On Wednesday, 2002-09-18 at 16:26:27 +1000, Jeroen de Leeuw den Bouter wrote:
> > On my Woody machine, after I restarted httpd, I get
> >
> > 1.2.3.4 443 PATCHED: detects small overflow, but crashes (0.9.6e)

> 1.2.3.4 443 VULNERABLE: does not detect small overflow

> I don't get that number behind it btw...

The OpenSSL version is what the program thinks it found - the behaviour
is typical for 0.9.6e. This being a woody machine, the version is wrong.

I just remembered that I compiled Apache myself on that particular
machine, so I can't really speak for the Apache Debian package.

Can you please do a "ldd /usr/sbin/apache-ssl"? You should see something
like this (from a sarge machine):

        libm.so.6 => /lib/libm.so.6 (0x4001d000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4003e000)
        libdb.so.2 => /lib/libdb.so.2 (0x4006b000)
        libdb2.so.2 => /lib/libdb2.so.2 (0x40078000)
        libexpat.so.1 => /usr/lib/libexpat.so.1 (0x400b9000)
        libdl.so.2 => /lib/libdl.so.2 (0x400da000)
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400dd000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4010a000)
        libc.so.6 => /lib/libc.so.6 (0x401c4000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Then, identify the packages the SSL libraries come from:

  dpkg -S /usr/lib/libssl.so.0.9.6 /usr/lib/libcrypto.so.0.9.6
  libssl0.9.6: /usr/lib/libssl.so.0.9.6
  libssl0.9.6: /usr/lib/libcrypto.so.0.9.6

And check the version of that package:

  dpkg -l libssl0.9.6

Sarge:
  ii  libssl0.9.6    0.9.6e-1           SSL shared libraries

Woody:
  ii  libssl0.9.6    0.9.6c-2.woody.1   SSL shared libraries

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]                         |  http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be         |
| unsinkable. The designer had a speech impediment. He said: "I have      |
| thith great unthinkable conthept ..."                                   |
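The ldd / dpkg -S / dpkg -l sequence from the mail above, scripted as an added example (it is not part of the original thread): it pulls the libssl/libcrypto paths out of ldd output, asks dpkg which package owns each one and prints that package's installed version, and reports libraries no package owns, which is exactly the self-compiled case Lupe mentions. The embedded ldd output is the sarge listing quoted in the mail, used here as a constructed sample.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: which Debian package supplies
# the OpenSSL libraries a binary links against, and what version is installed.

# Read ldd output on stdin; print the resolved paths of libssl/libcrypto only.
# Lines like "statically linked" or "not a dynamic executable" match nothing.
ssl_libs_from_ldd() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ { print $3 }'
}

# Constructed sample: the sarge "ldd /usr/sbin/apache-ssl" output from the mail.
SAMPLE_LDD='        libm.so.6 => /lib/libm.so.6 (0x4001d000)
        libdl.so.2 => /lib/libdl.so.2 (0x400da000)
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400dd000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4010a000)
        libc.so.6 => /lib/libc.so.6 (0x401c4000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# For a real binary: resolve its SSL libraries to packages and versions.
check_binary() {
    bin=$1
    libs=$(ldd "$bin" 2>/dev/null | ssl_libs_from_ldd)
    if [ -z "$libs" ]; then
        echo "$bin: no dynamically linked libssl/libcrypto found" \
             "(static link, or not a dynamic executable?)"
        return 1
    fi
    for lib in $libs; do
        # dpkg -S exits non-zero for files no package owns, e.g. an OpenSSL
        # built from source under /usr/local; the version is then not dpkg's.
        pkg=$(dpkg -S "$lib" 2>/dev/null | cut -d: -f1 | head -n 1)
        if [ -n "$pkg" ]; then
            echo "$lib -> package $pkg"
            dpkg -l "$pkg" | awk '$1 == "ii" { print "    installed:", $2, $3 }'
        else
            echo "$lib -> not owned by any Debian package; check it by hand"
        fi
    done
}

# Usage: ./sslcheck.sh /usr/sbin/apache-ssl
if [ "$#" -gt 0 ]; then
    check_binary "$1"
fi
```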