On 14 Apr 2014, at 00:34, John Iliffe wrote: > Here I am assuming that you are not using the O/S supplied OpenSSL version > and that you are either updating Apache or don't have OpenSSL linked > dynamically. Aren't those assumptions alone sufficiently unusual (even idiosyncratic) to take you beyond the scope of what Apache docs might reasonably be expected to cover? For the regular user, you would just replace your vulnerable openssl version in-situ. If it was O/S-supplied then use the relevant package manager; if it's your own build then upgrade that. Either way, apache is unaffected unless you did rather more than just replace a bleeding heart OpenSSL version with a newly-patched one. Probably the most useful advice in your post, for those who might have vulnerable OpenSSL versions floating around, is how to check: > Start Apache (apachectl -k start) and HTTPD should come up. Now do: > > head /path to logfiles/error_log > > and check that the start message shows that the correct version of OpenSSL > started. It is shown on the first line of the new log, just ahead of the > command line for the starting httpd. I guess a note to that effect in our docs could indeed benefit the worried. Where do you think would be a good place for such a note? -- Nick Kew --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|