httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Regarding mgmt. of mod_ssl and Apache versions (vulnerabilities)
Date Thu, 21 Feb 2008 14:40:51 GMT
On Thu, Feb 21, 2008 at 8:58 AM, nitin dubey <nitz_tech@yahoo.com> wrote:
> Hi,
>
>  I have downloaded the sources of latest apache 2.2.8 that includes mod_ssl as well.
 My concern is about the two vulnerabilities (htp://www.securityfocus.com/bid/10736/info,
htp://www.securityfocus.com/bid/4189/info).  I do not have any information whether or not
these two vulnerabilities still exist or have been fixed in the mod_ssl provided with apache
sources 2.2.8.
>
>  After googling I could find out that these are solved in mod_ssl 2.8.19.
>
>  Now to fix this I am thinking/trying the following:
>  - Check the version of mod_ssl bundled with apache 228.  If this ver is greater than
2.8.19 then these vulnerabilities must have been fixed.  I do not know how to determine the
version of mod_ssl here.
>
>  - Download the mod_ssl latest version from modssl.org and force (since modssl.org does
not provide sources for apache 2.x ver; it provides only for apache 1.3.x series) its installation
with latest apache 228 ver.  Since, mod_ssl version here is not built for apache 2.x series,
I may end up creating more problems for myself.
>

Although the mod_ssl that is included in apache 2.x was originally
based on the mod_ssl being referred to here, they are now two very
different products. So the fact that they list mod_ssl (as distributed
by Ralf) as being vulnerable for certain versions does not in any way
mean that the mod_ssl included with apache 2 is vulnerable. If
securityfocus thought that apache 2 was vulnerable, they would have
specifically listed it.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message