Re: [cobalt-security] Recompiling SSH / Apache [was Significant OpenSSH Vulnerability ??]



From: "Michael Stauber"

Hi Michael,

> > After this and some option-setting Privilege separation seems to work
> > fine.
>
> Correct. That's what I did in my PKGs for the RaQ3, RaQ4, Qube3 and XTR as
> well: compile OpenSSH *with* PrivSep and then disable it specifically in
> sshd_config

I read in another mail you already found out that setting Compression to
"no" (and not as I typo-d "No", thanks to John) and activating PrivSep would
do the trick. I by the way did install OpenSSL 0.9.6d, assuming backward
compatibility of the libs. Nothing broke just now.

> > My next project will be compiling Apache 2.X, together with mod_perl, a
> > new perl (needed too), and php.
>
> I'm not sure if that's a wise idea. So far I still doubt the stability of
> Apache 2.X a little, but by all means I'd be interested in your progress
> on that if you decide to give it a go.
>
> FWIW: Compiling and running Apache-1.3.26 isn't that big of an issue if
> you can afford to do without Chilisoft and Frontpage support. Aside from
> that it's still possible to run the AdmServ.

Yeah, I could not see all the consequences for those versions. It seemed I
needed to recompile at least php, mod_ssl, mod_auth_pam and mod_perl as
well. And mod_perl complained about the old perl version, so that would add
a new perl dist to the list. Losing Chilisoft would be a bit of a downer,
but I guess I still own a license so I could get a new one? As for
frontpage, I did not know it needed some software support. I thought it was
just adding the right dirs and use some <limit PUT> stuff?

So then I thought: if I have to do all this, I'd better switch to Apache 2.x
now and save me time. mod_ssl is a normal module there, not a patch. And it
gives you some nice tricks like cgi's outputting shtml etc.