I just ran a Nessus scan and it showed OpenSSL vulnerable even though I updated my server when the security fix came out. Here are the results for OpenSSL. I checked my version and it is OpenSSL 0.9.7b 10 Apr 2003. Either I didn't get my correct version or the update didn't apply. Here is what Nessus said:

results|10.0.0|10.0.0.4|https (443/tcp)|11875|Security Hole|The remote host seem to be running a version of OpenSSL which is older than 0.9.6k or 0.9.7c. \n\nThere is a heap corruption bug in this version which might be exploited by an\nattacker to gain a shell on this host.\n\nSolution : If you are running OpenSSL, Upgrade to version 0.9.6k or 0.9.7c or newer\nRisk factor : High\nCVE : CVE-2003-0543, CVE-2003-0544, CVE-2003-0545\nBID : 8732\nOther references : IAVA:2003-A-0027, RHSA:RHSA-2003:291-01, SuSE:SUSE-SA:2003:043\n

results|10.0.0|10.0.0.4|www (80/tcp)|11853|Security Warning|\nThe remote host appears to be running a version of Apache 2.x which is older \nthan 2.0.48.\n\nThis version is vulnerable to a bug which may allow a rogue CGI to disable\nthe httpd service by issuing over 4K of data to stderr.\n\nTo exploit this flaw, an attacker would need the ability to upload a rogue\nCGI script to this server and to have it executed by the Apache daemon (httpd).\n\nSolution : Upgrade to version 2.0.48 when it is available\nSee also : http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030 \nRisk factor : Low\nCVE : CVE-2002-0061, CAN-2003-0789, CAN-2003-0542\nBID : 8926\n

Thank you,
Eric

--
______________________________________________________________________
Eric Kahklen
Seattle, WA