So what are the next steps...is this being highlighted as a risk anywhere?
I am surprised that this doesn't get onto the main security page if it
is a risk...how else would anyone find out about it and take
preventative measures?
Regards,
Per
Phil Ehrens wrote:
Interesting. Must be an
One more thing. I can see this on 2.0.54 with OpenSSL at 0.9.7d on AIX
as well.
I think there is something masking this problem on other platforms, or I
have been building this in some weird and mysterious way you guys don't
do (highly unlikely I think).
Regards,
Per
Phil Ehrens wrote:
Phil,
Is it the way I am building Apache or is Linux or Solaris hiding this
symbol? I've checked this on a Gentoo build, but on my machine the
module has no symbols.
Details as below:
Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09
*
nm mod_ssl.so | grep SSL_get_shared_ciphers
.SSL_get_shared_ciphers
Interesting. Must be an Apache 2.2.X thing. The symbol
definitely does not appear in 2.0.55.
Per Olausson wrote:
Phil,
Is it the way I am building Apache or is Linux or Solaris hiding this
symbol? I've checked this on a Gentoo build, but on my machine the
module has no symbols.
Details
Phil Ehrens:
I just checked a couple different versions and did not see that
function.
I posted a question about this to the apache security mailbox, but
nobody responded. I guess that is in line with the policy for that
mailbox even if I find it somewhat unhelpful, considering that SSL
Per Olausson wrote:
Phil Ehrens:
I just checked a couple different versions and did not see that
function.
I posted a question about this to the apache security mailbox, but
nobody responded. I guess that is in line with the policy for that
mailbox even if I find it somewhat unhelpful,
Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
function from OpenSSL?
As you may know a buffer overflow has been detected in that
function in OpenSSL versions prior to 0.9.8d.
I'm trying to find out if Mod_SSL uses the vulnerable function.
Thanks in advance.
Stanley E. Laufer
Stanley Laufer wrote:
Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
function from OpenSSL?
As you may know a buffer overflow has been detected in that
function in OpenSSL versions prior to 0.9.8d.
I'm trying to find out if Mod_SSL uses the vulnerable function.
I just
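
The `nm mod_ssl.so | grep SSL_get_shared_ciphers` check discussed in this thread, as an added example that is not part of any post: it matches the exact symbol name (with or without the leading dot shown in the AIX output), separates an imported reference from a local definition, and reports an empty symbol table separately, since a stripped module prints nothing to plain `nm`. The function name `classify_symbol` and the sample `nm` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a module refers to one
# symbol, reading `nm` output on stdin. Exact-name match, unlike a bare grep.
classify_symbol() {
    awk -v sym="$1" '
        NF { seen = 1 }                  # nm printed at least one symbol line
        {
            hit = 0; kind = ""
            for (i = 1; i <= NF; i++) {
                name = $i
                sub(/@.*/, "", name)     # drop a GNU version suffix (name@VER)
                if (name == sym || name == ("." sym)) hit = 1   # ".name" as in the AIX output quoted above
                else if ($i ~ /^[A-Za-z]$/) kind = $i          # one-letter nm type column
            }
            if (!hit) next
            if (kind == "U") imp = 1         # undefined here: resolved from libssl at load time
            else if (kind != "") def = 1     # defined inside the module itself
            else bare = 1                    # name listed, type column not captured
        }
        END {
            if (!seen)     print "no-symbols" # stripped file: retry with nm -D (GNU binutils)
            else if (imp)  print "imported"
            else if (def)  print "defined"
            else if (bare) print "listed"
            else           print "absent"
        }'
}

# Constructed sample nm output (addresses and version tag are made up).
SAMPLE_GNU='                 U SSL_get_shared_ciphers@EXAMPLE_VER
                 U SSL_get_version
0000000000012340 T ssl_hook_Access'
SAMPLE_AIX='.SSL_get_shared_ciphers U           -'

printf '%s\n' "$SAMPLE_GNU" | classify_symbol SSL_get_shared_ciphers   # imported
```

An "imported" result only shows that the module links against the function; whether the installed OpenSSL is older than 0.9.8d still has to be checked separately.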