Re: OpenSSL Heartbleed bug, Apache still vulnerable?

To: debian-user@lists.debian.org
Subject: Re: OpenSSL Heartbleed bug, Apache still vulnerable?
From: Jochen Spieker <ml@well-adjusted.de>
Date: Tue, 8 Apr 2014 18:15:08 +0200
Message-id: <[🔎] 20140408161507.GB21675@well-adjusted.de>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20140408145629.GB22048@x101h>
References: <[🔎] 20140408144912.GA21675@well-adjusted.de> <[🔎] 20140408145629.GB22048@x101h>

Reco:
> Hi.
> 
> On Tue, Apr 08, 2014 at 04:49:13PM +0200, Jochen Spieker wrote:
> 
>> Am I doing anything wrong? Is the testing tool broken? I also tried the
>> one at https://gist.github.com/takeshixx/10107280 which confirms there
>> is still a problem on port 443 (HTTPS served by Apache).
> 
> No, chances are, you're using the tool correctly.
> I'm using this [1] to test servers for this vulnerability (as I can't
> force myself to install Go), and your server shows as vulnerable.
> 
> [1] http://pastebin.com/WmxzjkXJ

Thanks for confirming this. But I don't get how this is possible. I
upgraded the library that Apache (supposedly) uses and rebooted the
machine afterwards. I even re-installed all Apache packages just to make
that they are ok.

J.
-- 
Fashion is more important to me than war, famine, disease or art.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- OpenSSL Heartbleed bug, Apache still vulnerable?
  - From: Jochen Spieker <ml@well-adjusted.de>
- Re: OpenSSL Heartbleed bug, Apache still vulnerable?
  - From: Reco <recoverym4n@gmail.com>

Prev by Date: Re: vesa mode code?
Next by Date: Re: vesa mode code?
Previous by thread: Re: OpenSSL Heartbleed bug, Apache still vulnerable?
Next by thread: Re: OpenSSL Heartbleed bug, Apache still vulnerable?
Index(es):
- Date
- Thread