Re: SSL update.. still giving me a Vulnerable status



On Wednesday, 2002-09-18 at 16:26:27 +1000, Jeroen de Leeuw den Bouter wrote:

> > On my Woody machine, after I restarted httpd, I get

> > 1.2.3.4 443 PATCHED: detects small overflow, but crashes (0.9.6e)
> 1.2.3.4 443 VULNERABLE: does not detect small overflow

> I don't get that number behind it btw...

The OpenSSL version is what the program thinks it found - the behaviour
is typical for 0.9.6e. This being a woody machine, the version is wrong.

I just remembered that I compiled Apache myself on that particular
machine, so I can't really speak for the Apache Debian package.

Can you please do a "ldd /usr/sbin/apache-ssl"? You should see something
like this (from a sarge machine):

	libm.so.6 => /lib/libm.so.6 (0x4001d000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x4003e000)
	libdb.so.2 => /lib/libdb.so.2 (0x4006b000)
	libdb2.so.2 => /lib/libdb2.so.2 (0x40078000)
	libexpat.so.1 => /usr/lib/libexpat.so.1 (0x400b9000)
	libdl.so.2 => /lib/libdl.so.2 (0x400da000)
	libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400dd000)
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4010a000)
	libc.so.6 => /lib/libc.so.6 (0x401c4000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Then, identify the packages the SSL libraries come from:

dpkg -S /usr/lib/libssl.so.0.9.6 /usr/lib/libcrypto.so.0.9.6
libssl0.9.6: /usr/lib/libssl.so.0.9.6
libssl0.9.6: /usr/lib/libcrypto.so.0.9.6

And check the version of that package:
dpkg -l libssl0.9.6
Sarge:
ii  libssl0.9.6               0.9.6e-1                  SSL shared libraries
Woody:
ii  libssl0.9.6               0.9.6c-2.woody.1          SSL shared libraries

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |
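The three manual steps above (ldd, dpkg -S, dpkg -l) can be chained into one script. This is an added example, not part of Lupe's mail; the function names are mine, and the ldd sample below is constructed from the sarge output quoted above.

```sh
#!/bin/sh
# Added example: find which Debian package provides the OpenSSL libraries a
# binary is actually linked against, and which version of it is installed.

# extract_ssl_libs: read ldd output on stdin and print the resolved paths of
# the OpenSSL libraries (libssl.so.*, libcrypto.so.*), one per line.
extract_ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# installed_version PACKAGE: installed version as reported by "dpkg -l"
# (only the "ii" line, i.e. a package that is really installed).
installed_version() {
    dpkg -l "$1" 2>/dev/null | awk '$1 == "ii" { print $3 }'
}

# ssl_packages BINARY: for each OpenSSL library BINARY links dynamically,
# print "library -> package version". Needs ldd and dpkg, i.e. a Debian host.
# If nothing is printed, the binary does not use the system libssl/libcrypto
# at all (e.g. a self-compiled Apache with OpenSSL linked in statically), so
# the package version says nothing about whether it is fixed.
ssl_packages() {
    libs=$(ldd "$1" | extract_ssl_libs)
    if [ -z "$libs" ]; then
        echo "$1: no dynamically linked OpenSSL library found" >&2
        return 1
    fi
    for lib in $libs; do
        pkg=$(dpkg -S "$lib" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] || { echo "$lib: not owned by any package" >&2; continue; }
        printf '%s -> %s %s\n' "$lib" "$pkg" "$(installed_version "$pkg")"
    done | sort -u
}

# Constructed sample ldd output (a subset of the sarge listing in the mail),
# used to exercise extract_ssl_libs without a real binary.
SAMPLE_LDD='	libm.so.6 => /lib/libm.so.6 (0x4001d000)
	libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400dd000)
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4010a000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Typical use on a Debian host: ssl_packages /usr/sbin/apache-ssl
```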
