Did RedHat's OpenSSL patch miss Apache?
From: gf gf (unknownsoldier93_at_yahoo.com)
Date: 05/10/04
- Previous message: Geoffrey: "Re: Secure Form Script?"
- Next in thread: Jacob Robert Wilkins: "Re: Did RedHat's OpenSSL patch miss Apache?"
- Reply: Jacob Robert Wilkins: "Re: Did RedHat's OpenSSL patch miss Apache?"
- Reply: Todd Vierling: "Re: Did RedHat's OpenSSL patch miss Apache?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 9 May 2004 20:13:21 -0700 (PDT) To: focus-linux@securityfocus.com
A while ago, RedHat issued
https://rhn.redhat.com/errata/RHSA-2004-119.html
concerning security issues with OpenSSL.
It seems to me that Apache uses its own copy of
libssl, which is not part of the openssl RPM and hence
not updated by the RedHat RPM update. (And is still
vulnerable).
$ rpm -q -f /usr/lib/apache/libssl.so
mod_ssl-2.8.12-3
mod_ssl is not addressed in RHSA-2004-119.
(Although there is a previoud adivosory
https://rhn.redhat.com/errata/RHSA-2003-244.html about
mod_ssl, it does not seem to address these issues.)
It seems to me that, if I'm correct, this is a
critical issue - the RedHat patches are simply
uncomplete and the servers still vulnerable
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs
http://hotjobs.sweepstakes.yahoo.com/careermakeover
- Previous message: Geoffrey: "Re: Secure Form Script?"
- Next in thread: Jacob Robert Wilkins: "Re: Did RedHat's OpenSSL patch miss Apache?"
- Reply: Jacob Robert Wilkins: "Re: Did RedHat's OpenSSL patch miss Apache?"
- Reply: Todd Vierling: "Re: Did RedHat's OpenSSL patch miss Apache?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
