On Fri, Nov 12, 2010 at 4:45 PM, Justin Pasher <justinp@xxxxxxxxxxxxxx> wrote:
> ----- Original Message -----
>>
>> From: Eric Kingston <ericnk@xxxxxxxxxx>
>> Date: Fri, 12 Nov 2010 08:55:07 -0700
>> Subject: Apache failing to start after upgrade.
>> To: users@xxxxxxxxxxxxxxxx
>>
>> Hi,
>>
>> I'm hoping someone here can help. Our web server was recently scanned by a
>> security company to make sure we are PCI compliant. They found two
>> vulnerabilities, both related to the version of apache and openssl installed
>> on our server. In order to bring the server up to PCI compliance we had to
>
> This is not an answer to your problem (I don't have any experience yet with
> OpenSSL 1.0), but something to note. Many "security" companies that scan web
> servers just blindly run some default scan that tries to check software
> versions from a list of versions with known vulnerabilities. If you are
> running the software from a package (such as a .deb or .rpm), most vendors
> will release back patches to older versions that fix security flaws in the
> software. For example, the Debian Stable branch (Lenny) will not supply the
> latest version of apache or openssl, because it came with a specific version
> when it was frozen as stable (in this case Apache 2.2.9 and OpenSSL 0.9.8g).
> Does this mean you are vulnerable to every security bug that was fixed in
> subsequent releases? Absolutely not. Debian will release updates via their
> security update mirrors that back patch many of those bug fixes (if not all
> of them). This holds true for any Linux system that uses this model, such as
> RedHat EL. Many "security" companies don't understand this and only go by
> "My security scanning software says you're vulnerable, so you need to
> upgrade".
>
> The better thing to find out from them is more specifically which CVE their
> scan is complaining about so you can determine whether that had already been
> patched in your version. Now, since you are running FreeBSD, I'm not sure if
> they always just offer the latest source code through ports and you are
> responsible for making sure you are running the latest version or they have
> "locked down" versions with security updates available. From that
> standpoint, I can't offer any first-hand experience (it seems like you've
> already done the basic checks like verifying apache is linked to the correct
> OpenSSL module).
>
> Good luck.
>
> --
> Justin Pasher

Just FYI on OpenSSL/FreeBSD: OpenSSL is part of the base FreeBSD installation,
there are no packages, and all appropriate security fixes are backported to
maintained security branches. In FreeBSD 8.1/8-STABLE, the base OpenSSL is
0.9.8n.

If you want to run a later version than that offered by your FreeBSD version,
then you can install newer versions from ports/pkg. IIRC there is a flag you
can set in /etc/make.conf to override the base openssl, so that everything
(from ports) links with the ports version - WITH_OPENSSL_PORTS=YES

Sorry I can't help with the OP's problem - perhaps ask on
freebsd-apache@xxxxxxxxxxx (+ perhaps questions@, that gets a lot of
eyeballs).

Cheers
Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
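The check Justin describes above (ask the scanner which CVE it is complaining about, then look at the distribution's changelog to see whether the back-ported package already carries the fix, instead of trusting the version banner), as an added example that is not part of the original thread. It assumes a Debian-style changelog such as the one `apt-get changelog` or `/usr/share/doc/<pkg>/changelog.Debian.gz` provides; the changelog text, package versions and CVE ids below are constructed placeholders, not real entries.

```shell
#!/bin/sh
# Added example, not code from the thread. Given a distro changelog and the
# CVE id a scanner flagged, find the package version that fixed it and compare
# that with the version actually installed. Debian changelog layout assumed.

# Constructed sample changelog: placeholder versions and placeholder CVE ids
# (CVE-0000-000x), used only so the script runs offline.
SAMPLE_CHANGELOG='apache2 (2.2.9-10+lenny9) stable-security; urgency=high

  * Backport fix for CVE-0000-0001 (placeholder id).

 -- Maintainer <maint@example.com>  Mon, 01 Nov 2010 00:00:00 +0000

apache2 (2.2.9-10+lenny8) stable-security; urgency=high

  * Backport fix for CVE-0000-0002 (placeholder id).

 -- Maintainer <maint@example.com>  Mon, 01 Oct 2010 00:00:00 +0000
'

# fixed_version CHANGELOG_TEXT CVE_ID
# Prints the newest package version whose changelog entry mentions CVE_ID.
# Exit status 0 when found, 1 when the changelog never mentions the CVE
# (which is the case where the scanner may actually be right).
fixed_version() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        # Entry header: "pkgname (version) distribution; urgency=..."
        /^[^ \t]+ \([^)]+\)/ { ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver) }
        # First line inside an entry that names the CVE wins (newest entry first).
        index($0, cve) && ver != "" { print ver; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# installed_is_fixed INSTALLED_VERSION FIXED_VERSION
# Exit 0 when the installed version is at or above the fixing version.
# dpkg --compare-versions knows Debian version rules; sort -V is the fallback.
installed_is_fixed() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Demo: the scanner flags the placeholder CVE-0000-0002; the installed package
# is 2.2.9-10+lenny9, newer than the entry that back-ported the fix.
if fix=$(fixed_version "$SAMPLE_CHANGELOG" CVE-0000-0002) &&
   installed_is_fixed 2.2.9-10+lenny9 "$fix"; then
    echo "CVE-0000-0002: fixed in $fix, installed version is at or above it"
else
    echo "CVE-0000-0002: not covered by the installed version"
fi
```

On a real host, replace `SAMPLE_CHANGELOG` with the output of `apt-get changelog <pkg>` (or `rpm -q --changelog <pkg>` on RPM systems, whose entry headers differ and would need the awk header pattern adjusted) and the installed version with `dpkg-query -W -f='${Version}' <pkg>`; a CVE that never appears in the changelog is the one worth raising with the vendor rather than the scanner.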