On Thu, Feb 21, 2008 at 8:58 AM, nitin dubey <[EMAIL PROTECTED]> wrote: > Hi, > > I have downloaded the sources of latest apache 2.2.8 that includes mod_ssl > as well. My concern is about the two vulnerabilities > (htp://www.securityfocus.com/bid/10736/info, > htp://www.securityfocus.com/bid/4189/info). I do not have any information > whether or not these two vulnerabilities still exist or have been fixed in > the mod_ssl provided with apache sources 2.2.8. > > After googling I could find out that these are solved in mod_ssl 2.8.19. > > Now to fix this I am thinking/trying the following: > - Check the version of mod_ssl bundled with apache 228. If this ver is > greater than 2.8.19 then these vulnerabilities must have been fixed. I do > not know how to determine the version of mod_ssl here. > > - Download the mod_ssl latest version from modssl.org and force (since > modssl.org does not provide sources for apache 2.x ver; it provides only for > apache 1.3.x series) its installation with latest apache 228 ver. Since, > mod_ssl version here is not built for apache 2.x series, I may end up > creating more problems for myself. >
Although the mod_ssl that is included in apache 2.x was originally based on the mod_ssl being referred to here, they are now two very different products. So the fact that they list mod_ssl (as distributed by Ralf) as being vulnerable for certain versions does not in any way mean that the mod_ssl included with apache 2 is vulnerable. If securityfocus thought that apache 2 was vulnerable, they would have specifically listed it. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
