Hi! On Wed, Sep 18, 2002 at 02:54:12PM +0200, Joachim Hummel wrote:
> I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after installing I also have a vulnerable version of mod_ssl!
Aha? How do you know?
> Mod_SSL or OpenSSL? I don't understand this?? OpenSSL is a standalone application!
It is also used, as library, by other applications.
> SSL with Apache works only with file /usr/lib/apache/libssl.so
Right.
> SSL with Apache works only with file /usr/lib/apache/libcrypto.so
There is no such file; you likely mean /usr/lib/libcrypto.so. It is one of the openssl libraries, which other applications use by loading it dynamically.
> Apache doesn't work with /usr/sbin/openssl
/usr/sbin/openssl is in principle just another application using the openssl lib.
> libssl.so is included in the mod_ssl.rpm package!
Yes, it is the apache module (also a library, dynamically loaded at runtime as a shared object). However, this lib again loads another library at runtime -- the openssl lib. Run

  ldd /usr/lib/apache/libssl.so

to verify! It will report something like this:

  libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40046000)
  libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40076000)
  libc.so.6 => /lib/libc.so.6 (0x4014d000)
  libdl.so.2 => /lib/libdl.so.2 (0x4026d000)
  /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

showing that the openssl libs are linked dynamically. As a consequence, when your openssl package is not vulnerable, your mod_ssl isn't either.
> I can't find any ssl version 0.9.6.e or 0.9.6.g; this is recommended by securityfocus.com
Yes, there is no reason and no need to do risky updates from an (up to) two year old openssl version to the newest one, which could break half of your system. Times change; compilers and other tools as well as their usage change... Look at the openssl changelog alone, and see how much has changed there since then! Really, all you want is a fix for that given security vulnerability, i.e. an appropriate source code patch. Guess what, we add such patches to our packages :) yes, and that's why we send out those fancy announcements...

Now how do you know that we REALLY fixed an issue (provided that you do not trust us at all)? I'll post a short "HowTo" to this list (in a separate mail so it is easier to find in the archives).
> Copy of SecurityFocus.com! The vulnerability exploited by the Slapper (Apache/mod_ssl) worm was fixed beginning with OpenSSL version 0.9.6e. Administrators may want to upgrade to the latest version; as of this writing the latest version of OpenSSL is 0.9.6g.
One more word on announcements like this. Of course most software vendors recommend updating to their latest version, simply because most vendors/teams/developers can't or don't want to go through the effort of providing patches for older versions (because this can be a lot of work) and doing the necessary testing (more work). Thus, often it is us who make the missing patches and provide them to the community. Also, in close collaboration with software vendors/teams, we often have the opportunity to fix our packages _before_ a vulnerability becomes publicly known, which can mean _before_ a given fixed version of that software is released at all. For example, openssl 0.9.6g was not born when we fixed our packages!

I hope we can clear the confusion.

Peter

-- 
Thought is limitation. Free your mind.
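As an added example, not part of Peter's mail: a small POSIX shell helper that applies the ldd check above to a module such as /usr/lib/apache/libssl.so, keeps only the OpenSSL libraries it resolves to at runtime, and (assuming an RPM-based system like SuSE) names the package owning each resolved library, which is the package a security announcement refers to. The embedded sample ldd output is constructed after the lines quoted in the mail; `module_openssl_libs` and `owning_packages` are names chosen here, not system commands.

```shell
#!/bin/sh
# Added example (not from the original mail): find which OpenSSL shared
# libraries a module resolves to at runtime, so the fix status of *that*
# package (rather than /usr/sbin/openssl) can be checked.

# Constructed sample, shaped like the ldd output quoted in the mail.
SAMPLE_LDD='	libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40046000)
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40076000)
	libc.so.6 => /lib/libc.so.6 (0x4014d000)
	libdl.so.2 => /lib/libdl.so.2 (0x4026d000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)'

# openssl_deps: read ldd output on stdin, print "soname resolved-path" for
# the OpenSSL libraries only (libssl*/libcrypto*), one per line.
openssl_deps() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# module_openssl_libs FILE: run ldd on a real shared object and report its
# OpenSSL dependencies; prints nothing and returns 1 if FILE is unreadable.
module_openssl_libs() {
    [ -r "$1" ] || return 1
    ldd "$1" | openssl_deps
}

# owning_packages: read "soname path" lines and append the RPM that owns
# each resolved path (rpm -qf), to compare against the vendor's
# announcement. Emits a marker instead when rpm is not available.
owning_packages() {
    while read -r soname path; do
        if command -v rpm >/dev/null 2>&1; then
            owner=$(rpm -qf "$path" 2>/dev/null || echo 'not-owned-by-any-rpm')
        else
            owner='rpm-not-available'
        fi
        printf '%s %s %s\n' "$soname" "$path" "$owner"
    done
}

# Demonstration on the constructed sample. On a real SuSE 8.0 box you
# would run:  module_openssl_libs /usr/lib/apache/libssl.so | owning_packages
printf '%s\n' "$SAMPLE_LDD" | openssl_deps
```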