
RE: [cobalt-security] New SSL Patch -- did anything happen ?



Fragga wrote:
> # on a "patched" Raq 4 ( i.e. Sun's new 2.0.1-2-15787.pkg as of 2/10/02 11.00
> am GMT ) :-
> [root httpd]# openssl
> OpenSSL> version
> OpenSSL 0.9.6b 9 Jul 2001
> OpenSSL> quit
> [root httpd]# httpd -v
> Server version: Apache/1.3.20 Sun Cobalt (Unix)
> Server built:   Aug  6 2002 14:14:37

OK, that's to be expected.

> Apache has a new build date but why is the OpenSSL date the same and the version
> still the old vulnerable one?
> again sorry if this has already been corrected but could someone supply some
> linkage or info ?

I've sat and watched the many discussions about this recent vulnerability, the worm, and all the associated patches. Not one person on this list has actually explained the problem clearly.

The vulnerability is inside the ASN.1 coding routines in the OpenSSL underlying libraries. Under most circumstances, the ONLY remote service using SSL you will have available (at least, the most common) is the Apache webserver with mod_ssl enabled.

The problem is NOT necessarily directly related to the version of OpenSSL you have installed, since mod_ssl is *statically* linked to a set of openssl libraries at install time. The Cobalt update, amongst other things, replaces the Apache mod_ssl module. It does not have to reinstall the OpenSSL *package* since the Apache server does not directly use it. They are two distinct, different packages.

See http://isc.incidents.org/analysis.html?id=167 for a good, clear explanation.

Of course, if you built your own version of mod_ssl against a local version of openssl you should update openssl and mod_ssl together with Apache (clearly, not on a RaQ!). If you installed mod_ssl as a package, grab a new copy and install that. Your locally installed OpenSSL package doesn't really matter from a webserver point of view, unless you're using it via CGI scripts. If that's true, stop it :) Of course, good practice dictates that you should update openssl anyway, to prevent you statically compiling things against ropey vulnerable versions in future!

To summarise: look at the version of openssl that mod_ssl was compiled against:

# strings /etc/httpd/modules/libssl.so | grep -i openssl

(your module name may be different)

HTH

Graeme
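As an added example (not from the original post), here is a small POSIX shell script that automates the check Graeme describes: it pulls the OpenSSL version string out of a module file, the way `strings ... | grep -i openssl` does, and compares it with a minimum version you supply. The threshold 0.9.6e and the function names are assumptions for this example; the sample "module" is a constructed file carrying the version string from the quoted RaQ output.

```shell
#!/bin/sh
# Added example, not from the original post: find the OpenSSL version string
# embedded in a (statically linked) module and compare it with a minimum.

# Print the first "OpenSSL x.y.zL" version found inside FILE, without the
# "OpenSSL " prefix. tr(1) stands in for strings(1) so binutils is not needed.
linked_openssl_version() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' \
        | head -n 1 | sed 's/^OpenSSL //'
}

# Turn "0.9.6b" into the comparable key "0 9 6 2" (patch letter -> 1..26,
# no letter -> 0). Assumes a single-letter suffix, as the 0.9.6x releases used.
version_key() {
    nums=$(printf '%s' "$1" | sed 's/[a-z]*$//' | tr '.' ' ')
    letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    if [ -z "$letter" ]; then n=0; else n=$(( $(printf '%d' "'$letter") - 96 )); fi
    echo "$nums $n"
}

# version_lt A B: succeed (exit 0) when version A is older than version B.
version_lt() {
    set -- $(version_key "$1") $(version_key "$2")   # $1..$4 = A, $5..$8 = B
    i=0
    while [ "$i" -lt 4 ]; do
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift; i=$((i + 1))
    done
    return 1   # equal
}

# check_module FILE MIN: report the linked version; exit 1 if older than MIN,
# 2 if no version string is found.
check_module() {
    v=$(linked_openssl_version "$1")
    [ -n "$v" ] || { echo "$1: no OpenSSL version string found"; return 2; }
    if version_lt "$v" "$2"; then
        echo "$1: linked against OpenSSL $v, older than $2: update the module"
        return 1
    fi
    echo "$1: linked against OpenSSL $v (not older than $2)"
}
# Demo on a constructed "module": a few binary bytes around the version
# string from the quoted RaQ output. Threshold 0.9.6e is an assumption.
sample=$(mktemp)
printf '\001\002\000OpenSSL 0.9.6b 9 Jul 2001\000\377' > "$sample"
check_module "$sample" 0.9.6e || :
rm -f "$sample"
```

Run it as `check_module /etc/httpd/modules/libssl.so 0.9.6e` against the real module path on your box; a non-zero exit means the module still carries an older statically linked OpenSSL.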