Re: Did RedHat's OpenSSL patch miss Apache?

From: Jacob Robert Wilkins (jrw_at_nplus1.net)
Date: 05/10/04

  • Next message: focus-linux_at_nym.hush.com: "RE: decent loadbalancing with 2 different ISP's with minimum risks"
    Date: Mon, 10 May 2004 13:19:00 -0400
    To: gf gf <unknownsoldier93@yahoo.com>
    
    

    On Sun, May 09, 2004 at 08:13:21PM -0700, gf gf wrote:
    > A while ago, RedHat issued
    > https://rhn.redhat.com/errata/RHSA-2004-119.html
    > concerning security issues with OpenSSL.
    >
    > It seems to me that Apache uses its own copy of
    > libssl, which is not part of the openssl RPM and hence
    > not updated by the RedHat RPM update. (And is still
    > vulnerable).
    >
    > $ rpm -q -f /usr/lib/apache/libssl.so
    > mod_ssl-2.8.12-3

    No problem here, /usr/lib/apache/libssl.so is actually just the apache
    module for mod_ssl. It would seem to be poorly named, but it should not
    be confused with the OpenSSL library.

    Note that /usr/lib/apache/libssl.so is linked against OpenSSL's libssl.

    [jrw@thorin jrw]$ ldd /usr/lib/apache/libssl.so
            libssl.so.2 => /lib/libssl.so.2 (0x2aae4000)
            libcrypto.so.2 => /lib/libcrypto.so.2 (0x2ab12000)
            libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
            libdl.so.2 => /lib/libdl.so.2 (0x2abd6000)
            /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x55555000)

    jrw


  • Next message: focus-linux_at_nym.hush.com: "RE: decent loadbalancing with 2 different ISP's with minimum risks"

    Relevant Pages

    • Re: Did RedHats OpenSSL patch miss Apache?
      ... Are you sure that's libssl the OpenSSL library and not libssl the Apache ... the /usr/lib/apache/libssl.so is just the Apache module glue and is properly ...
      (Focus-Linux)
    • Re: Python does not play well with others
      ... unwise for libraries. ... In the specific examples of OpenSSL, MySQL, and Apache, the modules ...
      (comp.lang.python)
    • Re: GCC 3.3
      ... > apache, sendmail, ip-filter, openssl and others all OK so far. ...
      (comp.unix.solaris)
    • Re: mod_ssl or openssl?
      ... SSL certificate through them, they asked whether it should be for ... Apache mod_ssl or for Apache + openssl. ... Maybe the 3 first link can help you to make the diff between both. ...
      (Fedora)
    • Re: mod_ssl or openssl?
      ... SSL certificate through them, they asked whether it should be for ... Apache mod_ssl or for Apache + openssl. ... Creating a certificate request, or a pair of public/private keys are ...
      (Fedora)