Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities

To: debian-security@lists.debian.org
Cc: security@debian.org, "Matt Zimmerman mdz"@debian.org
Subject: Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
From: Rhesa Rozendaal <rhesa@rhesa.com>
Date: Tue, 27 Jul 2004 13:01:10 +0200
Message-id: <[🔎] 410635F6.8080108@rhesa.com>
In-reply-to: <20040723032933.GZ4126@alcor.net>
References: <20040723032933.GZ4126@alcor.net>

Matt Zimmerman wrote:

- --------------------------------------------------------------------------
Debian Security Advisory DSA 532-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
July 22nd, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libapache-mod-ssl
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0488 CAN-2004-0700

This is an absolute first for me: this update broke my webserver! I'vebeen using Debian stable for some 5 years now, and never had any troublewith security updates.


The main reason is that it adds the line

	LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

to the apache config file /etc/apache/httpd.conf.

Here's why this breaks my setup: I run two instances of apache, alight-weight frontend server that handles static content and proxiesdynamic requests to a big backend mod_perl instance that runs on

the internal interface only. This is a common mod_perl configuration.

In my case, the frontend handles SSL connections. Its config file is/etc/apache/ht-light.conf.

The backend instance uses the original filename /etc/apache/httpd.conf.

The frontend is already bound to port 443. The backend tried to restart,but now has a load mod_ssl line, and can't start. And now ourapplication won't run...

Luckily I knew where to look to fix it, but this was after a night ofdowntime, because I didn't bother to check: after installation I figuredeverything was okay, because 1) I trust the updates and 2) everythingkept running fine. I wish I had done a restart.

Mind you, the downtime ws limmited to some 5 hours, while it was nightin the USA, so there's hardly any damage done wrt our customers. There'sjust a small dent in my confidence regarding Debian now.

My advice would be to _not_ add the LoadModule line to the apacheconfig: if this security update needs installing, it is very likely thatSSL is already configured correctly. At the very least, make it aquestion that I can answer yes or no to.

Again, this is the first time in 5 years I had a problem with a securityupdate. I'm still very satisfied with Debian, and still very impressedwith the stability and promptness of security fixes.


Kind regards,

Rhesa Rozendaal

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
  - From: Radu Spineanu <radus@smartpost.ro>
- Re: [d-security] Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
  - From: Christian Hammers <ch@lathspell.de>
- Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Invitation
Next by Date: Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
Previous by thread: Invitation
Next by thread: Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
Index(es):
- Date
- Thread