----- Original Message -----
From: Eric Kingston <eri...@esreco.net>
Date: Fri, 12 Nov 2010 08:55:07 -0700
Subject: [us...@httpd] Apache failing to start after upgrade.
To: users@httpd.apache.org
Hi,
I'm hoping someone here can help. Our web server was recently scanned by a
security company to make sure we are PCI compliant. They found two
vulnerabilities, both related to the version of apache and openssl installed
on our server. In order to bring the server up to PCI compliance we had to
This is not an answer to your problem (I don't have any experience yet
with OpenSSL 1.0), but something to note. Many "security" companies that
scan web servers just blindly run some default scan that tries to check
software versions from a list of versions with known vulnerabilities. If
you are running the software from a package (such as a .deb or .rpm),
most vendors will release back patches to older versions that fix
security flaws in the software. For example, the Debian Stable branch
(Lenny) will not supply the latest version of apache or openssl, because
it came with a specific version when it was frozen as stable (in this
case Apache 2.2.9 and OpenSSL 0.9.8g). Does this mean you are vulnerable
to every security bug that was fixed in subsequent releases? Absolutely
not. Debian will release updates via their security update mirrors that
back patch many of those bug fixes (if not all of them). This holds true
for any Linux system that uses this model, such as RedHat EL. Many
"security" companies don't understand this and only go by "My security
scanning software says you're vulnerable, so you need to upgrade".
The better thing to find out from them is more specifically which CVE
their scan is complaining about so you can determine whether that had
already been patched in your version. Now, since you are running
FreeBSD, I'm not sure if they always just offer the latest source code
through ports and you are responsible for making sure you are running
the latest version or they have "locked down" versions with security
updates available. From that standpoint, I can't offer any first hand
experience (it seems like you've already done the basic checks like
verifying apache is linked to the correct OpenSSL module).
Good luck.
--
Justin Pasher
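The check Justin recommends (find out which CVE the scanner is complaining about, then see whether the distribution already backported that fix) as an added example, not code from this thread: it parses a constructed Debian-style package changelog and contrasts the verdict a naive upstream-version comparison gives with what the changelog actually says. The package name, the `+lennyN` revisions, the `CVE-0000-000N` placeholders and the `2.2.16` fixed-in version are all assumptions; only upstream 2.2.9 comes from the thread.

```python
import re

# Constructed sample in Debian changelog format (newest entry first). The CVE ids
# are placeholders and the "+lennyN" revisions are made up; 2.2.9 is the upstream
# version the thread mentions for Debian Lenny.
SAMPLE_CHANGELOG = """\
apache2 (2.2.9-10+lenny9) stable-security; urgency=high
  * Backport upstream fix for CVE-0000-0001.
 -- Security Team <security@example.org>  Wed, 15 Sep 2010 12:00:00 +0000
apache2 (2.2.9-10+lenny8) stable-security; urgency=high
  * Backport upstream fix for CVE-0000-0002.
 -- Security Team <security@example.org>  Mon, 08 Mar 2010 12:00:00 +0000
apache2 (2.2.9-10) unstable; urgency=low
  * New upstream release.
 -- Maintainers <maint@example.org>  Tue, 01 Jul 2008 12:00:00 +0000
"""

ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)

def parse_changelog(text):
    """Return [(version, body), ...] in file order, i.e. newest first."""
    matches = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append((m.group(2), text[m.end():end]))
    return entries

def upstream_version(debian_version):
    """Strip epoch and Debian revision: '1:2.2.9-10+lenny9' -> '2.2.9'."""
    return debian_version.split(":", 1)[-1].rsplit("-", 1)[0]

def naive_scanner_flags(installed_version, upstream_fixed_in):
    """What a version-matching scanner does: it only sees the upstream number."""
    as_tuple = lambda s: tuple(int(p) for p in s.split("."))
    return as_tuple(upstream_version(installed_version)) < as_tuple(upstream_fixed_in)

def fix_status(changelog_text, installed_version, cve):
    """Answer 'is this CVE fixed in the installed package?' from the changelog."""
    entries = parse_changelog(changelog_text)
    versions = [v for v, _ in entries]
    pattern = re.compile(r"\b" + re.escape(cve) + r"\b")
    fixing = next((i for i, (_, body) in enumerate(entries) if pattern.search(body)), None)
    if fixing is None:
        return "not in changelog"
    if installed_version not in versions:
        return "installed version not in changelog"
    # Newest first: the installed version is fixed if it sits at or above the fixing entry.
    return "fixed" if versions.index(installed_version) <= fixing else "vulnerable"
```

On a real Debian or RPM system the changelog text would come from `apt-get changelog <pkg>` or `rpm -q --changelog <pkg>` instead of the constructed string.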
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.