Koozali.org: home of the SME Server

New openssl vulnerabilities

jahlewis
New openssl vulnerabilities
« on: March 19, 2004, 04:31:28 PM »
Is this applicable to us?

http://www.us-cert.gov/cas/techalerts/TA04-078A.html

Is this our first contribs.org update test? Do we hope that someone will step up to the plate and inform us what we need to update (I have no clue what the dependencies are, etc.)?

I don't see any updated RPMs on fedoralegacy.org. Any idea where else we can find updated RH7.3 RPMs?

smeghead
New openssl vulnerabilities
« Reply #1 on: March 21, 2004, 04:30:57 AM »
Hmm, looks like it might be relevant.

SME 6.0 uses openssl-0.9.6b-35.7 so would be vulnerable based on the stated info.

I would suggest you report it as a bug and get one of the bug team to look into it a little further.

guest22

New openssl vulnerabilities
« Reply #2 on: March 21, 2004, 02:42:42 PM »
Please mail all potential security issues to security@lists.contribs.org.

The above issue has already been received that way.

Thanks,
RequestedDeletion

Anonymous

New openssl vulnerabilities
« Reply #3 on: March 21, 2004, 10:55:57 PM »
Quote from: "guest22"
Please mail all potential security issues to security@lists.contribs.org.

The above issue has already been received that way.

Thanks,
RequestedDeletion


What is this? Sorry RequestedDeletion, but your reply reads like you don't want any discussion of security issues. Is there no public forum for security issues?

Is there someplace here that deals with what is required to keep the current release secure and up to date with or without talking about security issues?

If there is an unsolved security issue there could at least be somewhere to read about it, and to point people to when they miss it.

I could be wrong here, but I thought security was a public issue.

Anonymous

New openssl vulnerabilities
« Reply #4 on: March 22, 2004, 06:15:51 AM »
The above post says to report it as a bug. I think RequestedDeletion is just letting the poster know not to post it as a bug, but to send it to the security email address so it could be dealt with appropriately. Also, I don't think there is anything wrong with a discussion, but that post didn't seem like they wanted to start a discussion on what the issue and/or vulnerabilities were.

Michiel

New openssl vulnerabilities
« Reply #5 on: March 24, 2004, 10:53:27 PM »
Quote from: "smeghead"
SME 6.0 uses openssl-0.9.6b-35.7 so would be vulnerable based on the stated info.


One of the stated vulnerabilities does indeed apply to the openssl package shipped with SME 6.0. The other vulnerabilities apply to later versions :hammer:

The impact of the vulnerability is a DoS attack. Whether a DoS attack is really a threat or merely an annoyance depends on your particular situation, but I don't think we should immediately start upgrading. Before implementing a new package like openssl it must be thoroughly tested for its impact on other applications. I'm planning to test 0.9.7d early next week and would welcome comments from other users.

Michiel

guest22

New openssl vulnerabilities
« Reply #6 on: March 25, 2004, 12:09:14 AM »
Thanks for the feedback and thoughts guys.

The following was intended by my post:
- Post all possible security concerns to security@lists.contribs.org first, before any public announcement. This is common practice, thus giving the 'authors' a chance to prepare and react to any issue.

- All public discussions are welcomed, just not the ones that _could_ possibly endanger other users or could give 'evil' people a 'great potential market' before the authors can react to it.

So we _kindly_ ask you to report _any_ possible security issue to security@lists.contribs.org and give contribs.org a reasonable amount of time to react before 'flames' start or unnecessary discussions start.

Once again, the above issue is under investigation. It's the policy of contribs.org to react ASAP on ANY issue and provide the community with feedback and/or solutions. (And we DO need help with that!)

Thanks,
RequestedDeletion

patrickthickey

good summary of policy
« Reply #7 on: March 25, 2004, 02:32:06 PM »
Thanks for clarifying this issue.

I sense there is a core of developers who have hashed this out and are working within a framework.

What is missing is sharing this framework outside your group. Many of us are not developers, but neither are we Luddites.

Simply explaining how you wish this process to operate goes a long way to assuage us all and imparts perspective.

Thanks for your efforts.

regards,

patrick

Anonymous

New openssl vulnerabilities
« Reply #8 on: March 25, 2004, 10:42:55 PM »
So? Is this something to worry about? Do we need to shut off ssh for a while?

I have been looking for the documentation on what is vulnerable in each version and how to fix it; has anyone seen it?

Is the current release up to date, what about 6.3?

I seem to remember on the old e-smith.com site there was a table with links to the versions and what needed updating or turning off. Anyone remember this?

Anonymous

New openssl vulnerabilities
« Reply #9 on: March 25, 2004, 10:57:16 PM »
This link is from the e-smith.org site. It is broken now but is this what you wanted?

http://www.e-smith.org/faq.php3#8q1

Guest

And yet
« Reply #10 on: March 29, 2004, 01:41:04 AM »
No new kernel, no new OpenSSL patch (hardly child's play) and no secured Apache build.

Really very unimpressive stuff, isn't it?

Thought you guys had a handle on this stuff - wanting to poll us for $99 per server patch subs when you can't even get a basic rpm out isn't that impressive :(

Anonymous

Re: And yet
« Reply #11 on: March 29, 2004, 10:02:47 AM »
Quote from: "Guest"
No new kernel, no new OpenSSL patch (hardly child's play) and no secured Apache build.

Really very unimpressive stuff, isn't it?

Thought you guys had a handle on this stuff - wanting to poll us for $99 per server patch subs when you can't even get a basic rpm out isn't that impressive :(


Considering this is now a community distro - Feel free to roll out the basic rpm.

Anonymous

New openssl vulnerabilities
« Reply #12 on: April 06, 2004, 05:32:54 PM »
Quote from: "Anonymous"
So? Is this something to worry about? Do we need to shut off ssh for a while?


If you can live without ssh, you don't need to worry about a *possible* Denial of Service, do you?