Peter Wiersig said:
Joachim Hummel wrote:
I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after installing I also have a vulnerable version of mod_ssl!
Who says this? The flaw is in the package openssl. What mod_ssl vulnerability are you talking about?
Copy from SecurityFocus.com:
The OpenSSL server vulnerability exploit exists on a wide variety of platforms, but Slapper appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures.
Mod_SSL or OpenSSL? I don't understand this??
OpenSSL is a standalone application!
SSL with Apache works only with the file /usr/lib/apache/libssl.so
SSL with Apache works only with the file /usr/lib/apache/libcrypto.so
Apache doesn't work with /usr/sbin/openssl
libssl.so is included in the mod_ssl.rpm package!
I can't find any SSL version 0.9.6.e or 0.9.6.g, which is recommended by securityfocus.com.
I compiled a new OpenSSL; after a restart, Apache again works with the old vulnerable version of openssl.
Isn't SuSE Support interested in this OpenSSL vulnerability?
They care and they have already packaged updates.
NO!! This is an older version than the recommended version 0.9.6.e
I can't find any information about this vulnerability on the SuSE Support site.
This says nothing!
I have SuSE 7.3 and 8.0 (native with Apache and SSL)... what must I do now, SuSE (step by step)?
Yast2 -> Software -> Online Update Automatic Update -> Next
I did this... It installed the vulnerable version 0.9.6.c. This helps very well!!!
Copy of SecurityFocus.com:
The vulnerability exploited by the Slapper (Apache/mod_ssl) worm was fixed beginning with OpenSSL version 0.9.6e. Administrators may want to upgrade to the latest version as of this writing the latest version of OpenSSL is 0.9.6g.
--
Kind regards,
Joachim Hummel