[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities

Matt Zimmerman wrote:

- --------------------------------------------------------------------------
Debian Security Advisory DSA 532-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
July 22nd, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libapache-mod-ssl
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0488 CAN-2004-0700

This is an absolute first for me: this update broke my webserver! I've been using Debian stable for some 5 years now, and never had any trouble with security updates.

The main reason is that it adds the line

	LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

to the apache config file /etc/apache/httpd.conf.

Here's why this breaks my setup: I run two instances of apache, a light-weight frontend server that handles static content and proxies dynamic requests to a big backend mod_perl instance that runs on
the internal interface only. This is a common mod_perl configuration.

In my case, the frontend handles SSL connections. Its config file is /etc/apache/ht-light.conf.
The backend instance uses the original filename /etc/apache/httpd.conf.
The frontend is already bound to port 443. The backend tried to restart, but now has a load mod_ssl line, and can't start. And now our application won't run...

Luckily I knew where to look to fix it, but this was after a night of downtime, because I didn't bother to check: after installation I figured everything was okay, because 1) I trust the updates and 2) everything kept running fine. I wish I had done a restart.

Mind you, the downtime ws limmited to some 5 hours, while it was night in the USA, so there's hardly any damage done wrt our customers. There's just a small dent in my confidence regarding Debian now.

My advice would be to _not_ add the LoadModule line to the apache config: if this security update needs installing, it is very likely that SSL is already configured correctly. At the very least, make it a question that I can answer yes or no to.

Again, this is the first time in 5 years I had a problem with a security update. I'm still very satisfied with Debian, and still very impressed with the stability and promptness of security fixes.

Kind regards,

Rhesa Rozendaal

Reply to: