Sven Hartge:
> Jochen Spieker <ml@well-adjusted.de> wrote:
>
>> I have the most recent version and it still reports my system to be
>> vulnerable.
>
> Are you sure you restarted the right system? (Just asking, had the same
> problem today, was looking at a totally different system than the one I
> thought I was looking at.)

Yes, I am sure. :)

> Maybe apache is using a different libssl than the one from the system.
> What does "ldd /usr/lib/apache2/modules/mod_ssl.so" say?

Ah, thanks. I tried ldd on the apache binary already but that is not
linked against libssl.

    $ ldd /usr/lib/apache2/modules/mod_ssl.so
        linux-vdso.so.1 => (0x00007ffffdd22000)
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fe3c8139000)
        libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fe3c7d42000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe3c7b25000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe3c779a000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe3c7596000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fe3c737e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe3c85d3000)

Thinking about this … what I actually use is mod_spdy which is not
linked against libssl. It probably has the same bug …

Yes, here it is:

https://code.google.com/p/mod-spdy/issues/detail?id=85

| Note that just disabling the spdy module in Apache won't work, because
| the SSL library itself is replaced. Easiest fix on Debian is to remove
| the mod-spdy package from the system (for now).

Thanks for helping me to find this. After removing mod-spdy-beta
and stopping and starting Apache, the test tools deem my system safe.

J.
--
I no longer believe in father christmas but have no trouble
comprehending a nuclear apocalypse.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
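
The situation in this message, a module that brings its own OpenSSL code and so shows no libssl line in ldd output, can be checked for by looking for OpenSSL version banners inside the module files. The script below is an added example, not part of the original message or of mod-spdy; the function names are hypothetical and the sample files and the version string in them are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find Apache modules that carry their
# own OpenSSL code. Function names are hypothetical.

# Print each distinct "OpenSSL x.y.z[letter]" banner embedded in a file.
# A statically bundled copy keeps these strings even though ldd lists no libssl.
embedded_openssl() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*' \
        "$1" 2>/dev/null | sort -u
}

# Classify one shared object:
#   dynamic  - resolves libssl through the loader, so the system package decides
#   bundled  - no libssl dependency, but OpenSSL banners inside the file
#   none     - neither
# ldd is checked first because a dynamically linked module can also embed the
# version text of the headers it was built against.
classify_module() {
    if ldd "$1" 2>/dev/null | grep -q 'libssl\.so'; then
        echo "dynamic"
    elif [ -n "$(embedded_openssl "$1")" ]; then
        echo "bundled: $(embedded_openssl "$1" | paste -sd, -)"
    else
        echo "none"
    fi
}

# One line per *.so in the directory: name, tab, classification.
scan_modules() {
    for f in "$1"/*.so; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "${f##*/}" "$(classify_module "$f")"
    done
}

# Constructed sample files (plain bytes, not real ELF objects) so this runs anywhere.
demo=$(mktemp -d)
printf 'x\000AES part of OpenSSL 1.0.1e 11 Feb 2013\000y' > "$demo/mod_bundled.so"
printf 'no tls code in here' > "$demo/mod_plain.so"
scan_modules "$demo"
rm -rf "$demo"
# On a real host: scan_modules /usr/lib/apache2/modules
```

A "bundled" result means upgrading the system libssl package does not change the code that module runs; the module's own package has to be updated or removed. Run ldd only on files from packages you trust.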