
Re: [cobalt-users] Apache & SSL Update 2.0.1...



Steven Young wrote:

> I get the impression from what I have read so far that the update
> replaces Apache with the same version as before, but compiled against a
> new version of OpenSSL. So Apache is fixed (although still old), but
> OpenSSL and all other things that use it remain vulnerable. Have I got
> this right?

They didn't even go that far. The version of libssl in /usr/lib/apache is
still linked against OpenSSL 0.9.6b (there's no way that it could be linked
against anything else since that's the only version that's installed).
Instead they simply recompiled the httpd binary with the StackGuard compiler
in an attempt to prevent Apache from being crashed using buffer overflows.
For more information on StackGuard please see:

http://immunix.org/stackguard.html

This in no way addresses the problems in OpenSSL:

http://www.openssl.org/news/secadv_20020730.txt
http://www.cert.org/advisories/CA-2002-23.html

At the very least they should be re-releasing any binaries on the system
that link against OpenSSL. It's Apache today, is it going to be APOP
tomorrow?

They could also address the issues with the following:

http://online.securityfocus.com/bid/5529
http://online.securityfocus.com/bid/4208
http://online.securityfocus.com/bid/4209
http://online.securityfocus.com/bid/4211

Etc. Etc. Etc. Etc.

I'll stop preaching to the choir.

-- Travis
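The point Travis makes, that recompiling httpd does nothing for the libssl it still loads, is something an administrator can check for every binary on the box rather than taking it on faith. The script below is an added example, not code from the post or from the Cobalt update: it inventories every executable and shared object that dynamically links libssl/libcrypto, reads the "OpenSSL x.y.z" version text embedded in the library actually loaded (the soname libssl.so.0.9.6 cannot distinguish 0.9.6b from a fixed letter release), and flags anything older than the fixed version. Assumptions: the 0.9.6e threshold is taken from the OpenSSL advisory linked above and can be overridden; /usr/lib/apache is the path the post gives, the other scan directories are typical defaults; the `ldd` output shown is constructed for illustration, not captured from a RaQ.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from the Cobalt update:
# inventory every binary that dynamically links libssl/libcrypto and read the
# version text embedded in the library it actually loads, so that a rebuilt
# httpd is not mistaken for a fixed OpenSSL.

# Parse `ldd` output (on stdin) and keep only the OpenSSL libraries.
# Prints one "soname => resolved-path" line per library; "not found" is kept
# so an unresolved dependency is still reported.
ssl_deps_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\./ {
        path = ($3 == "not") ? "not found" : $3
        print $1 " => " path
    }'
}

# Read the "OpenSSL x.y.z[letter]" text that libcrypto/libssl embed
# (OPENSSL_VERSION_TEXT) and print just the version, e.g. 0.9.6b.
# Prints nothing when the file is unreadable or carries no such string.
openssl_version_of_lib() {
    [ -r "$1" ] || return 0
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' | head -n 1 |
        sed 's/^OpenSSL //'
}

# True when VERSION is older than the first fixed release. The default,
# 0.9.6e, is an assumption taken from the OpenSSL advisory linked in the
# post; pass a second argument to use a different threshold. The comparison
# is lexical, which is adequate for 0.9.x[letter]-style version strings.
openssl_is_older_than_fix() {
    [ "$(expr "$1" \< "${2:-0.9.6e}")" = 1 ]
}

# Walk the given directories and report every executable or shared object
# that links OpenSSL, tagged NEEDS-REBUILD when the library it loads is
# older than the fixed release (or cannot be checked). Output is
# tab-separated: status, binary, dependency, library version.
# Note: ldd runs the dynamic loader on the target; for binaries you do not
# trust, list NEEDED entries with `objdump -p` or `readelf -d` instead.
scan_for_openssl_users() {
    for dir in "$@"; do
        find "$dir" -type f \( -perm -100 -o -name '*.so*' \) 2>/dev/null |
        while IFS= read -r bin; do
            ldd "$bin" 2>/dev/null | ssl_deps_from_ldd |
            while IFS= read -r dep; do
                lib=${dep##* => }
                ver=$(openssl_version_of_lib "$lib")
                if openssl_is_older_than_fix "${ver:-0}"; then
                    status=NEEDS-REBUILD
                else
                    status=ok
                fi
                printf '%s\t%s\t%s\t%s\n' "$status" "$bin" "$dep" "${ver:-unknown}"
            done
        done
    done
}

# Constructed sample of what `ldd /usr/lib/apache/httpd` might print on a
# host still carrying the 0.9.6 series (illustrative, not captured from a RaQ).
SAMPLE_LDD='	libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40020000)
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40052000)
	libc.so.6 => /lib/libc.so.6 (0x40100000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Parse the constructed sample; the soname alone only says "0.9.6 series",
# which is why scan_for_openssl_users reads the version out of the library.
sample_openssl_deps() {
    printf '%s\n' "$SAMPLE_LDD" | ssl_deps_from_ldd
}

# Usage: sh find-openssl-users.sh /usr/sbin /usr/lib/apache
# (/usr/lib/apache is the location the post gives for httpd and libssl;
#  the other directories are assumptions for a typical install.)
if [ "$#" -gt 0 ]; then
    scan_for_openssl_users "$@"
fi
```

Run it against the directories holding network daemons (the post's /usr/lib/apache plus wherever the POP/IMAP and mail binaries live) and every NEEDS-REBUILD line is a binary that still has to be relinked or replaced after OpenSSL itself is upgraded; a StackGuard rebuild of httpd alone leaves all of them in that state.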