I dont understand it.. [root src]# openssl OpenSSL> version OpenSSL 0.9.7c 30 Sep 2003 OpenSSL>
But Apache still announces Server Version: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6 I am in such a pinch here. Dave ----- Original Message ----- From: "lists" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, February 17, 2004 3:29 PM Subject: Re: [cobalt-security] openssl exploitable still? > Well someone knows then, I am getting pages defaced (hidden IFRAMES for > popups) and around the same time i get SSL handshake errors.. > > How can I compile mod_ssl outside of apache? > > ./configure:Usage: ./configure [mod_ssl options] [APACI options] > mod_ssl feedback options: > --help ...this message [OPTIONAL] > --quiet ...configure totally quiet [OPTIONAL] > --verbose ...configure with verbosity [OPTIONAL] > --force ...configure with disabled checks [OPTIONAL] > --expert ...configure without user hints [OPTIONAL] > mod_ssl configure options: > --with-apache=DIR ...path to Apache 1.3.x source tree [REQUIRED] > --with-apxs[=FILE] ...path to APXS program [OPTIONAL] > --with-ssl=DIR ...path to OpenSSL source tree [OPTIONAL] > --with-mm=DIR ...path to MM source tree [OPTIONAL] > --with-crt=FILE ...path to SSL X.509 certificate file [OPTIONAL] > --with-key=FILE ...path to SSL RSA private key file [OPTIONAL] > --with-patch=FILE ...path to your vendor 'patch' program [OPTIONAL] > --with-eapi-only ...apply EAPI to Apache source only [OPTIONAL] > APACI configure options: [OPTIONAL] > --prefix=DIR ...installation prefix for Apache > --... ...see INSTALL file of Apache for more options! > > > Seems confusing. > > Dave > ----- Original Message ----- > From: "Dmitry Alexeyev" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Tuesday, February 17, 2004 3:11 PM > Subject: Re: [cobalt-security] openssl exploitable still? > > > > > > > > Doesnt that mean my openssl/modssl is external library which can be > > > upgraded without redoing apache/php4.3.3 and whatnot all over? > > > > > > > Yes. Just compile mod_ssl outside of apache. > > But you really should not worry about some public exploits - a cracker > > needs to know the addrees of free() function in your binary. If they > > have your httpd, they can exploit it. > > > > Dmitry > > > > _______________________________________________ > > cobalt-security mailing list > > [EMAIL PROTECTED] > > http://list.cobalt.com/mailman/listinfo/cobalt-security > > > > _______________________________________________ > cobalt-security mailing list > [EMAIL PROTECTED] > http://list.cobalt.com/mailman/listinfo/cobalt-security > _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
