Joshua,

Our security folks are now indicating that the mod_ssl associated with Apache 1.3.28 is the one causing the problems. This was part of a static Apache compile. They are recommending upgrading mod_ssl to 2.8.22. They are also recommending upgrading Apache to 1.3.33. On the Apache 2.0.48 install that we have running, they're recommending upgrading to 2.0.53. And upgrading OpenSSL to 0.9.7f.

I'm a little confused about the alerts here. OpenSSL was used to generate the security certificate, but as I recall, wasn't even part of the Apache 2.0 install. Does that sound correct?

Please verify if there really is a vulnerability with the ssl_log() function which could warrant upgrading all these apps.

Charlie ;)
3/30/05

>>> SmithCW@xxxxxxxxxxxxx 03/25/05 8:04 AM >>>
I didn't. Just wondering. Well, actually we've got some security people here that indicate a problem with the version of mod_ssl we're running. They recommended upgrading mod_ssl, evidently, because of security problems with the mod_ssl that comes with our version of Apache - something about a mod_ssl containing a format string vulnerability in the ssl_log() function which 'may allow an attacker to potentially execute arbitrary code'. So...

>>> jslive@xxxxxxxxx 3/24/2005 7:48:33 PM >>>
On Thu, 24 Mar 2005 12:42:57 -0700, Charlie Smith <SmithCW@xxxxxxxxxxxxx> wrote:
> Thanks Joshua. The instance I wanted to upgrade is actually httpd-2.0.48

Then you are better off just upgrading all of apache. Why do you think you need to upgrade mod_ssl independently?

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

------------------------------------------------------------------------------
This message may contain confidential information, and is intended only for the use of the individual(s) to whom it is addressed.
------------------------------------------------------------------------------