
OpenSSL problem: is mod_ssl also vulnerable?

Hi,

sorry, no announcement, but a (perhaps important) question:

Does anyone know whether mod_ssl (used with Apache 1.3) is also
vulnerable? Currently, the last version seen on their webpage is 2.8.10
(24 June 2002).

Thank you very much,
Peter
Re: OpenSSL problem: is mod_ssl also vulnerable?
On Wed, Jul 31, 2002 at 08:50:31AM +0200, Peter Bieringer wrote:
> does anyone know whether mod_ssl (used with Apache 1.3) is also
> vulnerable. Currently, last version seen on their webpage is 2.8.10
> (24 June 2002).

Yes, the OpenSSL vulnerability can be triggered through mod_ssl.

But you don't need a new mod_ssl version to be safe against it. Only bring
OpenSSL up to date, and your mod_ssl module will be safe.

--
__ /*- Frank DENIS (Jedi/Sector One) <j@42-Networks.Com> -*\ __
\ '/ <http://www.PureFTPd.Org/> Secure FTP Server \' /
\/ <http://www.Jedi.Claranet.Fr/> Misc. free software \/
Re: OpenSSL problem: is mod_ssl also vulnerable?
On 31 Jul 2002 at 09:13 +0200, Jedi/Sector One wrote:
> But you don't need a new mod_ssl version to be safe against it.
> Only bring OpenSSL up to date, and your mod_ssl module will be
> safe.

...if it is linked dynamically. Make sure.

--
MfG/best regards, helmut springer delta@citecs.de
Re: OpenSSL problem: is mod_ssl also vulnerable?
On Wednesday, 31 July 2002 09:13, Jedi/Sector One wrote:
> On Wed, Jul 31, 2002 at 08:50:31AM +0200, Peter Bieringer wrote:
> > does anyone know whether mod_ssl (used with Apache 1.3) is also
> > vulnerable. Currently, last version seen on their webpage is 2.8.10
> > (24 June 2002).
>
> Yes, the OpenSSL vulnerability can be triggered through mod_ssl.
>
> But you don't need a new mod_ssl version to be safe against it. Only
> bring OpenSSL up to date, and your mod_ssl module will be safe.

And what about apache-2.0.39 with SSL enabled?
Nothing on apache.org so far.
apache-2.0.x includes code from the mod_ssl project I guess, right?

Greetings, t.o.
--
Thomas Oppel
thomas.oppel@arenfels.de
Re: OpenSSL problem: is mod_ssl also vulnerable?
On Wed, 31 Jul 2002, Thomas Oppel wrote:

> On Wednesday, 31 July 2002 09:13, Jedi/Sector One wrote:
> > On Wed, Jul 31, 2002 at 08:50:31AM +0200, Peter Bieringer wrote:
> > > does anyone know whether mod_ssl (used with Apache 1.3) is also
> > > vulnerable. Currently, last version seen on their webpage is 2.8.10
> > > (24 June 2002).
> >
> > Yes, the OpenSSL vulnerability can be triggered through mod_ssl.
> >
> > But you don't need a new mod_ssl version to be safe against it. Only
> > bring OpenSSL up to date, and your mod_ssl module will be safe.
>
> And what about apache-2.0.39 with SSL enabled?
> Nothing on apache.org so far.
> apache-2.0.x includes code from the mod_ssl project I guess, right?


The key to the openssl issue is the same here: get fixed openssl sources,
and recompile with them as the reference bases, just as with mod-ssl on
apache 1.3.x.

Now for those with less than trustworthy local users <smile>, and relying
upon apache 1.3.x/mod-ssl/libmm compiles, there is the additional question
of whether there is a new mm package available.

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
Re: OpenSSL problem: is mod_ssl also vulnerable?
And since I made this request for info on another list, relating to libmm
sources, here is the answer:


yes, there is a new version of mm available on
http://www.ossp.org/pkg/lib/mm/
( Status: Stable Version: 1.2.1 (28-Jul-2002) )

The advisory is here:
http://www.openpkg.org/security/OpenPKG-SA-2002.007-mm.html


Thanks,

Ron DuFresne


On Wed, 31 Jul 2002, Thomas Oppel wrote:

> On Wednesday, 31 July 2002 09:13, Jedi/Sector One wrote:
> > On Wed, Jul 31, 2002 at 08:50:31AM +0200, Peter Bieringer wrote:
> > > does anyone know whether mod_ssl (used with Apache 1.3) is also
> > > vulnerable. Currently, last version seen on their webpage is 2.8.10
> > > (24 June 2002).
> >
> > Yes, the OpenSSL vulnerability can be triggered through mod_ssl.
> >
> > But you don't need a new mod_ssl version to be safe against it. Only
> > bring OpenSSL up to date, and your mod_ssl module will be safe.
>
> And what about apache-2.0.39 with SSL enabled?
> Nothing on apache.org so far.
> apache-2.0.x includes code from the mod_ssl project I guess, right?
>
> Greetings, t.o.
> --
> Thomas Oppel
> thomas.oppel@arenfels.de
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>

Re: OpenSSL problem: is mod_ssl also vulnerable?
>
> The key to the openssl issue is the same here: get fixed openssl sources,
> and recompile with them as the reference bases, just as with mod-ssl on
> apache 1.3.x.
>
> Now for those with less than trustworthy local users <smile>, and relying
> upon apache 1.3.x/mod-ssl/libmm compiles, there is the additional question
> of whether there is a new mm package available.
>

There is: Ralf Engelschall has published a new version. See

Homepage: http://www.ossp.org/pkg/lib/mm/
Release: ftp://www.ossp.org/pkg/lib/mm/mm-1.2.0.tar.gz
Patch: ftp://www.ossp.org/pkg/lib/mm/mm-1.1.3-sec.patch

Again, same procedure as with mod_ssl/openssl: as long as your apache
module (/usr/lib/apache/libssl.so) is linked dynamically against the
openssl libraries, and as long as your apache daemon (/usr/sbin/httpd) is
linked dynamically against libmm, you can simply update the respective
package that contains the library and restart the webserver; it should run
fine.

If you upgrade the version of one or more of the packages, you will have
to recompile.

> Thanks,
> Ron DuFresne

Thanks,
Roman.
--
| Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see, |
| SuSE Linux AG - Security Phone: // you need vision!" |
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
--
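The dynamic-versus-static distinction that Helmut and Roman raise above decides whether a library package update plus restart is enough or a rebuild is needed. The following is an added example, not code from the thread or from any of the projects named in it: it classifies ldd(1) output for a given library and maps the result to the action the thread recommends. The paths /usr/lib/apache/libssl.so and /usr/sbin/httpd come from Roman's message; the sonames in the constructed sample output are assumptions.

```shell
# classify_ldd_output LIBNAME   (ldd output on stdin)
# Prints "dynamic" if LIBNAME.so* is a runtime dependency, "static" if ldd
# says the file is statically linked, else "unknown" (the library code may
# be compiled in, or the file may not use it at all): rebuild to be sure.
classify_ldd_output() {
    lib="$1"
    out=$(cat)
    case "$out" in
        *"not a dynamic executable"*|*"statically linked"*)
            echo static
            return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q "^[[:space:]]*${lib}\.so"; then
        echo dynamic
    else
        echo unknown
    fi
}

# advice KIND -> the action the thread recommends for that link kind
advice() {
    case "$1" in
        dynamic) echo "update the library package and restart httpd" ;;
        *)       echo "rebuild against the fixed library sources" ;;
    esac
}

# check_binary PATH LIBNAME -> run ldd(1) on a real file and print a verdict
check_binary() {
    kind=$(ldd "$1" 2>&1 | classify_ldd_output "$2")
    printf '%s (%s): %s -> %s\n' "$1" "$2" "$kind" "$(advice "$kind")"
}

# Constructed ldd output (assumed sonames, not captured from a real host):
# a mod_ssl module linked dynamically against OpenSSL, and a static httpd.
SAMPLE_DYNAMIC_MODULE=$(printf '\tlibssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40020000)\n\tlibcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40050000)\n\tlibc.so.6 => /lib/libc.so.6 (0x40120000)')
SAMPLE_STATIC_HTTPD=$(printf '\tnot a dynamic executable')

# Offline demo on the constructed samples; on a real host you would run e.g.
# check_binary /usr/lib/apache/libssl.so libssl   and   check_binary /usr/sbin/httpd libmm
demo() {
    printf '%s\n' "$SAMPLE_DYNAMIC_MODULE" | classify_ldd_output libssl   # dynamic
    printf '%s\n' "$SAMPLE_STATIC_HTTPD" | classify_ldd_output libmm      # static
    printf '%s\n' "$SAMPLE_DYNAMIC_MODULE" | classify_ldd_output libmm    # unknown
}
```

An "unknown" result for a module that is known to contain SSL code means the library is compiled in, so the package update alone does not fix it.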
Re: OpenSSL problem: what about apache2 binaries?
Hi,

--On Wednesday, 31 July 2002 08:50 +0200 Peter Bieringer <pb@bieringer.de>
wrote:

> sorry, no announcement, but a (perhaps important) question:
>
> does anyone know whether mod_ssl (used with Apache 1.3) is also
> vulnerable. Currently, last version seen on their webpage is 2.8.10
> (24 June 2002).

Next question: what about the apache2 binaries (especially for Windows)?

Apache2 has built-in SSL capability, I think (but not tested) also in the
Windows binary. If yes, which SSL code is used here?

Latest available is 2.0.39 from 18-Jun-2002
http://www.apache.org/dist/httpd/binaries/win32/

Thank you very much for more information,

Peter
Re: OpenSSL problem: what about apache2 binaries?

Hi,

--On Friday, 2 August 2002 13:58 -0500 Ron DuFresne
<dufresne@winternet.com> wrote:

>> Apache2 has built-in SSL capability, I think (but not tested) also in the
>> Windows binary. If yes, which SSL code is used here?
>>
>> Latest available is 2.0.39 from 18-Jun-2002
>> http://www.apache.org/dist/httpd/binaries/win32/
>
>
> The issue is not with the mod-ssl code in either 1.3 or 2.0 versions of
> apache, it's with the openssl code, so upgrade openssl, then recompile your
> apache, which is most likely linked off the openssl stuff.

That's ok for *nix systems, but for the Windows platform it's not so easy
(I have no Windows compiler here). Also I think that the SSL code in 2.0
has to be linked statically, or an OpenSSL lib is included in the Apache2
installer. Both result in a recompile/repackage, I think.

Comment?

Peter

--
Dr. Peter Bieringer Phone: +49-8102-895190
AERAsec Network Services and Security GmbH Fax: +49-8102-895199
Wagenberger Straße 1 Mobile: +49-174-9015046
D-85662 Hohenbrunn mailto:pbieringer@aerasec.de
Germany Internet: http://www.aerasec.de
PGP/GPG: http://www.aerasec.de/wir/publickeys/PeterBieringer.asc
