Mailinglist Archive: opensuse-security (375 mails)
Re: [suse-security] Linux/Slapper.worm
- From: Olaf Kirch <okir@xxxxxxx>
- Date: Thu, 19 Sep 2002 12:58:11 +0200
- Message-id: <20020919125811.A15101@xxxxxxx>
On Thu, Sep 19, 2002 at 10:56:58AM +0200, Ulrich Roth wrote:
> > I was compiled a new OpenSSL after restart apache works again
> > the old vulnerable version of openssl.

> On one hand openssl is a standalone application, on the other hand
> there is the openssl module for apache.
> What you need is the new version of the apache module. If you have it,
> copy it into the libexec directory.

Sorry, this is not quite right.

To re-iterate.

- Apache uses mod_ssl
- mod_ssl uses libssl and libcrypto from OpenSSL
  (yes, there's a libssl in mod_ssl too, but that's
  quite a different beast)
- the vulnerability is in OpenSSL's libssl
- OpenSSL is a collection of libraries _and_ utility programs
  (we have both kinds of music - country _and_ western)

> How do you get it?

Please read http://www.suse.com/de/security/2002_027_openssl.html

> Either as an rpm package, or a tarred version, or maybe it's possible
> to compile only the apache module from the openssl sources, I don't
> know.
> As I use a self compiled apache, I also recompiled apache, and apache
> built the new ssl module by itself from the openssl source directory.

You are still vulnerable if you just recompiled mod_ssl without
updating openssl.

Olaf
--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@xxxxxxx | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
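
Added example, not part of the original mail thread: a shell check of which libssl/libcrypto a mod_ssl build resolves to, and whether a running httpd still maps a copy that has since been replaced on disk. The sample `ldd` and `/proc/<pid>/maps` lines, the library paths and the `.X` sonames are constructed placeholders.

```shell
#!/bin/sh
# Added example. Paths and sonames below are constructed placeholders.

# Read `ldd <module>` output on stdin; print the libssl/libcrypto files the
# dynamic linker resolves. Exit status 1 means none were listed: OpenSSL is
# either linked in statically (rebuild against the fixed sources) or unused.
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" && $3 ~ /^\// {
             print $3; found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Read /proc/<pid>/maps content on stdin; print OpenSSL libraries that the
# process still maps although the file was replaced on disk ("(deleted)").
# Any output means the daemon must be restarted to pick up the update.
stale_ssl_maps() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# Constructed sample inputs
SAMPLE_LDD='	libssl.so.X => /usr/lib/libssl.so.X (0x40020000)
	libcrypto.so.X => /usr/lib/libcrypto.so.X (0x40051000)
	libc.so.6 => /lib/libc.so.6 (0x40120000)'
SAMPLE_LDD_STATIC='	libc.so.6 => /lib/libc.so.6 (0x40120000)'
SAMPLE_MAPS='40020000-40050000 r-xp 00000000 03:02 4711 /usr/lib/libssl.so.X (deleted)
40050000-40053000 rw-p 0002f000 03:02 4711 /usr/lib/libssl.so.X (deleted)
40120000-40230000 r-xp 00000000 03:02 815 /lib/libc.so.6'

# Demo on the constructed samples
printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd
printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps

# Real use (module path and pid are assumptions for your system):
#   ldd /path/to/mod_ssl.so | ssl_libs_from_ldd
#   stale_ssl_maps < /proc/<httpd-pid>/maps
```

Feed each path printed by `ssl_libs_from_ldd` to your package manager's file-ownership query to confirm it belongs to the updated OpenSSL package.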