[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] openssl exploitable still?

Subject: Re: [cobalt-security] openssl exploitable still?
From: "lists" <lists@xxxxxxxxxxxxxxxx>
Date: Tue, 17 Feb 2004 15:39:45 -0500
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

I dont understand it..

[root src]# openssl
OpenSSL> version
OpenSSL 0.9.7c 30 Sep 2003
OpenSSL>

But Apache still announces Server Version: Apache/1.3.20 Sun Cobalt (Unix)
mod_ssl/2.8.4 OpenSSL/0.9.6

I am in such a pinch here.

Dave
----- Original Message ----- 
From: "lists" <lists@xxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, February 17, 2004 3:29 PM
Subject: Re: [cobalt-security] openssl exploitable still?


> Well someone knows then, I am getting pages defaced (hidden IFRAMES for
> popups) and around the same time i get SSL handshake errors..
>
> How can I compile mod_ssl outside of apache?
>
> ./configure:Usage: ./configure [mod_ssl options] [APACI options]
> mod_ssl feedback options:
>   --help                  ...this message
[OPTIONAL]
>   --quiet                 ...configure totally quiet
[OPTIONAL]
>   --verbose               ...configure with verbosity
[OPTIONAL]
>   --force                 ...configure with disabled checks
[OPTIONAL]
>   --expert                ...configure without user hints
[OPTIONAL]
> mod_ssl configure options:
>   --with-apache=DIR       ...path to Apache 1.3.x source tree
[REQUIRED]
>   --with-apxs[=FILE]      ...path to APXS program
[OPTIONAL]
>   --with-ssl=DIR          ...path to OpenSSL source tree
[OPTIONAL]
>   --with-mm=DIR           ...path to MM source tree
[OPTIONAL]
>   --with-crt=FILE         ...path to SSL X.509 certificate file
[OPTIONAL]
>   --with-key=FILE         ...path to SSL RSA private key file
[OPTIONAL]
>   --with-patch=FILE       ...path to your vendor 'patch' program
[OPTIONAL]
>   --with-eapi-only        ...apply EAPI to Apache source only
[OPTIONAL]
> APACI configure options: [OPTIONAL]
>   --prefix=DIR            ...installation prefix for Apache
>   --...                   ...see INSTALL file of Apache for more options!
>
>
> Seems confusing.
>
> Dave
> ----- Original Message ----- 
> From: "Dmitry Alexeyev" <dmi_a@xxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Tuesday, February 17, 2004 3:11 PM
> Subject: Re: [cobalt-security] openssl exploitable still?
>
>
> > >
> > > Doesnt that mean my openssl/modssl is external library which can be
> > > upgraded without redoing apache/php4.3.3 and whatnot all over?
> > >
> >
> > Yes. Just compile mod_ssl outside of apache.
> > But you really should not worry about some public exploits - a cracker
> > needs to know the addrees of free() function in your binary. If they
> > have your httpd, they can exploit it.
> >
> > Dmitry
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>

Follow-Ups:
- Re: [cobalt-security] openssl exploitable still?
  - From: Dmitry Alexeyev

References:
- [cobalt-security] openssl exploitable still?
  - From: lists
- Re: [cobalt-security] openssl exploitable still?
  - From: Dmitry Alexeyev
- Re: [cobalt-security] openssl exploitable still?
  - From: lists
- Re: [cobalt-security] openssl exploitable still?
  - From: Dmitry Alexeyev
- Re: [cobalt-security] openssl exploitable still?
  - From: lists

Prev by Date: Re: [cobalt-security] openssl exploitable still?
Next by Date: Re: [cobalt-security] openssl exploitable still?
Previous by thread: Re: [cobalt-security] openssl exploitable still?
Next by thread: Re: [cobalt-security] openssl exploitable still?

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index