From: Sharon Zastre
To: "users@httpd.apache.org"
Date: Mon, 29 Sep 2014 13:09:19 -0500
Subject: RE: [users@httpd] Proposed simple shell-shock protection

I will admit that I am far from an advanced user of Apache. So for now I think I will hold off on trying to create the module. Is it safe to assume that a fix/patch/upgrade will become available to address the shellshock vulnerability?

Thanks,
Sharon

-----Original Message-----
From: Nick Kew [mailto:nick@webthing.com]
Sent: Monday, September 29, 2014 12:59 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Proposed simple shell-shock protection

On 29 Sep 2014, at 17:35, Sharon Zastre wrote:

> Thank you Nick for quickly looking into a solution/work around for the
> shellshock vulnerability. But I'm confused as to how to implement it. I am
> currently at Apache 2.4.9 with OpenSSL 1.0.1g. Do I need to upgrade to
> 2.4.10 or 2.5(?) first? Will it simply be in the install and I include
> mod_taint in the config file? Or is this a separate download that I need
> to run?

No, you don't need to upgrade anything. Just build the module with your existing 2.2.x or 2.4.x. Maybe even 2.0.x: I haven't tried!

If you don't know how, the tool you need is apxs, and the server docs explain how to use it.

You should also be aware that if you're not accustomed to getting your hands dirty, you might find it too 'bleeding edge'. I just had a bug report a few hours ago and have yet to find time to investigate.

--
Nick Kew

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org