OpenSSL problem: is mod_ssl also vulnerable?

[full-disclosure () lists netsys com (Roman Drahtmueller)]

> The key to the openssl issue is the same here, get fixed openssl sources,
> and recompile with them as the reference bases just as with mod-ssl
> appache 1.3.x.
>
> Now for those with less then trust worthy local users <smile>, and relying
> upon apache 1.3.x/mod-ssl/libmm compiles, there is the additional question
> of whther there is a new mm package available.

There is: Ralf Engelschall has published a new version. See

    Homepage: http://www.ossp.org/pkg/lib/mm/
    Release:   ftp://www.ossp.org/pkg/lib/mm/mm-1.2.0.tar.gz
    Patch:     ftp://www.ossp.org/pkg/lib/mm/mm-1.1.3-sec.patch

Again, same procedure as with mod_ssl/openssl: As long as your apache
module (/usr/lib/apache/libssl.so) is linked dynamically against the
openssl libraries and as long as your apache daemon (/usr/sbin/httpd) is
linked dynamically against libmm, you can simply update the respective
package that contains the library and restart the webserver, it should run
fine.

If you upgrade the version of one or more of the packages, you will have
to recompile.

> Thanks,
> Ron DuFresne

Thanks,
Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> // "You don't need eyes to see, |
  SuSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -