Sven Hartge:
> Jochen Spieker <m...@well-adjusted.de> wrote:
>
>> I have the most recent version and it still reports my system to be
>> vulnerable.
>
> Are you sure you restarted the right system? (Just asking, had the same
> problem today, was looking at a totally different system than the one I
> thought I was looking at.)

Yes, I am sure. :)

> Maybe apache is using a different libssl than the one from the system.
> What does "ldd /usr/lib/apache2/modules/mod_ssl.so" say?

Ah, thanks. I tried ldd on the apache binary already but that is not
linked against libssl.

$ ldd /usr/lib/apache2/modules/mod_ssl.so
        linux-vdso.so.1 =>  (0x00007ffffdd22000)
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fe3c8139000)
        libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fe3c7d42000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe3c7b25000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe3c779a000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe3c7596000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fe3c737e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe3c85d3000)

Thinking about this … what I actually use is mod_spdy which is not
linked against libssl. It probably has the same bug …

Yes, here it is:
https://code.google.com/p/mod-spdy/issues/detail?id=85

| Note that just disabling the spdy module in Apache won't work, because
| the SSL library itself is replaced. Easiest fix on Debian is to remove
| the mod-spdy package from the system (for now).

Thanks for helping me to find this. After removing mod-spdy-beta and
stopping and starting Apache, the test tools deem my system safe.

J.
-- 
I no longer believe in father christmas but have no trouble
comprehending a nuclear apocalypse.
[Agree] [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
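Added example, not part of the thread or of any project named in it: for each Apache module it reports whether `ldd` resolves a shared libssl or whether the file carries its own OpenSSL version banner, the case that `ldd` on mod_ssl.so alone did not reveal above. It assumes a bundled OpenSSL leaves its version text in the binary; `LDD` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. LDD and all function names are hypothetical.
LDD=${LDD:-ldd}

# Version banners compiled into a file, e.g. "OpenSSL 1.0.1c".
# Assumption: a bundled OpenSSL leaves its version text in the binary.
embedded_openssl() (
    LC_ALL=C grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" 2>/dev/null | sort -u
)

# Path of the shared libssl the loader would resolve for a file, if any.
dynamic_libssl() (
    "$LDD" "$1" 2>/dev/null | awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3 }'
)

# Classify one module: "dynamic <path>", "embedded <versions>" or "none".
# ldd is checked first because a dynamically linked module can also carry
# the banner of the OpenSSL headers it was compiled against.
classify_module() (
    lib=$(dynamic_libssl "$1")
    if [ -n "$lib" ]; then
        echo "dynamic $lib"
    else
        banner=$(embedded_openssl "$1" | paste -sd, -)
        if [ -n "$banner" ]; then
            echo "embedded $banner"
        else
            echo "none"
        fi
    fi
)

# Audit every module in a directory (default: the path used in the thread).
audit_modules() (
    dir=${1:-/usr/lib/apache2/modules}
    for f in "$dir"/*.so; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "${f##*/}" "$(classify_module "$f")"
    done
)

audit_modules "$@"
```

A module reported as `embedded` is not fixed by upgrading the system libssl package; its own package has to be updated or removed, followed by a full stop and start of Apache.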