Re: OpenSSL bufffer overflow

看板FB_security作者時間18年前 (2007/10/06 00:14), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串5/7 (看更多)
At 12:05 PM 10/5/2007, Simon L. Nielsen wrote: >On 2007.10.03 19:49:31 -0400, Mike Tancsa wrote: > > At 05:43 PM 9/28/2007, Stefan Esser wrote: > >> I did not see any commits to the OpenSSL code, recently; is anybody > >> going to commit the fix? > >> > >> See http://www.securityfocus.com/archive/1/480855/30/0 for details ... > > > > How serious is this particular issue ? Is it easily exploitable, or > > difficult to do ? Are some apps more at risk of exploitation > than others ? > > e.g. ssh,apache ? > >(/me kicks mutt again for not showing new mails in mailboxes...) > >Anyway, I don't think it's very likely many people are affected by >this since not many programs call SSL_get_shared_ciphers(). No >application in the base system calls SSL_get_shared_ciphers acording >to grep, other than openssl(1)'s built in ssl client/server. > >I also did a quick grep in apache 2.2 (I think it was 2.2) and it >didn't reference the function either, but this was a quick check so if >it matters to anyone, check yourself. Thanks! I did the same grep, but wasnt sure whether or not that particular function (SSL_get_shared_ciphers) got called by another function in OpenSSL which was originally called by some of the big apps like sendmail,apache and sshd ---Mike _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
更多 mike. 的文章
文章代碼(AID): #171cBW00 (FB_security)
更多 mike. 的文章
文章代碼(AID): #171cBW00 (FB_security)