Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Linux/Slapper.worm
  • From: Olaf Kirch <okir@xxxxxxx>
  • Date: Thu, 19 Sep 2002 12:58:11 +0200
  • Message-id: <20020919125811.A15101@xxxxxxx>
On Thu, Sep 19, 2002 at 10:56:58AM +0200, Ulrich Roth wrote:
> > I was compiled a new OpenSSL after restart apache works again
> > the old vulnerable version of openssl.
> On one hand openssl is a standalone application, on the other hand
> there is the openssl module for apache.
> What you need is the new version of the apache module. If you have it,
> copy it into the libexec directory.

Sorry, this is not quite right.

To re-iterate.

- Apache uses mod_ssl
- mod_ssl uses libssl and libcrypto from OpenSSL
  (yes, there's a libssl in mod_ssl too, but that's
  quite a different beast)
- the vulnerability is in OpenSSL's libssl
- OpenSSL is a collection of libraries _and_ utility programs
  (we have both kinds of music - country _and_ western)

> How do you get it?

Please read http://www.suse.com/de/security/2002_027_openssl.html

> Either as an rpm package, or a tarred version, or maybe it's possible
> to compile only the apache module from the openssl sources, I don't
> know.
> As I use a self compiled apache, I also recompiled apache, and apache
> built the new ssl module by itself from the openssl source directory.

You are still vulnerable if you just recompiled mod_ssl without
updating openssl.

Olaf
--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@xxxxxxx | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
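
Added example, not part of the original message: since the flaw sits in OpenSSL's libssl rather than in mod_ssl, one way to see which libssl/libcrypto a running httpd actually has loaded is to read its /proc/<pid>/maps. The sketch assumes Linux and a dynamically linked OpenSSL; the function names and the sample maps lines are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads text in /proc/<pid>/maps format on stdin and prints
# one line per distinct OpenSSL library mapping: "<state> <path>"
#   STALE = the mapped file was replaced or removed on disk ("(deleted)"),
#           so the process is still running the pre-update library
#   ok    = the mapping refers to the file currently on disk
ssl_libs_from_maps() {
    awk '
        # field 6 is the pathname; a replaced file carries "(deleted)" as field 7
        $6 ~ /\/lib(ssl|crypto)\.so/ {
            state = ($7 == "(deleted)") ? "STALE" : "ok"
            key = state " " $6
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    '
}

# Exit status 0 if any OpenSSL library mapping is stale (restart required).
needs_restart() {
    ssl_libs_from_maps | grep -q '^STALE '
}

# Constructed sample: an httpd that was started before libssl was updated.
# Paths, addresses and inode numbers are made up.
sample_maps() {
cat <<'EOF'
08048000-080a1000 r-xp 00000000 03:02 12345      /usr/sbin/httpd
40017000-40045000 r-xp 00000000 03:02 23456      /usr/lib/libssl.so.0 (deleted)
40045000-40048000 rw-p 0002d000 03:02 23456      /usr/lib/libssl.so.0 (deleted)
40048000-40110000 r-xp 00000000 03:02 23457      /usr/lib/libcrypto.so.0
EOF
}

sample_maps | ssl_libs_from_maps
if sample_maps | needs_restart; then
    echo "httpd still maps a replaced OpenSSL library: restart it"
fi

# Live use on Linux, for each httpd process id:
#   ssl_libs_from_maps < /proc/<pid>/maps
```

If no libssl line appears for a process that serves SSL, OpenSSL may have been linked statically into mod_ssl, and this check then says nothing about which OpenSSL code is in use.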
