Tue, Sep 05, 2006 12:01 pm

OpenSSL Vulnerabilities up to Version 0.9.7c

OpenSSL is an Open Source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols and provides a full-strength general purpose cryptography library. Versions of OpenSSL prior to 0.9.6k and 0.9.7c are vulnerable to Denial of Service (DoS) attacks or could theoretically allow remote execution of arbitrary code.

OpenSSL version       Applicable advisories       Effect
0.9.6d and earlier    30-Jul-2002                 Practical to run arbitrary code remotely
0.9.6e-h and 0.9.7    19-Feb-2003                 Practical (LAN) attack to recover frequently repeated plaintext such as passwords
0.9.6i and 0.9.7a     17-Mar-2003, 19-Mar-2003    Practical (LAN) attacks to obtain or use secret key
0.9.6j and 0.9.7b     30-Sep-2003                 Denial of Service, and theoretically possible to run arbitrary code remotely
0.9.6k and 0.9.7c     (none)                      Clean at present

Some attacks may not be feasible except from systems on the same LAN as the attacked system, since a very fast connection between the attacker and target may be needed to make the attack practicable. However, if a webserver is in a datacenter with perhaps dozens or even hundreds of other systems, a compromised system within that datacenter could be used by an attacker to exploit these vulnerabilities on other servers in the same datacenter.

If you need to determine which version of OpenSSL you are running, you can use the command openssl version. You may need to specify the full path to the command if it isn't in your default path. For a Solaris 10 system, you can use the following path:

# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004

For Solaris 7, use /usr/local/ssl/bin/openssl version.
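To apply the table above mechanically, the following POSIX sh script (an added example, not part of the original post) parses the banner that openssl version prints and reports whether that release is clean, which advisories still apply to it, or that it belongs to a branch the table does not cover. The version thresholds and advisory dates are the table's own; the banner strings used for testing are constructed, and the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: classify the banner printed by
# "openssl version" against the advisory table above.  Prints "clean",
# "unknown" (a branch the table does not cover, e.g. 0.9.8 or 1.x) or
# "vulnerable:" followed by the advisory dates that still apply.

# Advisory rows per branch as ceiling:date pairs.  The table lists the last
# release each advisory applied to, so a release is affected by a row when
# it is not newer than that row's ceiling.
ROWS_6="0.9.6d:30-Jul-2002 0.9.6h:19-Feb-2003 0.9.6i:17-Mar-2003,19-Mar-2003 0.9.6j:30-Sep-2003"
ROWS_7="0.9.7:19-Feb-2003 0.9.7a:17-Mar-2003,19-Mar-2003 0.9.7b:30-Sep-2003"

# Turn "0.9.7d" into a fixed-width key ("000.009.007.d") so that a plain
# string comparison orders releases correctly, letter suffix included.
ssl_key() {
    printf '%s\n' "$1" | awk -F. '{
        num = $3; sub(/[a-z]+$/, "", num)   # "7d" -> 7
        let = $3; sub(/^[0-9]+/, "", let)   # "7d" -> d
        printf "%03d.%03d.%03d.%s\n", $1, $2, num, let
    }'
}

# True when key $1 sorts before key $2 (expr string comparison, C collation).
key_lt() { LC_ALL=C expr "$1" \< "$2" >/dev/null; }

openssl_status() {
    # The version is the second field of "OpenSSL 0.9.7d 17 Mar 2004".
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    key=$(ssl_key "$ver")
    case "$ver" in
        0.9.6*) rows="$ROWS_6" ;;
        0.9.7*) rows="$ROWS_7" ;;
        *)  if key_lt "$key" "$(ssl_key 0.9.6)"; then
                rows="$ROWS_6"      # older than 0.9.6: every row applies
            else
                echo unknown; return 0
            fi ;;
    esac
    hits=""
    for row in $rows; do
        ceiling=${row%%:*}; date=${row#*:}
        if ! key_lt "$(ssl_key "$ceiling")" "$key"; then
            hits="$hits $date"
        fi
    done
    if [ -z "$hits" ]; then echo clean; else echo "vulnerable:$hits"; fi
}

# On a live system:  openssl_status "$(/usr/sfw/bin/openssl version)"
```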



Tue, Sep 05, 2006 7:44 am

Showrev Command

The showrev command displays revision information for the current hardware and software of a system running the Solaris operating system. With no arguments, showrev shows the system revision information including hostname, hostid, release, kernel architecture, application architecture, hardware provider, domain, and kernel version.

Example for a Sun Sparc system running Solaris 7:


bash-2.03$ showrev
Hostname: pluto
Hostid: 80b11bbd
Release: 5.7
Kernel architecture: sun4u
Application architecture: sparc
Hardware provider: Sun_Microsystems
Domain:
Kernel version: SunOS 5.7 Generic 106541-39 Jan 2005

Example for an Intel-based PC running Solaris 10:


-bash-3.00$ showrev
Hostname: saturn
Hostid: 15db9095
Release: 5.10
Kernel architecture: i86pc
Application architecture: i386
Hardware provider:
Domain:
Kernel version: SunOS 5.10 Generic

If you use the -c option with a command name, showrev shows the PATH and LD_LIBRARY_PATH and finds all the directories within the PATH that contain that command. For each file found, its file type, revision, permissions, library information, and checksum are printed as well.


-bash-3.00$ showrev -c /usr/local/bin/mboxgrep

PATH is:
/usr/bin:/usr/ucb:/etc:.

PWD is:
/home/jsmith

LD_LIBRARY_PATH is not set in the current environment
________________________________________________________________________

File: /usr/local/bin/mboxgrep
=============================
File type: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
Command version: GNU C crt1.s

GNU C crti.s

    SunOS 5.10 Generic January 2005

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GCC: (GNU) 3.4.2

GNU C crtn.o
ld: Software Generation Utilities - Solaris Link Editors: 5.10-1.477
File mode: rwxr-xr-x
User owning file: root
Group owning file: root
Library information:
        libbz2.so.1 =>   /usr/lib/libbz2.so.1
        libz.so.1 =>     /usr/lib/libz.so.1
        libpcre.so.0 =>  (file not found)
        libc.so.1 =>     /lib/libc.so.1
        libm.so.2 =>     /lib/libm.so.2
Sum: 28300
________________________________________________________________________

The -p option will show patch information.


-bash-3.00$ showrev -p
Patch: 116299-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxsrt, SUNWjaxp, SUNWxrgrt, SUNWxrpcrt
Patch: 116303-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxrpcrt

The -a option prints all available revision information, including Window system and patch information.


-bash-3.00$ showrev -a
Hostname: saturn
Hostid: 15db9095
Release: 5.10
Kernel architecture: i86pc
Application architecture: i386
Hardware provider:
Domain:
Kernel version: SunOS 5.10 Generic

OpenWindows version:
Solaris X11 Version 6.6.2 15 December 2004

Patch: 116299-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxsrt, SUNWjaxp, SUNWxrgrt, SUNWxrpcrt
Patch: 116303-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxrpcrt

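A patch-level check built on the showrev -p output format shown above, as an added example that is not part of the original post: it takes the command's output as text (a constructed two-line sample is embedded), finds the highest installed revision of a patch base id, and compares it with a required revision. The helper names installed_rev and patch_ok are mine, not Solaris commands.

```shell
#!/bin/sh
# Added example, not from the original post: check "showrev -p" output for a
# patch at or above a required revision.  Solaris patch ids are <base>-<rev>;
# a higher revision of the same base supersedes the lower ones.  Patches that
# merely obsolete the one asked about (the Obsoletes: field) are not counted.

# Constructed sample in the same format as the showrev -p output above.
SAMPLE='Patch: 116299-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxsrt, SUNWjaxp, SUNWxrgrt, SUNWxrpcrt
Patch: 116303-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxrpcrt'

# installed_rev <showrev -p text> <base>
# Prints the highest installed revision of patch <base>, or nothing if absent.
installed_rev() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" {
            split($2, p, "-")                 # "116299-08" -> 116299, 08
            if (p[1] == base && p[2] + 0 > best) best = p[2] + 0
        }
        END { if (best) print best }'
}

# patch_ok <showrev -p text> <base> <minrev>
# Prints "ok", "outdated:<rev>" when only an older revision is installed,
# or "missing" when no revision of <base> is present.
patch_ok() {
    rev=$(installed_rev "$1" "$2")
    if [ -z "$rev" ]; then
        echo missing
    elif [ "$rev" -ge "$3" ]; then
        echo ok
    else
        echo "outdated:$rev"
    fi
}

# Typical use on a live Solaris system:  patch_ok "$(showrev -p)" 116299 8
```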
