Please reply if you can.
This is a serious OpenSSL vulnerability.
Here is the log:
[Fri Nov 22 11:08:33 2002] [error] [client 164.77.208.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Nov 22 11:08:43 2002 : 64.86.0.229] domain silvercrest.ca rar 29 (24502)
[Fri Nov 22 11:08:46 2002] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:46 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:47 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:48 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:49 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake failed (server venus.cira.ca:443, client 164.77.208.74) (OpenSSL library error follows)
[Fri Nov 22 11:13:50 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)


server crash!!!!!
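The log above, read as a detection problem rather than a crash report: one client (164.77.208.74) runs nine handshakes to the mod_ssl timeout within eight seconds, a MaxClients event sits a few minutes earlier, and the single `key arg too long` line is OpenSSL's GET_CLIENT_MASTER_KEY check refusing an oversized SSLv2 key argument, that is, the server rejecting the message rather than falling over. The script below is an added example, not code from this thread or from the OpenSSL project: it re-joins the mail-wrapped records, counts handshake timeouts per client IP together with the first and last timestamp, and pairs each OpenSSL error with the handshake failure logged just before it. The embedded sample is the same log, kept in the line-wrapped form in which it reached the list so that `unwrap()` has something to repair; the threshold of five timeouts per client is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 error_log record: "[Fri Nov 22 11:13:42 2002] [error] <message>"
RECORD_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\] \[(?P<level>\w+)\] (?P<msg>.*)$")
TIMEOUT_RE = re.compile(r"mod_ssl: SSL handshake timed out \(client (?P<client>[\d.]+), server (?P<server>[^)]+)\)")
FAILED_RE = re.compile(r"mod_ssl: SSL handshake failed \(server (?P<server>[^,]+), client (?P<client>[\d.]+)\)")
# mod_ssl dumps the OpenSSL error queue right after a "handshake failed" record
OPENSSL_RE = re.compile(r"OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)")
MAXCLIENTS_RE = re.compile(r"server reached MaxClients setting")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# The log from the message, with the mail client's line wrapping left in place.
SAMPLE_LOG = """\
[Fri Nov 22 11:08:33 2002] [error] [client 164.77.208.74] client sent
HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Nov 22 11:08:43 2002 : 64.86.0.229] domain silvercrest.ca rar 29
(24502)
[Fri Nov 22 11:08:46 2002] [error] server reached MaxClients setting,
consider raising the MaxClients setting
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:46 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:47 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:48 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:49 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake failed (server
venus.cira.ca:443, client 164.77.208.74) (OpenSSL library error foll\\
ows)
[Fri Nov 22 11:13:50 2002] [error] OpenSSL: error:1406B458:SSL
routines:GET_CLIENT_MASTER_KEY:key arg too long
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client
164.77.208.74, server venus.cira.ca:443)
"""


def unwrap(text):
    """Re-join records a mail client wrapped: a continuation line does not start
    with '[', and a trailing backslash marks a hard wrap inside a word."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line)
        elif records[-1].endswith("\\"):
            records[-1] = records[-1][:-1] + line
        else:
            records[-1] += " " + line
    return records


def summarize(records, timeout_threshold=5):
    """Per-client handshake timeout counts plus the events logged around them."""
    timeouts, failures = Counter(), Counter()
    first_seen, last_seen = {}, {}
    openssl_errors, unparsed = [], []
    last_failed_client, maxclients_events = None, 0
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            unparsed.append(rec)  # e.g. the application line with " : 64.86.0.229"
            continue
        ts, msg = datetime.strptime(m["ts"], TS_FORMAT), m["msg"]
        if t := TIMEOUT_RE.search(msg):
            timeouts[t["client"]] += 1
            first_seen.setdefault(t["client"], ts)
            last_seen[t["client"]] = ts
        elif f := FAILED_RE.search(msg):
            last_failed_client = f["client"]
            failures[last_failed_client] += 1
        elif o := OPENSSL_RE.search(msg):
            # attribute the library error to the client whose handshake just failed
            openssl_errors.append((o["code"], o["func"], o["reason"], last_failed_client))
        elif MAXCLIENTS_RE.search(msg):
            maxclients_events += 1
    # a client at or above the threshold, with the span between its first and last timeout
    suspects = {c: {"timeouts": n, "seconds": int((last_seen[c] - first_seen[c]).total_seconds())}
                for c, n in timeouts.items() if n >= timeout_threshold}
    return {"timeouts": dict(timeouts), "failures": dict(failures), "openssl_errors": openssl_errors,
            "maxclients_events": maxclients_events, "suspects": suspects, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(unwrap(SAMPLE_LOG))
    for client, info in report["suspects"].items():
        print(f"{client}: {info['timeouts']} handshake timeouts in {info['seconds']}s")
    for code, func, reason, client in report["openssl_errors"]:
        print(f"OpenSSL {code} in {func}: {reason} (client {client})")
    print(f"MaxClients reached {report['maxclients_events']} time(s); {len(report['unparsed'])} unparsed record(s)")
```

The `[Fri Nov 22 11:08:43 2002 : 64.86.0.229] domain silvercrest.ca ...` line is not an Apache record at all and lands in `unparsed` instead of silently skewing the counts. A per-client count over a short window is the number you would feed into a firewall rule or a per-IP connection limit in front of httpd; raising MaxClients, as the log itself suggests, only moves the point at which one slow client exhausts the server.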

-----Original Message-----
From: ervin ruci [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 22, 2002 10:46 AM
To: Richard Levitte - VMS Whacker; [EMAIL PROTECTED]
Subject: RE: Beta 4 of OpenSSL 0.9.7


What is actually of greater urgency for me is an OpenSSL vulnerability that
allows clients to just open the connection and leave it hanging, hence
forcing my web server to reach its MaxClients setting and crash. This
problem was addressed by OpenSSL version g for the Linux platform, but on
Solaris the vulnerability still exists with this version. That's why I went
to try the beta version in the first place, hoping you would have taken care
of this.

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 21, 2002 4:32 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Beta 4 of OpenSSL 0.9.7


In message <[EMAIL PROTECTED]> on Thu, 21 Nov 2002
12:09:56 -0500, "ervin ruci" <[EMAIL PROTECTED]> said:

ruci> Tried Beta 4 of OpenSSL 0.9.7 and apache/mod_ssl. I can't restart the web
ruci> server.
ruci>
ruci> Syntax error on line 53 of /usr/local/apache+sharedmm/conf/httpd.conf:
ruci> Cannot load /usr/local/apache+sharedmm/libexec/libssl.so into server:
ruci> ld.so.1: /usr/local/apache+sharedmm/bin/httpd: fatal: relocation error: file
ruci> /usr/local/apache+sharedmm/libexec/libssl.so: symbol sk_new_null: referenced
ruci> symbol not found
ruci> ./apachectl start: httpd could not be started

Hmm, you probably need to set up LD_LIBRARY_PATH or similar to point
at /usr/local/apache+sharedmm/libexec, so libcrypto.so can be loaded
as well...

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
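Following up Richard's LD_LIBRARY_PATH hint with code, as an added example that is not from this thread or from the OpenSSL project: a `relocation error ... symbol not found` raised against libssl.so usually means the runtime linker resolved a different, older libcrypto.so than the one this libssl.so was built against, so the cure is to find out which copy gets picked before touching httpd.conf. The script parses `ldd` output to see which libcrypto is resolved, classifies it against the directory the module lives in, and asks the dynamic loader itself (via ctypes) whether that copy exports the symbol httpd complained about. The paths and the symbol are the ones from the quoted message; `SAMPLE_LDD` is constructed, and the shadowing copy under /usr/local/ssl/lib in it is invented for illustration.

```python
import ctypes
import os
import subprocess

# Paths and symbol from the quoted message (assumed for illustration).
MODDIR = "/usr/local/apache+sharedmm/libexec"
SYMBOL = "sk_new_null"

# Constructed sample of ldd output in the "name => path" shape that Solaris and
# GNU/Linux ldd share; the stale copy under /usr/local/ssl/lib is invented.
SAMPLE_LDD = """\
libssl.so.0.9.7 =>\t /usr/local/apache+sharedmm/libexec/libssl.so.0.9.7
libcrypto.so.0.9.7 =>\t /usr/local/ssl/lib/libcrypto.so.0.9.7
libsocket.so.1 =>\t (file not found)
"""


def ldd_resolutions(ldd_output):
    """Map each needed library name to the path ldd resolved, None if unresolved."""
    found = {}
    for line in ldd_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "=>":
            path = parts[2] if len(parts) > 2 and parts[2].startswith("/") else None
            found[parts[0]] = path
    return found


def pick(resolutions, stem):
    """Resolved path of the library whose soname starts with stem, e.g. 'libcrypto'."""
    for name, path in resolutions.items():
        if name.startswith(stem + "."):
            return path
    return None


def classify(path, expected_dir):
    """ok: the copy beside the module; stale: another copy shadows it; missing: none."""
    if path is None:
        return "missing"
    return "ok" if os.path.dirname(path) == expected_dir else "stale"


def exports_symbol(libpath, symbol):
    """Ask the dynamic loader itself: dlopen libpath and probe for symbol.
    libpath=None probes the running process (a handy sanity check)."""
    try:
        lib = ctypes.CDLL(libpath)
    except OSError:
        return False
    return hasattr(lib, symbol)


def diagnose(module, expected_dir, symbol, extra_path=None):
    """Run ldd on module, optionally with extra_path prepended to LD_LIBRARY_PATH,
    and report (resolved libcrypto, verdict, whether it exports symbol)."""
    env = dict(os.environ)
    if extra_path:
        old = env.get("LD_LIBRARY_PATH")
        env["LD_LIBRARY_PATH"] = extra_path + (":" + old if old else "")
    try:
        out = subprocess.run(["ldd", module], capture_output=True, text=True, env=env).stdout
    except FileNotFoundError:  # no ldd on this box
        out = ""
    path = pick(ldd_resolutions(out), "libcrypto")
    verdict = classify(path, expected_dir)
    has_symbol = exports_symbol(path, symbol) if path else False
    return path, verdict, has_symbol


if __name__ == "__main__":
    module = os.path.join(MODDIR, "libssl.so")
    # first as httpd sees it, then with the module directory put first as suggested
    for extra in (None, MODDIR):
        path, verdict, ok = diagnose(module, MODDIR, SYMBOL, extra)
        print(f"LD_LIBRARY_PATH={extra or '(unset)'}: libcrypto -> {path} [{verdict}], exports {SYMBOL}: {ok}")
```

A `stale` verdict with `exports sk_new_null: False` is the combination that produces exactly the ld.so.1 message in the quoted mail. Note that `exports_symbol` loads the library into the diagnosing process, so run it as an unprivileged user against libraries you already trust; for the httpd side, the fix belongs in the environment `apachectl` exports (or in the link-time run path of the module), not in every shell that happens to start the server.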
