Contributed by jose on from the security-fixes dept.
What happens? Those bugs are not important enough to have an advisory? I know I can get the sources from the CVS and update my 3.3 systems (I do binary updates so I can update systems without resources to compile many things), but I think an official adv is important so you have something to show: 'yeah, I've updated the system due to this'.
I hope it's not related to the system having other problems these days (well, the system as a software bundle)."
They've both been fixed in the 3.2 and 3.3 stable branches (and of course 3.4 and current), so if you have that code you're up to date. No advisories have been issued yet, however. The OpenSSL bug affects mod_ssl in Apache and possibly other SSL tools (including SMTP with TLS and ssldump, available in ports), so you should upgrade that if you're using SSL anywhere. However, the SSL bug does not affect OpenSSH, as it doesn't use any of the affected routines.
Update: The OpenBSD advisory is out now; read on for the contents.
Date: Fri, 03 Oct 2003 16:45:24 -0600
From: Todd C. Miller
To: email@example.com
Subject: DoS bugs in OpenSSL

The use of certain ASN.1 encodings or malformed public keys may allow an attacker to mount a denial of service attack against applications linked with ssl(3). This does not affect OpenSSH.

For full details, please see the OpenSSL advisory:
http://www.openssl.org/news/secadv_20030930.txt

A fix has been committed to the OpenBSD 3.2 and 3.3 -stable branches. Patches are also available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/020_asn1.patch

Patch for OpenBSD 3.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/007_asn1.patch