httpd-users mailing list archives

From "Charlie Smith" <smit...@ldschurch.org>
Subject Re: [users@httpd] What is best way to upgrade mod_ssl? Does one have to upgrade entire Apache install
Date Wed, 30 Mar 2005 17:59:02 GMT
Joshua,
  Our security folks are now indicating that the mod_ssl associated with Apache
1.3.28 is the one causing the problems.  This was part of a static Apache
compile.  They are recommending upgrading mod_ssl to 2.8.22.  They are also
recommending upgrading Apache to 1.3.33.

On the Apache 2.0.48 install that we have running, they're recommending
upgrading to 2.0.53.   And upgrading OpenSSL to  0.9.7f.  I'm a little confused
about the alerts here.  OpenSSL was used to generate the security certificate,
but as I recall, wasn't even part of the Apache 2.0 install.  Does that sound
correct?

Please verify if there really is a vulnerability with the ssl_log() function
which could warrant upgrading all these apps.

Charlie ;)
3/30/05

>>> SmithCW@ldschurch.org 03/25/05 8:04 AM >>>
I didn't.  Just wondering.   Well, actually we've got some security people here
that indicate a problem with the version of mod_ssl we're running.  They
recommended upgrading mod_ssl, evidently,  because of security problems with the
mod_ssl that comes with our version of Apache - something about a mod_ssl
containing a format string vulnerability in the ssl_log() function which 'may
allow an attacker to potentially execute arbitrary code'.  So...

>>> jslive@gmail.com 3/24/2005 7:48:33 PM >>>
On Thu, 24 Mar 2005 12:42:57 -0700, Charlie Smith <SmithCW@ldschurch.org>
wrote:
> Thanks Joshua.  The instance I wanted to upgrade is actually httpd-2.0.48

Then you are better off just upgrading all of apache.  Why do you
think you need to upgrade mod_ssl independently?

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 



------------------------------------------------------------------------------
This message may contain confidential information, and is
intended only for the use of the individual(s) to whom it
is addressed.
------------------------------------------------------------------------------

