httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <>
Subject Re: [users@httpd] Regarding mgmt. of mod_ssl and Apache versions (vulnerabilities)
Date Thu, 21 Feb 2008 14:40:51 GMT
On Thu, Feb 21, 2008 at 8:58 AM, nitin dubey <> wrote:
> Hi,
>  I have downloaded the sources of latest apache 2.2.8 that includes mod_ssl as well.
 My concern is about the two vulnerabilities (htp://,
htp://  I do not have any information whether or not
these two vulnerabilities still exist or have been fixed in the mod_ssl provided with apache
sources 2.2.8.
>  After googling I could find out that these are solved in mod_ssl 2.8.19.
>  Now to fix this I am thinking/trying the following:
>  - Check the version of mod_ssl bundled with apache 228.  If this ver is greater than
2.8.19 then these vulnerabilities must have been fixed.  I do not know how to determine the
version of mod_ssl here.
>  - Download the mod_ssl latest version from and force (since does
not provide sources for apache 2.x ver; it provides only for apache 1.3.x series) its installation
with latest apache 228 ver.  Since, mod_ssl version here is not built for apache 2.x series,
I may end up creating more problems for myself.

Although the mod_ssl that is included in apache 2.x was originally
based on the mod_ssl being referred to here, they are now two very
different products. So the fact that they list mod_ssl (as distributed
by Ralf) as being vulnerable for certain versions does not in any way
mean that the mod_ssl included with apache 2 is vulnerable. If
securityfocus thought that apache 2 was vulnerable, they would have
specifically listed it.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message