted that the file you were replacing was newer than the
replacement (if you weren't doing this in unattended mode). If you said
don't replace, you'd be fine, otherwise, you regressed.
5. MS02-061 came along later in October 2002. It *did* contain the
MS02-056 version of ssnetlib.dll, a version which addressed Slammer.
Unfortunately, it did not include the ssmslpcn.dll from Q317748.
6. SQL/MSDE SP3 came along January 2003. It contains updates for
ssnetlib.dll and ssmslpcn.dll, both version 2000.080.0760.00.
7. MS02-061 was re-released January 26th, 2003. The only change to it
was that the ssmslpcn.dll from Q317748 (v2000.080.0568.00) was added to
the previously released patch, and a script was wrapped around it to
make it easier to install. As a result, MS02-061 now contains both the
handle leak patch, and the Slammer patch, in one pre-SP3 package.
Hope that makes it as clear as it can be.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time
Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
- Next message: Russ: "Revised: Microsoft Security Bulletin - MS02-070"
- Previous message: Jeff Moss: "Black Hat Announcements"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
