Subject: what is the threat of the openssl advisory?
To: None <firstname.lastname@example.org>
From: George Georgalis <email@example.com>
Date: 09/28/2006 19:19:47
There was an openssl advisory today
my primary concern is
A buffer overflow was discovered in the SSL_get_shared_ciphers()
utility function. An attacker could send a list of ciphers to an
application that uses this function and overrun a buffer
there is no comment on if an exploit is known to exist or how
difficult (or easy) it would be to create one based on the patch.
In fact the netbsd openssl looks pretty different than freebsd
in the context of applying the patch. Can we determine a level
of risk? Are all ssl, openvpn, ssh, https, etc servers needing
access restricted to friendly IPs or is the threat just one bit
inside "astronomically possible?" -- I cannot tell.
George Georgalis, systems architect, administrator <IXOYE><