Home page logo

fulldisclosure logo Full Disclosure mailing list archives

OpenSSL problem: is mod_ssl also vulnerable?
From: full-disclosure () lists netsys com (Ron DuFresne)
Date: Wed, 31 Jul 2002 07:22:35 -0500 (CDT)

On Wed, 31 Jul 2002, Thomas Oppel wrote:

Am Mittwoch, 31. Juli 2002 09:13 schrieb Jedi/Sector One:
On Wed, Jul 31, 2002 at 08:50:31AM +0200, Peter Bieringer wrote:
does anyone know whether mod_ssl (used with Apache 1.3) is also
vulnerable. Currently, last version seen on their webpage is 2.8.10
(24 June 2002).

  Yes, the OpenSSL vulnerability can be triggered through mod_ssl.

  But you don't need a new mod_ssl version to be safe against it. Only
bring OpenSSL up to date, and your mod_ssl module will be safe.

And what about apache-2.0.39 with SSL enabled?
Nothing on apache.org so far.
apache-2.0.x includes code from the mod_ssl project I guess, right?

The key to the openssl issue is the same here, get fixed openssl sources,
and recompile with them as the reference bases just as with mod-ssl
appache 1.3.x.

Now for those with less then trust worthy local users <smile>, and relying
upon apache 1.3.x/mod-ssl/libmm compiles, there is the additional question
of whther there is a new mm package available.


Ron DuFresne
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]