
Re: [cobalt-security] New SSL Patch -- did anything happen ?



> Ok, I'm a little scared now.
> This is before & after installing the latest security 
> http/ssl patch 15787. Please tell me it doesn't use this on my RaQ3
> 
> # strings /usr/lib/libssl.so | grep -i openssl                
>              
> SSLv2 part of OpenSSL 0.9.3a 29 May 1999
> SSLv3 part of OpenSSL 0.9.3a 29 May 1999
> SSLv2/3 compatibility part of OpenSSL 0.9.3a 29 May 1999
> TLSv1 part of OpenSSL 0.9.3a 29 May 1999
> OpenSSL 0.9.3a 29 May 1999

Yes, I'm afraid what you see is correct.

So does this mean that I am vulnerable to Slapper still?

> Also: 
> Config file httpd:
> ServerTokens ProductOnly
> 
> HTTP HEADER:
> Server: Apache/1.3.6 (Unix) PHP/4.2.3 mod_perl/1.21 
> mod_ssl/2.2.8 OpenSSL/0.9.2b
> 
> BTW I did restart the server. How do I get rid of this 
> header message?

Try setting ServerTokens Min in /etc/httpd/conf/httpd.conf and
/etc/admserv/conf/httpd.conf instead of ProductOnly.

Now I get:
Server: Apache/1.3.6
Which is better, but I'd like to get rid of that version. Slapper can still use it.
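
Added example (not part of the original thread, and not Cobalt's tooling): a small audit that compares the OpenSSL version string found in the library on disk with what the Server banner advertises, and lists the banner tokens that still carry a version. The sample input is the output quoted in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Sample input: the `strings` output and Server header quoted in the thread.
STRINGS_OUT='SSLv2 part of OpenSSL 0.9.3a 29 May 1999
SSLv3 part of OpenSSL 0.9.3a 29 May 1999
TLSv1 part of OpenSSL 0.9.3a 29 May 1999
OpenSSL 0.9.3a 29 May 1999'
SERVER_HDR='Server: Apache/1.3.6 (Unix) PHP/4.2.3 mod_perl/1.21 mod_ssl/2.2.8 OpenSSL/0.9.2b'

# Version string embedded in the shared library.
# Reads `strings /usr/lib/libssl.so` output on stdin.
lib_openssl_version() {
    sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\) .*/\1/p' | head -n 1
}

# Version of one product token in a Server header line.
# $1 = header line, $2 = product name (e.g. OpenSSL, Apache)
banner_version() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s|^$2/||p" | head -n 1
}

# All banner tokens that still expose a version (product/version).
banner_leaks() {
    printf '%s\n' "$1" | sed 's/^Server: *//' | tr ' ' '\n' \
        | grep '/' | paste -s -d ' ' -
}

# $1 = strings output, $2 = Server header line
audit() {
    lib=$(printf '%s\n' "$1" | lib_openssl_version)
    hdr=$(banner_version "$2" OpenSSL)
    echo "library on disk:  OpenSSL ${lib:-unknown}"
    echo "banner reports:   OpenSSL ${hdr:-not shown}"
    if [ -n "$hdr" ] && [ "$lib" != "$hdr" ]; then
        echo "MISMATCH: banner and on-disk library report different versions"
    fi
    echo "versioned tokens: $(banner_leaks "$2")"
}

audit "$STRINGS_OUT" "$SERVER_HDR"
# After the ServerTokens change the banner is shorter; the library is the same.
audit "$STRINGS_OUT" 'Server: Apache/1.3.6'
```

On a live host, feed `lib_openssl_version` from `strings /usr/lib/libssl.so` and take the header from a response to a HEAD request against your own server.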