RE: [cobalt-users] Apache & SSL Update 2.0.1...
- Subject: RE: [cobalt-users] Apache & SSL Update 2.0.1...
- From: "Steven Young" <steven.young@xxxxxxxxxxxxxxx>
- Date: Wed Oct 2 20:21:52 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> I have patched a few RAQ3 and RAQ4 servers. All are up and
> running without any problems as far as we can see.
>
> The only thing we noticed are odd/old versions of Apache on
> RAQ3's and OpenSSL on both RAQ versions. Are we missing
> something or should we hope they are
> *REALLY* patched older versions...
>
>
> RAQ3's report now:
>
> # /usr/sbin/httpd -v
> Server version: Apache/1.3.6 (Unix)
> Server built: Aug 12 2002 10:48:50
>
> # /usr/sbin/openssl
> OpenSSL> version
> OpenSSL 0.9.2b 22 Mar 1999
>
>
> RAQ4's show:
>
> # /usr/sbin/httpd -v
> Server version: Apache/1.3.20 Sun Cobalt (Unix)
> Server built: Aug 6 2002 14:14:37
>
> # /usr/sbin/openssl
> OpenSSL> version
> OpenSSL 0.9.6b 9 Jul 2001
>
>
> Best regards,
>
> Tomi Crnicki - Abacus, Croatia
My newly updated RaQ3 says the same.

I get the impression from what I have read so far that the update
replaces Apache with the same version as before, but compiled against a
new version of OpenSSL. So Apache is fixed (although still old), but
OpenSSL and all other things that use it remain vulnerable. Have I got
this right?

I really find it quite amazing that Sun can take so much time to release
a half-hearted attempt of a security fix when others on the list have
done a better job in half the time without the resources Sun have. I can
only think the Sun Cobalt security / patch development team has been hit
by cost cutting and now consists of a single part-time programmer who
does 3 hours a week... A little harsh maybe and I know they have to test
it, etc, but really how long should that take?

I only meant to say 'My newly updated RaQ3 says the same'. It's late....

Steven