httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dick Davies <>
Subject Re: [users@httpd] What is best way to upgarde mod_ssl? Does one have to upgrad entire Apache install
Date Wed, 30 Mar 2005 19:53:08 GMT
* Charlie Smith <> [0359 18:59]:
> Joshua,
>   Our security folks are now indicating that the mod_ssl associated with Apache
> 1.3.28 is the one causing the problems.  This was part of a static Apache
> compile.  They are recommending upgrading mod_ssl to 2.8.22.  They are also
> recommending upgrading Apache to 1.3.33.
> On the Apache 2.0.48 install that we have running, they're recommending
> upgrading to 2.0.53.   And upgrading OpenSSL to  0.9.7f.  I'm a little confused
> about the alerts here.  OpenSSL was used to generate the security certificate,
> but as I recall, wasn't even part of the Apache 2.0 install.  Does that sound
> correct?
> Please verify if there really is a vulnerability with th ssl_log() function
> which 
> could warrant upgrading all these apps.

you need to upgrade both apaches, they have holes. ugrading openssl should'nt take
more than five minutes.

As an aside, if you're putting off security updates because it would be a lot of 
work, you need to take some time to look at your setup and find a way to make it
less work..... I've never had to do more than

backup server config (/etc/httpd)
backup server (/usr/local/apache)
install new binaries
verify syntax (httpd -t -DSSL -S)
apachectl restart
test it

a 30 minute outage window is usually plenty.

Server maintenance is more important than server performance.
'Everybody's a jerk. You, me, this jerk.'
		-- Bender
Rasputin :: Jack of All Trades - Master of Nuns

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message