Skip to the Main Content

Note:These pages make extensive use of the latest XHTML and CSS Standards. They ought to look great in any standards-compliant modern browser. Unfortunately, they will probably look horrible in older browsers, like Netscape 4.x and IE 4.x. Moreover, many posts use MathML, which is, currently only supported in Mozilla. My best suggestion (and you will thank me when surfing an ever-increasing number of sites on the web which have been crafted to use the new standards) is to upgrade to the latest version of your browser. If that's not possible, consider moving to the Standards-compliant and open-source Mozilla browser.

October 1, 2003

OpenSSL Vulnerability or Opportunity?

On the sidebar of my blog, you can read the latest CERT Advisory. This time, it’s OpenSSL that’s vulnerable. You can download the source to the new version (either 0.9.6k or 0.9.7c) from there. If you use fink, you can update that way.

If you’re hoping for an official Apple patch, the Advisory helpfully states:

Apple: Vulnerable. This is fixed in MacOSX 10.2.8 which is available from

If you follow that link, you’ll find that 10.2.8 is currently unavailable. And if you happened to have previously downloaded the 10.2.8 update to fix vulnerabilities in Sendmail and OpenSSH, you might be deluded into thinking it covers this vulnerability as well. Of course, it does not, as the 10.2.8 update (the “old” one, not “new” one, which hasn’t appeared yet) was yanked from the Apple web site long before the release of the new OpenSSL.

And if you didn’t download that update while it was fleetingly available, you are out-of-luck fixing those other vulnerabilities, unless you’re willing to compile your own. Why can’t Apple do a better job of putting out security updates in a timely fashion? Probably because they desperately need to hire someone. Oh, wait. That’s what they’re trying to do (click on Search, and enter the Job ID: 2025671).

Posted by distler at October 1, 2003 11:14 PM

TrackBack URL for this Entry:

3 Comments & 0 Trackbacks

Re: OpenSSL Vulnerability or Opportunity?

I managed to get 10.2.8, even though I downloaded it after it was supposedly pulled. Don’t ask me how—it just happened;

Here’s what the old 10.2.8 reports:

% openssl version
OpenSSL 0.9.6i Feb 19 2003

According to the advisories, this is a vulnerable version of OpenSSL.

Posted by: Scott Johnson on October 2, 2003 1:04 AM | Permalink | Reply to this

Re: OpenSSL Vulnerability or Opportunity?

The link to Apple jobs doesn’t link to any specific job, just their jobs home.

Posted by: Matt on October 2, 2003 8:46 AM | Permalink | Reply to this

broken link

F%$# WebObjects!

Click on Search, and enter the Job ID: 2025671.

Posted by: Jacques Distler on October 2, 2003 8:53 AM | Permalink | Reply to this

Post a New Comment