* Charlie Smith <smithcw@xxxxxxxxxxxxx> [0359 18:59]:
> Joshua,
> Our security folks are now indicating that the mod_ssl associated with Apache
> 1.3.28 is the one causing the problems. This was part of a static Apache
> compile. They are recommending upgrading mod_ssl to 2.8.22. They are also
> recommending upgrading Apache to 1.3.33.
>
> On the Apache 2.0.48 install that we have running, they're recommending
> upgrading to 2.0.53. And upgrading OpenSSL to 0.9.7f. I'm a little confused
> about the alerts here. OpenSSL was used to generate the security certificate,
> but as I recall, wasn't even part of the Apache 2.0 install. Does that sound
> correct?
>
> Please verify if there really is a vulnerability with the ssl_log() function
> which could warrant upgrading all these apps.

you need to upgrade both apaches, they have holes.
upgrading openssl shouldn't take more than five minutes.

As an aside, if you're putting off security updates because it would be a lot
of work, you need to take some time to look at your setup and find a way to
make it less work.....

I've never had to do more than

    backup server config (/etc/httpd)
    backup server (/usr/local/apache)
    install new binaries
    verify syntax (httpd -t -DSSL -S)
    apachectl restart
    test it

a 30 minute outage window is usually plenty.

Server maintenance is more important than server performance.

-- 
'Everybody's a jerk. You, me, this jerk.' -- Bender
Rasputin :: Jack of All Trades - Master of Nuns

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
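
The upgrade steps listed in the reply above, written as shell functions that refuse to restart when the syntax check fails and put the backup back instead. This is an added example, not part of the original message: `BACKUP_DIR`, `INSTALL_CMD` and the `bin/` locations of `httpd` and `apachectl` are assumptions, while the two directories and the `httpd -t -DSSL -S` check come from the post. The final "test it" step stays with the operator.

```shell
#!/bin/sh
# Added example, not from the original thread. The two directories and the
# "httpd -t -DSSL -S" check come from the post; everything else is assumed.
CONF_DIR="${CONF_DIR:-/etc/httpd}"
SERVER_ROOT="${SERVER_ROOT:-/usr/local/apache}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/apache}"      # assumed location
HTTPD="${HTTPD:-$SERVER_ROOT/bin/httpd}"             # assumed location
APACHECTL="${APACHECTL:-$SERVER_ROOT/bin/apachectl}" # assumed location
INSTALL_CMD="${INSTALL_CMD:-}"  # site specific, e.g. "make install" in the build tree

# Steps 1-2: archive config and server tree, print the backup directory.
backup_apache() {
    dest="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" &&
    tar -cf "$dest/conf.tar" -C "$(dirname "$CONF_DIR")" "$(basename "$CONF_DIR")" &&
    tar -cf "$dest/server.tar" -C "$(dirname "$SERVER_ROOT")" "$(basename "$SERVER_ROOT")" &&
    echo "$dest"
}

# Unpack a backup over both trees (files the install added are not removed).
restore_apache() {
    tar -xf "$1/conf.tar" -C "$(dirname "$CONF_DIR")" &&
    tar -xf "$1/server.tar" -C "$(dirname "$SERVER_ROOT")"
}

# Steps 3-5: install, verify syntax, restart. Returns 0 only after a restart;
# 1 = nothing changed, 2 = install failed, 3 = config test failed (2 and 3
# restore the backup and leave the running server alone).
upgrade_apache() {
    [ -n "$INSTALL_CMD" ] || { echo "INSTALL_CMD not set" >&2; return 1; }
    backup=$(backup_apache) || { echo "backup failed" >&2; return 1; }
    if ! sh -c "$INSTALL_CMD"; then
        echo "install failed, restoring $backup" >&2
        restore_apache "$backup"
        return 2
    fi
    if ! "$HTTPD" -t -DSSL -S >/dev/null 2>&1; then
        echo "config test failed, restoring $backup" >&2
        restore_apache "$backup"
        return 3
    fi
    "$APACHECTL" restart
}
```

Run it as `INSTALL_CMD='...' upgrade_apache` from a shell that has sourced the file; a non-zero return means the old server process was never restarted.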