Re: [cobalt-security] New SSL Patch -- did anything happen ?
- Subject: Re: [cobalt-security] New SSL Patch -- did anything happen ?
- From: "David Seaton" <david@xxxxxxxxxxx>
- Date: Tue, 8 Oct 2002 01:38:47 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Ok, I'm a little scared now.
> This is before & after installing the latest security
> http/ssl patch 15787. Please tell me it doesn't use this on my RaQ3
>
> # strings /usr/lib/libssl.so | grep -i openssl
>
> SSLv2 part of OpenSSL 0.9.3a 29 May 1999
> SSLv3 part of OpenSSL 0.9.3a 29 May 1999
> SSLv2/3 compatibility part of OpenSSL 0.9.3a 29 May 1999
> TLSv1 part of OpenSSL 0.9.3a 29 May 1999
> OpenSSL 0.9.3a 29 May 1999
Yes, I'm afraid what you see is correct.
So does this mean that I am vulnerable to Slapper still?
> Also:
> Config file httpd:
> ServerTokens ProductOnly
>
> HTTP HEADER:
> Server: Apache/1.3.6 (Unix) PHP/4.2.3 mod_perl/1.21
> mod_ssl/2.2.8 OpenSSL/0.9.2b
>
> BTW I did restart the server. How do I get rid of this
> header message?
Try setting ServerTokens Min in /etc/httpd/conf/httpd.conf and
/etc/admserv/conf/httpd.conf instead of ProductOnly.
Now I get:
Server: Apache/1.3.6
Which is better, but I'd like to get rid of that version. Slapper can still use it.
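
As an added example (not part of the original message), a small shell check that separates what the Server banner advertises from the OpenSSL version strings found in the library file, using the two outputs quoted above as sample input. The function names are hypothetical; changing ServerTokens affects only the banner side of this comparison.

```shell
#!/bin/sh
# Added example: banner vs. on-disk OpenSSL version. Function names are
# hypothetical; sample inputs are copied from the message above.

# Print the OpenSSL version advertised in a Server header (empty if hidden).
banner_openssl() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Print each distinct OpenSSL version in `strings` output read from stdin.
# Real use: strings /usr/lib/libssl.so | lib_openssl
lib_openssl() {
    sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\) .*/\1/p' | sort -u
}

# List every product/version token the banner discloses, one per line.
banner_tokens() {
    printf '%s\n' "$1" | sed 's/^Server: *//' | tr ' ' '\n' | grep '/'
}

# Returns 0 if banner and library agree, 1 if they differ,
# 2 if the banner hides the version (the library value still stands).
compare_openssl() {
    b=$(banner_openssl "$1")
    if [ -z "$b" ]; then
        echo "banner hides OpenSSL version; library reports $2"
        return 2
    fi
    if [ "$b" = "$2" ]; then
        echo "banner and library agree: $2"
        return 0
    fi
    echo "mismatch: banner says $b, library reports $2"
    return 1
}

# Header from the message, joined onto one line.
HEADER='Server: Apache/1.3.6 (Unix) PHP/4.2.3 mod_perl/1.21 mod_ssl/2.2.8 OpenSSL/0.9.2b'
# Three of the lines printed by the strings command in the message.
STRINGS_OUT='SSLv2 part of OpenSSL 0.9.3a 29 May 1999
TLSv1 part of OpenSSL 0.9.3a 29 May 1999
OpenSSL 0.9.3a 29 May 1999'

LIB=$(printf '%s\n' "$STRINGS_OUT" | lib_openssl)
banner_tokens "$HEADER"
compare_openssl "$HEADER" "$LIB" || true
compare_openssl 'Server: Apache/1.3.6' "$LIB" || true
```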