Mailing List Archive: Full Disclosure: Full-Disclosure

OpenSSL Vulnerabilities

 

 


raju at linux-delhi

Aug 1, 2002, 9:09 PM

Post #1 of 5
OpenSSL Vulnerabilities

>>>>> "Tina" == Tina Bird <tbird [at] precision-guesswork> writes:

Tina> The vendors listed in the CERT advisory on the OpenSSL
Tina> vulnerabilities are all producing server-side software:

Tina> http://www.cert.org/advisories/CA-2002-23.html

Tina> Does anyone know if Netscape, Opera, Internet Explorer or
Tina> any of the other browsers are vulnerable to these issues?

Tina> Thanks in advance -- Tina Bird

Here's how I do it [line may wrap]:

for i in /bin/* /usr/bin/* /sbin/* /usr/sbin/* /usr/X11R6/bin/* /usr/local/bin/* ; do if ldd "$i" | egrep 'libssl' > /dev/null ; then echo "$i" ; fi ; done

You could change the list of directories you want to search, or use
the output of a find in the for command. I don't think libcrypto has
issues; if it does, make the argument to egrep
'libcrypto|libssl'.

Regards,

-- Raju
--
Raju Mathur raju [at] kandalaya http://kandalaya.org/
It is the mind that moves


pb at bieringer

Aug 1, 2002, 11:33 PM

Post #2 of 5
Re: OpenSSL Vulnerabilities

--On Friday, August 02, 2002 09:39:12 AM +0530 Raju Mathur
<raju [at] linux-delhi> wrote:

> Tina> Does anyone know if Netscape, Opera, Internet Explorer or
> Tina> any of the other browsers are vulnerable to these issues?
>
> Tina> Thanks in advance -- Tina Bird
>
> Here's how I do it [line may wrap]:
>
> for i in /bin/* /usr/bin/* /sbin/* /usr/sbin/* /usr/X11R6/bin/*
> /usr/local/bin/* ; do if ldd $i | egrep 'libssl' > /dev/null ; then
> echo $i ; fi ; done
>
> You could change the list of directories you want to search, or use
> the output of a find in the for command. I don't think libcrypto
> has issues; if it does, make the argument to egrep
> 'libcrypto|libssl'.

And

# lsof | egrep 'libcrypto|libssl'

or shorter

# lsof | egrep 'libcrypto|libssl' | awk '{ print$1 }' | sort | uniq

gives an overview of which currently running processes must be restarted
after updating the libraries (and calling ldconfig).

Peter


dimitry at al

Aug 5, 2002, 12:31 AM

Post #3 of 5
Re: OpenSSL Vulnerabilities

On Friday 02 August 2002 09:33, Peter Bieringer wrote:
> > Here's how I do it [line may wrap]:
> >
> > for i in /bin/* /usr/bin/* /sbin/* /usr/sbin/* /usr/X11R6/bin/*
> > /usr/local/bin/* ; do if ldd $i | egrep 'libssl' > /dev/null ; then
> > echo $i ; fi ; done
> >
> > You could change the list of directories you want to search, or use
> > the output of a find in the for command. I don't think libcrypto
> > has issues; if it does, make the argument to egrep
> > 'libcrypto|libssl'.
>
> And
>
> # lsof | egrep 'libcrypto|libssl'
>
> or shorter
>
> # lsof | egrep 'libcrypto|libssl' | awk '{ print$1 }' | sort | uniq
>
> gives an overview of which currently running processes must be restarted
> after updating the libraries (and calling ldconfig).

IMHO the general problem is recompiling progs which use OpenSSL statically

--
Dimitry


raju at linux-delhi

Aug 5, 2002, 1:12 AM

Post #4 of 5
Re: OpenSSL Vulnerabilities

>>>>> "Dmitry" == Dmitry Alyabyev <dimitry [at] al> writes:

Dmitry> [.stuff about identifying dynamically linked and running
Dmitry> processes using the openssl libraries snipped]

Dmitry> IMHO the general problem is recompiling progs which use
Dmitry> OpenSSL statically

Are you aware of any such programs?

-- Raju
--
Raju Mathur raju [at] kandalaya http://kandalaya.org/
It is the mind that moves


dimitry at al

Aug 5, 2002, 2:42 AM

Post #5 of 5
Re: OpenSSL Vulnerabilities

On Monday 05 August 2002 11:12, Raju Mathur wrote:
> >>>>> "Dmitry" == Dmitry Alyabyev <dimitry [at] al> writes:
>
> Dmitry> [.stuff about identifying dynamically linked and running
> Dmitry> processes using the openssl libraries snipped]
>
> Dmitry> IMHO the general problem is recompiling progs which use
> Dmitry> OpenSSL statically
>
> Are you aware of any such programs?

At the moment I'm not, but in fact they can be.

--
Dimitry
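
For the statically linked case raised in this thread, which ldd and lsof cannot see, here is an added example that is not from any poster: it looks for an embedded OpenSSL version banner in executables that do not list libssl or libcrypto as shared dependencies. The function names are hypothetical, and the banner format (for example "OpenSSL 0.9.6d 9 May 2002") is an assumption about how the library was built, so a miss does not prove OpenSSL is absent.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: OpenSSL object code carries a version banner such as
# "OpenSSL 0.9.6d 9 May 2002"; a build without it will not be found.
BANNER_RE='OpenSSL [0-9][0-9]*\.[0-9][0-9a-z.]* [0-9][0-9]* [A-Z][a-z][a-z] [0-9][0-9][0-9][0-9]'

# Print the first OpenSSL version banner embedded in file $1, if any.
openssl_banner() {
    LC_ALL=C grep -a -o "$BANNER_RE" "$1" 2>/dev/null | head -n 1
}

# Succeed if ldd lists libssl or libcrypto as a shared dependency of $1
# (the same test the one-liner in the thread performs).
links_openssl_dynamically() {
    ldd "$1" 2>/dev/null | grep -E 'libssl|libcrypto' >/dev/null
}

# Print "dynamic", "static: <banner>" or "none" for file $1.
classify_openssl() {
    if links_openssl_dynamically "$1"; then
        echo "dynamic"
        return 0
    fi
    banner=$(openssl_banner "$1" || true)
    if [ -n "$banner" ]; then
        echo "static: $banner"
    else
        echo "none"
    fi
}

# List executable files under the given directories that embed OpenSSL
# without linking it dynamically: candidates for a rebuild.
scan_static() {
    find "$@" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
        case $(classify_openssl "$f") in
            static:*) printf '%s\n' "$f" ;;
        esac
    done
}

# Run a scan only when directories are passed on the command line.
if [ "$#" -gt 0 ]; then
    scan_static "$@"
fi
```

Each path it prints is a binary that updating the shared libraries will not fix; compare the banner it carries against the fixed release.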
