> I don't understand it..
>
> [root src]# openssl
> OpenSSL> version
> OpenSSL 0.9.7c 30 Sep 2003
> OpenSSL>
>
> But Apache still announces Server Version: Apache/1.3.20 Sun Cobalt
> (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6

The Apache source RPM from Cobalt has OpenSSL already in it, and it is a patched version 0.9.6. I tried to rebuild it with recent apache/mod_perl/mod_ssl etc., but failed. I guess this spec has to be rewritten completely from scratch, which I am planning to do tomorrow.

If your server keeps being defaced, then you have a bug somewhere in CGI/PHP or even a rootkit installed. If you want me to check your server and fix this issue, please contact me off-list - there's much to do with the default Cobalt installation, I have explored some really bad bugs there :|

(I am not sure it's Apache's fault actually. A bad handshake doesn't mean a critical error in software - it's just someone with a broken client.)

Best Regards,
Dmitry

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
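
The mismatch discussed in this thread, as an added example that is not part of the original messages: a small shell check that extracts the OpenSSL token from a Server banner and compares it with the `openssl version` output, since upgrading the system OpenSSL does not change the copy built into the Apache package. The function names are hypothetical; the sample input is the two strings quoted in the thread.

```sh
#!/bin/sh
# Added example. Compares the OpenSSL version in an HTTP Server banner with
# the version printed by the command-line `openssl version`.

# Print the version of product token $2 ("name/version") in banner $1.
# Returns 1 and prints nothing when the banner carries no such token.
banner_token_version() {
    v=$(printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F/ -v p="$2" '$1 == p { print $2; exit }')
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Print the version field from one line of `openssl version` output.
cli_openssl_version() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Report whether banner $1 and `openssl version` line $2 agree.
# Exit status: 0 match, 1 mismatch, 2 banner has no OpenSSL token.
compare_openssl() {
    cli=$(cli_openssl_version "$2")
    if ! linked=$(banner_token_version "$1" OpenSSL); then
        echo "unknown: banner has no OpenSSL token"
        return 2
    fi
    if [ "$linked" = "$cli" ]; then
        echo "match: $linked"
        return 0
    fi
    echo "mismatch: server=$linked cli=$cli"
    return 1
}

# Sample input: the two strings quoted in the thread above.
BANNER='Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6'
CLI_LINE='OpenSSL 0.9.7c 30 Sep 2003'
compare_openssl "$BANNER" "$CLI_LINE" || true
```

The banner string alone says nothing about backported fixes: the thread notes that the 0.9.6 bundled in Cobalt's package is a patched build.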
