On Thu, Feb 21, 2008 at 8:58 AM, nitin dubey <nitz_tech@xxxxxxxxx> wrote:
> Hi,
>
> I have downloaded the sources of latest apache 2.2.8 that includes mod_ssl as well. My concern is about the two vulnerabilities (htp://www.securityfocus.com/bid/10736/info, htp://www.securityfocus.com/bid/4189/info). I do not have any information whether or not these two vulnerabilities still exist or have been fixed in the mod_ssl provided with apache sources 2.2.8.
>
> After googling I could find out that these are solved in mod_ssl 2.8.19.
>
> Now to fix this I am thinking/trying the following:
> - Check the version of mod_ssl bundled with apache 228. If this ver is greater than 2.8.19 then these vulnerabilities must have been fixed. I do not know how to determine the version of mod_ssl here.
>
> - Download the mod_ssl latest version from modssl.org and force (since modssl.org does not provide sources for apache 2.x ver; it provides only for apache 1.3.x series) its installation with latest apache 228 ver. Since, mod_ssl version here is not built for apache 2.x series, I may end up creating more problems for myself.
>

Although the mod_ssl that is included in apache 2.x was originally based on the mod_ssl being referred to here, they are now two very different products. So the fact that they list mod_ssl (as distributed by Ralf) as being vulnerable for certain versions does not in any way mean that the mod_ssl included with apache 2 is vulnerable. If securityfocus thought that apache 2 was vulnerable, they would have specifically listed it.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.