Re: Apache failing to start after upgrade.


 



----- Original Message -----
From: Eric Kingston <ericnk@xxxxxxxxxx>
Date: Fri, 12 Nov 2010 08:55:07 -0700
Subject:  Apache failing to start after upgrade.
To: users@xxxxxxxxxxxxxxxx


Hi,

I'm hoping someone here can help.  Our web server was recently scanned by a
security company to make sure we are PCI compliant.  They found two
vulnerabilities, both related to the version of apache and openssl installed
on our server.  In order to bring the server up to PCI compliance we had to

This is not an answer to your problem (I don't have any experience yet with OpenSSL 1.0), but something to note. Many "security" companies that scan web servers just blindly run some default scan that tries to check software versions from a list of versions with known vulnerabilities. If you are running the software from a package (such as a .deb or .rpm), most vendors will release back patches to older versions that fix security flaws in the software. For example, the Debian Stable branch (Lenny) will not supply the latest version of apache or openssl, because it came with a specific version when it was frozen as stable (in this case Apache 2.2.9 and OpenSSL 0.9.8g). Does this mean you are vulnerable to every security bug that was fixed in subsequent releases? Absolutely not. Debian will release updates via their security update mirrors that back patch many of those bug fixes (if not all of them). This holds true for any Linux system that uses this model, such as RedHat EL. Many "security" companies don't understand this and only go by "My security scanning software says you're vulnerable, so you need to upgrade".

The better thing to find out from them is more specifically which CVE their scan is complaining about so you can determine whether that had already been patched in your version. Now, since you are running FreeBSD, I'm not sure if they always just offer the latest source code through ports and you are responsible for making sure you are running the latest version or they have "locked down" versions with security updates available. From that standpoint, I can't offer any first hand experience (it seems like you've already done the basic checks like verifying apache is linked to the correct OpenSSL module).

Good luck.

--
Justin Pasher
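
The check the reply recommends (get the CVE identifier from the scanner, then see whether the distribution already backported the fix into the package you have) can be scripted against the package's changelog. The block below is an added example, not code from the original thread or from any distribution: it parses Debian-style changelog stanzas ("package (version) distribution; urgency=...") and reports the version in which a given CVE was mentioned. The changelog excerpt it runs on is constructed for the example (the version strings and maintainer are made up; CVE-2009-3555, the TLS renegotiation flaw, is a real identifier). On a live system you would pipe `apt-get changelog openssl` or `rpm -q --changelog openssl` into the same function; FreeBSD ports keep no changelog of this form, so there the equivalent check is the ports vulnerability database (`portaudit` / `pkg audit`).

```shell
#!/bin/sh
# Added example (not from the original post): check whether a CVE that a
# version-based scanner flags has already been backported into the installed
# package, by looking for the CVE identifier in the package's own changelog.
#
# Where the changelog comes from on a real system (pipe it into cve_fixed_in):
#   Debian/Ubuntu:  apt-get changelog openssl
#                   zcat /usr/share/doc/openssl/changelog.Debian.gz
#   RHEL/CentOS:    rpm -q --changelog openssl
# FreeBSD ports carry no per-package changelog of this form; there the
# equivalent check is the ports vulnerability database (portaudit / pkg audit).

# cve_fixed_in CVE-ID   (changelog text on stdin)
# Prints the oldest package version whose changelog stanza mentions the CVE
# and returns 0; prints nothing and returns 1 if no stanza mentions it.
# Debian changelogs list stanzas newest first, each starting with a header of
# the form "package (version) distribution; urgency=...".
cve_fixed_in() {
    cve=$1
    awk -v cve="$cve" '
        # stanza header: remember the version given in parentheses
        /^[a-z0-9][a-z0-9.+-]* \(/ {
            ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver)
        }
        # match the id with non-digit boundaries so a CVE id does not match a
        # longer id that merely starts with the same digits
        ver != "" && $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") { fixed = ver }
        END {
            if (fixed != "") print fixed
            exit (fixed == "" ? 1 : 0)
        }
    '
}

# Constructed changelog excerpt in Debian format. Versions, dates and the
# maintainer are made up for this example; only CVE-2009-3555 is a real id.
SAMPLE_CHANGELOG=$(cat <<'EOF'
openssl (0.9.8g-15+lenny7) stable-security; urgency=high

  * Unrelated later fix.

 -- Example Maintainer <maint@example.org>  Mon, 01 Mar 2010 12:00:00 +0000

openssl (0.9.8g-15+lenny6) stable-security; urgency=high

  * Backport the TLS renegotiation fix (CVE-2009-3555) to 0.9.8g.

 -- Example Maintainer <maint@example.org>  Mon, 01 Feb 2010 12:00:00 +0000
EOF
)

# check_sample CVE-ID: run the check against the constructed excerpt.
check_sample() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in "$1"
}

if fixed=$(check_sample CVE-2009-3555); then
    echo "CVE-2009-3555: backported in $fixed (banner still reports 0.9.8g)"
else
    echo "CVE-2009-3555: not mentioned in changelog; treat as unpatched"
fi
```

A hit in the changelog of the installed package is evidence the fix was backported even though the version banner (`Server: Apache/2.2.9 ... OpenSSL/0.9.8g`) still trips a version-list scanner; a miss means either the package really is unpatched or the maintainer did not cite the CVE, so confirm against the vendor's security advisory before arguing with the scan report.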

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


