From owner-freebsd-security@FreeBSD.ORG Sat Oct 4 08:23:08 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B1C7D16A4B3 for ; Sat, 4 Oct 2003 08:23:08 -0700 (PDT) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B6A043FE1 for ; Sat, 4 Oct 2003 08:23:07 -0700 (PDT) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from localhost (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id D1FC51FF922 for ; Sat, 4 Oct 2003 17:23:04 +0200 (CEST) Received: by transport.cksoft.de (Postfix, from userid 66) id A9E7C1FF91E; Sat, 4 Oct 2003 17:23:03 +0200 (CEST) Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id 5B78F155A7; Sat, 4 Oct 2003 15:22:41 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id 514AC153E9 for ; Sat, 4 Oct 2003 15:22:42 +0000 (UTC) Date: Sat, 4 Oct 2003 15:22:42 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net To: freebsd-security@freebsd.org In-Reply-To: <200310032249.h93MnXS8047857@freefall.freebsd.org> Message-ID: References: <200310032249.h93MnXS8047857@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS snapshot-20020300 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:18.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Oct 2003 15:23:08 -0000 On Fri, 3 Oct 2003, FreeBSD Security Advisories wrote: Hi, thanks for previous help/clarification that only the libs need rebuilding. > III. Impact > > A remote attacker may create a malicious ASN.1 encoded message that > will cause an OpenSSL-using application to crash, or even perhaps > execute arbitrary code with the privileges of the application. > > Only applications that use OpenSSL's ASN.1 or X.509 handling code > are affected. Applications that use other portions of OpenSSL > are unaffected (e.g. Apache+mod_ssl is affected, while OpenSSH is > unaffected). Another question: can someone please confirm that mod_ssl.so from apache 2.0.47 port is _not_ affected ? I have rebuilt libssl, libcrypto and installed them (they all differ from the old libs after make install) and done a rebuild of mod_ssl. But the new mod_ssl.so doesn't differ from the one built late August: [ports]apache2/work/httpd-2.0.47/modules/ssl/.libs> md5 mod_ssl.so MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457 /usr/local/libexec/apache2> md5 mod_ssl.so MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457 Also diff does not say that the binary files would differ. Thanks in advance. -- Greetings Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/