Subject: OpenSSL incident tracking...
To: None <tech-security@netbsd.org>
From: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
List: tech-security
Date: 08/02/2002 16:18:46
Same old story with "security? who cares?!" that I had criticized
some time ago here...


Just read the timestamps.



### Announcements:

Date: Tue, 30 Jul 2002 13:53:04 +0200
To: ..., cryptography@wasabisystems.com, ...
Subject: Announcement: OpenSSL 0.9.6e (Security related upgrade)


Date: Tue, 30 Jul 2002 13:45:39 -0400
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSS



### Debian GNU/Linux patch package available
### within less than one hour

Date: Tue, 30 Jul 2002 14:47:05 +0200
From: Wichert Akkerman <wichert@wiggy.net>
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
...
Obtaining updates:
With apt:
      deb http://security.debian.org/ stable/updates main
          added to /etc/apt/sources.list will provide security updates

### OpenBSD

013: SECURITY FIX: July 30, 2002
Several remote buffer overflows can occur in the SSL2 server and SSL3 
client of the ssl(8) library, as in the ASN.1 parser code in the 
crypto(3) library, all of them being potentially remotely exploitable.
A source code patch exists which remedies the problem. 
<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/013_ssl.patch>

### FreeBSD

FreeBSD-SA-02:33.openssl
Announced:      2002-07-31
Corrected:      2002-07-30 22:04:59 UTC (RELENG_4)
                 2002-07-31 02:54:36 UTC (RELENG_4_6)
                 2002-07-31 14:04:45 UTC (RELENG_4_5)
                 2002-07-31 16:40:30 UTC (RELENG_4_4)


### ...but NetBSD?

Date: Fri, 2 Aug 2002 09:59:10 -0400
From: NetBSD Security Officer <security-officer@netbsd.org>
To: netbsd-announce@netbsd.org
Subject: NetBSD Security Advisory 2002-009: Multiple vulnerabilities in OpenSSL code





In other words: the essential library that takes control over vital 
applications such as OpenSSH or Apache-SSL/Apache+mod_ssl can be broken for 
circa 4 days, because who cares about the business. NetBSD is just a 
playground of geeks somewhere in CPU laboratories.