Re: SSL update.. still giving me a Vulnerable status
On Wednesday, 2002-09-18 at 16:26:27 +1000, Jeroen de Leeuw den Bouter wrote:

> > On my Woody machine, after I restarted httpd, I get
> > 1.2.3.4 443 PATCHED: detects small overflow, but crashes (0.9.6e)
> 1.2.3.4 443 VULNERABLE: does not detect small overflow
> I don't get that number behind it btw...

The OpenSSL version is what the program thinks it found - the behaviour
is typical for 0.9.6e. This being a woody machine, the version is wrong.
I just remembered that I compiled Apache myself on that particular
machine, so I can't really speak for the Apache Debian package.

Can you please do a "ldd /usr/sbin/apache-ssl"? You should see something
like this (from a sarge machine):

    libm.so.6 => /lib/libm.so.6 (0x4001d000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x4003e000)
    libdb.so.2 => /lib/libdb.so.2 (0x4006b000)
    libdb2.so.2 => /lib/libdb2.so.2 (0x40078000)
    libexpat.so.1 => /usr/lib/libexpat.so.1 (0x400b9000)
    libdl.so.2 => /lib/libdl.so.2 (0x400da000)
    libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400dd000)
    libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4010a000)
    libc.so.6 => /lib/libc.so.6 (0x401c4000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Then, identify the packages the SSL libraries come from:

    dpkg -S /usr/lib/libssl.so.0.9.6 /usr/lib/libcrypto.so.0.9.6
    libssl0.9.6: /usr/lib/libssl.so.0.9.6
    libssl0.9.6: /usr/lib/libcrypto.so.0.9.6

And check the version of that package:

    dpkg -l libssl0.9.6

Sarge:

    ii libssl0.9.6 0.9.6e-1 SSL shared libraries

Woody:

    ii libssl0.9.6 0.9.6c-2.woody.1 SSL shared libraries

HTH,
Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |
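
The three checks from the message above (ldd, dpkg -S, dpkg -l) chained into one script, as an added example that is not part of the original message. The function names and the sample ldd text are constructed for illustration, and `dpkg-query -W` stands in for `dpkg -l` so that only package name and version are printed.

```shell
#!/bin/sh
# Usage: sh thisfile /usr/sbin/apache-ssl   (needs ldd and dpkg on the host)

# Constructed sample, shaped like the ldd listing in the message.
SAMPLE_LDD='	libm.so.6 => /lib/libm.so.6 (0x4001d000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x4003e000)
	libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400dd000)
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4010a000)
	libc.so.6 => /lib/libc.so.6 (0x401c4000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# stdin: ldd output. stdout: resolved paths of libssl/libcrypto only.
# libcrypt.so.1 (the libc password library) must not match.
ssl_libs_from_ldd() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ && $3 ~ /^\// { print $3 }'
}

# stdin: "package: /path" lines as printed by dpkg -S.
# stdout: unique package names.
pkgs_from_dpkg_search() {
    awk -F': ' 'NF > 1 { print $1 }' | sort -u
}

# Full chain for one binary: linked SSL libraries -> owning packages -> versions.
check_binary() {
    libs=$(ldd "$1" | ssl_libs_from_ldd)
    if [ -z "$libs" ]; then
        # A self-compiled server may carry OpenSSL statically; upgrading
        # the libssl package does not change such a binary.
        echo "$1: no libssl/libcrypto in ldd output (OpenSSL may be linked statically)" >&2
        return 1
    fi
    printf '%s\n' "$libs" |
        while read -r lib; do dpkg -S "$lib"; done |
        pkgs_from_dpkg_search |
        while read -r pkg; do
            dpkg-query -W -f='${Package} ${Version}\n' "$pkg"
        done
}

# Only run the live check when a binary path is given.
[ "$#" -eq 0 ] || check_binary "$1"
```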