If you look in http://download.fedora.redhat.com for the "update" directory for FC3, you will not see a version HIGHER than 0.9.7a; what you will see is the version that doesn't have the problem, and that version is 0.9.6b.
http://www.securityspace.com/smysecu....html?id=51126
http://www.remoteassessment.com/?op=...e&vulnid=12704
http://www.linuxsecurity.com/content/view/105849/110/
What's really strange about this issue is the fact that the alert came from RedHat over one year ago today, and the problem is RedHat O/S releases. Those versions of RH were and still are:
Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
The OpenSSL version from RH is also the same revision that RedHat put in their Fedora Project, Core 3 release. The alert goes on to state that RH users should run up2date immediately, as this is a critical flaw and will allow servers and clients to be hacked, with sensitive data stolen as a possible end result scenario. This affects all applications that use OpenSSL.
There should be a notice on the FC3 ISO download web page IMHO.....
Quote:
Test ID: 51126
Category: Red Hat Local Security Checks
Title: RedHat Security Advisory RHSA-2004:120
Summary: Redhat Security Advisory RHSA-2004:120
Description: The remote host is missing updates announced in advisory RHSA-2004:120.
The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3), Transport Layer Security (TLS v1) protocols, and serves as a full-strength general purpose cryptography library.
Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function in OpenSSL 0.9.6c-0.9.6k and 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue.......
For the rest of the article click this link >
http://rhn.redhat.com/errata/RHSA-2004-120.html
One less now with this post for the 0 reply list >
http://www.linuxquestions.org/questi...n=norepliesall
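The quoted advisory names two affected OpenSSL ranges, 0.9.6c-0.9.6k and 0.9.7a-0.9.7c, and the confusion in the post comes from comparing letter-suffixed release strings by eye. The following is an added example, not code from the post or from Red Hat, that parses OpenSSL's "major.minor.fix[letter]" release strings and checks an inventory of hosts against those ranges. The inventory, the `openssl version` banner and the function names are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in RHSA-2004:120 / CAN-2004-0079.
AFFECTED_RANGES = [("0.9.6c", "0.9.6k"), ("0.9.7a", "0.9.7c")]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(version):
    """Turn an OpenSSL release string such as '0.9.7a' into a sortable tuple.

    The trailing letters are OpenSSL's patch-release marker: '0.9.6' precedes
    '0.9.6a', which precedes '0.9.6b', and so on. Python's tuple comparison
    orders the numeric parts first and the letter suffix last, and plain string
    comparison handles the empty suffix ('' < 'a') and later double-letter
    suffixes ('z' < 'za' < 'zb') correctly.
    """
    m = _RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if `version` falls inside any inclusive (low, high) range."""
    v = parse_openssl_version(version)
    return any(parse_openssl_version(lo) <= v <= parse_openssl_version(hi)
               for lo, hi in ranges)


def version_from_openssl_output(output):
    """Pull the release string out of the first line printed by `openssl version`,
    e.g. 'OpenSSL 0.9.7a Feb 19 2003' -> '0.9.7a' (sample banner, constructed)."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", output)
    if not m:
        raise ValueError(f"no OpenSSL version found in: {output!r}")
    return m.group(1)


def affected_hosts(inventory, ranges=AFFECTED_RANGES):
    """inventory: iterable of (hostname, release string) pairs.
    Returns the hostnames whose library version is inside an affected range."""
    return [host for host, ver in inventory if is_affected(ver, ranges)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fc3-web", "0.9.7a"),     # inside 0.9.7a-0.9.7c
    ("old-mail", "0.9.6b"),    # one release before the affected 0.9.6 range
    ("rhel3-db", "0.9.7c"),    # upper bound of the 0.9.7 range, still affected
    ("updated-web", "0.9.7d"), # first release past the range
    ("legacy-ftp", "0.9.6k"),  # upper bound of the 0.9.6 range
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: OpenSSL in affected range, apply RHSA-2004:120")
```

One caveat for anyone doing this on Red Hat or Fedora systems: the vendor backports fixes without bumping the upstream version, so a patched package can still report `0.9.7a` in `openssl version`. The version string is a quick first screen; the package release recorded by the package manager (or the advisory's own check, as in the quoted test) is what decides whether the fix is installed.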