FreeBSD Security Advisory FreeBSD-SA-03:18.openssl
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Sat Oct 4 08:23:08 PDT 2003
On Fri, 3 Oct 2003, FreeBSD Security Advisories wrote:
Hi,
thanks for previous help/clarification that only the libs need
rebuilding.
> III. Impact
>
> A remote attacker may create a malicious ASN.1 encoded message that
> will cause an OpenSSL-using application to crash, or even perhaps
> execute arbitrary code with the privileges of the application.
>
> Only applications that use OpenSSL's ASN.1 or X.509 handling code
> are affected. Applications that use other portions of OpenSSL
> are unaffected (e.g. Apache+mod_ssl is affected, while OpenSSH is
> unaffected).
Another question: can someone please confirm that mod_ssl.so from
apache 2.0.47 port is _not_ affected ?
I have rebuilt libssl, libcrypto and installed them (they all differ
from the old libs after make install) and done a rebuild of
mod_ssl. But the new mod_ssl.so doesn't differ from the one
built late August:
[ports]apache2/work/httpd-2.0.47/modules/ssl/.libs> md5 mod_ssl.so
MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457
/usr/local/libexec/apache2> md5 mod_ssl.so
MD5 (mod_ssl.so) = a4e31cf6e4aff5ca91f164d57eb68457
Also diff does not say that the binary files would differ.
Thanks in advance.
--
Greetings
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/
More information about the freebsd-security
mailing list