Date: Sat, 4 Oct 2003 15:22:42 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl Message-ID: <Pine.BSF.4.53.0310041506140.60080@e0-0.zab2.int.zabbadoz.net> In-Reply-To: <200310032249.h93MnXS8047857@freefall.freebsd.org> References: <200310032249.h93MnXS8047857@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 3 Oct 2003, FreeBSD Security Advisories wrote: Hi, thanks for previous help/clarification that only the libs need rebuilding. > III. Impact > > A remote attacker may create a malicious ASN.1 encoded message that > will cause an OpenSSL-using application to crash, or even perhaps > execute arbitrary code with the privileges of the application. > > Only applications that use OpenSSL's ASN.1 or X.509 handling code > are affected. Applications that use other portions of OpenSSL > are unaffected (e.g. Apache+mod_ssl is affected, while OpenSSH is > unaffected). Another question: can someone please confirm that mod_ssl.so from apache 2.0.47 port is _not_ affected ? I have rebuilt libssl, libcrypto and installed them (they all differ from the old libs after make install) and done a rebuild of mod_ssl. But the new mod_ssl.so doesn't differ from the one built late August: [ports]apache2/work/httpd-2.0.47/modules/ssl/.libs> md5 mod_ssl.so MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457 /usr/local/libexec/apache2> md5 mod_ssl.so MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457 Also diff does not say that the binary files would differ. Thanks in advance. -- Greetings Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.53.0310041506140.60080>