[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OpenSSL Heartbleed bug, Apache still vulnerable?

Sven Hartge:
> Jochen Spieker <ml@well-adjusted.de> wrote:
>> I have the most recent version and it still reports my system to be
>> vulnerable.
> Are you sure you restarted the right system? (Just asking, had the same
> problem today, was looking at a totally different system than the one I
> thought I was looking at.)

Yes, I am sure. :)

> Maybe apache is using a different libssl than the one from the system.
> What does "ldd /usr/lib/apache2/modules/mod_ssl.so" say?

Ah, thanks. I tried ldd on the apache binary already but that is not
linked against libssl.

$ ldd /usr/lib/apache2/modules/mod_ssl.so
        linux-vdso.so.1 =>  (0x00007ffffdd22000)
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fe3c8139000)
        libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fe3c7d42000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe3c7b25000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe3c779a000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe3c7596000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fe3c737e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe3c85d3000)

Thinking about this … what I actually use is mod_spdy which is not
linked against libssl. It probably has the same bug …

Yes, here it is:

| Note that just disabling the spdy module in Apache won't work, because
| the SSL library itself is replaced. Easiest fix on Debian is to remove
| the mod-spdy package from the system (for now).

Thanks for helping me to find this. After removing mod-spdy-beta
and stopping and starting Apache, the test tools deem my system safe.

I no longer believe in father christmas but have no trouble
comprehending a nuclear apocalypse.
[Agree]   [Disagree]

Attachment: signature.asc
Description: Digital signature

Reply to: