Re: [cobalt-security] New SSL Patch -- did anything happen ?
- Subject: Re: [cobalt-security] New SSL Patch -- did anything happen ?
- From: "David Seaton" <david@xxxxxxxxxxx>
- Date: Sun, 6 Oct 2002 12:44:42 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Ok, I'm a little scared now.
This is before & after installing the latest security http/ssl patch 15787.
Please tell me it doesn't use this on my RaQ3
# strings /usr/lib/libssl.so | grep -i openssl
SSLv2 part of OpenSSL 0.9.3a 29 May 1999
SSLv3 part of OpenSSL 0.9.3a 29 May 1999
SSLv2/3 compatibility part of OpenSSL 0.9.3a 29 May 1999
TLSv1 part of OpenSSL 0.9.3a 29 May 1999
OpenSSL 0.9.3a 29 May 1999
Also:
Config file httpd:
ServerTokens ProductOnly
HTTP HEADER:
Server: Apache/1.3.6 (Unix) PHP/4.2.3 mod_perl/1.21 mod_ssl/2.2.8 OpenSSL/0.9.2b
BTW I did restart the server. How do I get rid of this header message?
----- Original Message -----
From: "Graeme Fowler" <graeme.fowler@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Wednesday, October 02, 2002 3:08 PM
Subject: RE: [cobalt-security] New SSL Patch -- did anything happen ?
Fragga wrote:
> # on a "patched" Raq 4 ( i.e. Sun's new 2.0.1-2-15787.pkg as of 2/10/02 11.00 am GMT ) :-
> [root httpd]# openssl
> OpenSSL> version
> OpenSSL 0.9.6b 9 Jul 2001
> OpenSSL> quit
> [root httpd]# httpd -v
> Server version: Apache/1.3.20 Sun Cobalt (Unix)
> Server built: Aug 6 2002 14:14:37
OK, that's to be expected.
> Apache has a new build date, but why is the OpenSSL date the same and the version still the old vuln one?
> Again, sorry if this has already been corrected, but could someone supply some linkage or info?
I've sat and watched the many discussions about this recent
vulnerability, the worm, and all the associated patches. Not one person
on this list has actually explained the problem clearly.
The vulnerability is inside the ASN.1 coding routines in the OpenSSL
underlying libraries. Under most circumstances, the ONLY remote service
using SSL you will have available (at least, the most common) is the
Apache webserver with mod_ssl enabled.
The problem is NOT necessarily directly related to the version of
OpenSSL you have installed, since mod_ssl is *statically* linked to a
set of openssl libraries at install time. The Cobalt update, amongst
other things, replaces the Apache mod_ssl module. It does not have to
reinstall the OpenSSL *package* since the Apache server does not
directly use it. They are two distinct, different packages.
See http://isc.incidents.org/analysis.html?id=167 for a good, clear
explanation.
Of course, if you built your own version of mod_ssl against a local
version of openssl you should update openssl and mod_ssl together with
Apache (clearly, not on a RaQ!). If you installed mod_ssl as a package,
grab a new copy and install that. Your locally installed OpenSSL package
doesn't really matter from a webserver point of view, unless you're
using it via CGI scripts. If that's true, stop it :)
Of course, good practice dictates that you should update openssl anyway,
to prevent you statically compiling things against ropey vulnerable
versions in future!
To summarise: look at the version of openssl that mod_ssl was compiled
against:
# strings /etc/httpd/modules/libssl.so | grep -i openssl
(your module name may be different)
HTH
Graeme
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
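Added example, not code from the thread or from Sun/Cobalt: a small POSIX shell script that does what Graeme's final `strings | grep` step does (read the OpenSSL banner strings compiled into a module such as mod_ssl's `libssl.so`) without needing binutils, and then compares each embedded version against a minimum version you supply. The sample file, the function names and the `0.9.6e` threshold are assumptions made for the demo; on a real box you would point `check_module` at the module path your httpd actually loads and use the version your vendor advisory names as fixed.

```shell
#!/bin/sh
# Added example (not part of the thread): list the OpenSSL version strings
# compiled into a binary such as a mod_ssl module and flag any older than a
# minimum you supply. Works without binutils' strings(1).

# Constructed stand-in for /etc/httpd/modules/libssl.so: a small file with
# OpenSSL banner strings embedded between non-printable bytes.
make_sample() {
  f=$(mktemp)
  printf 'ELF\001\002junk\000SSLv3 part of OpenSSL 0.9.3a 29 May 1999\000x\000OpenSSL 0.9.3a 29 May 1999\000' > "$f"
  printf '%s' "$f"
}

# Distinct "OpenSSL x.y.zN" strings found in a file. Non-printable bytes are
# turned into newlines so each embedded string lands on its own line.
openssl_versions_in() {
  tr -c '[:print:]' '\n' < "$1" | grep -o 'OpenSSL [0-9][0-9.]*[a-z]*' | sort -u
}

# Compare two OpenSSL-style version numbers (0.9.3a, 0.9.6b, 0.9.7).
# Prints -1, 0 or 1. Numeric fields compare first; a letter suffix sorts
# after the bare number, so 0.9.6 < 0.9.6a < 0.9.6b.
vercmp() {
  an=$(printf '%s' "$1" | sed 's/[a-z]*$//'); al=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
  bn=$(printf '%s' "$2" | sed 's/[a-z]*$//'); bl=$(printf '%s' "$2" | sed 's/^[0-9.]*//')
  i=1
  while :; do
    x=$(printf '%s.' "$an" | cut -d. -f"$i"); y=$(printf '%s.' "$bn" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then break; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  if [ "$al" = "$bl" ]; then printf '%s\n' 0; return; fi
  first=$(printf '%s\n%s\n' "$al" "$bl" | sort | head -n 1)
  if [ "$first" = "$al" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
}

# Report each embedded OpenSSL version older than $2 (the version your vendor
# advisory names as fixed; 0.9.6e below is an assumed threshold, not taken
# from the thread). Exit status 0 means nothing older was found.
check_module() {
  file=$1; min=$2; rc=0
  for v in $(openssl_versions_in "$file" | sed 's/^OpenSSL //'); do
    if [ "$(vercmp "$v" "$min")" -lt 0 ]; then
      echo "$file: embedded OpenSSL $v is older than $min"
      rc=1
    fi
  done
  return "$rc"
}

# Usage on a real system: check_module /etc/httpd/modules/libssl.so 0.9.6e
# Demo run against the constructed sample file:
sample=$(make_sample)
if check_module "$sample" 0.9.6e; then echo "$sample: no embedded OpenSSL older than 0.9.6e"; fi
rm -f "$sample"
```

The point of checking the module rather than `openssl version` is the one Graeme makes: mod_ssl carries its own copy of the OpenSSL code, so the package version on the box says nothing about what httpd is actually running. Run `check_module` against every `.so` your httpd loads (and any other daemon you link statically), not just the one path shown here.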