1 |
On 04/28/14 20:13, Tom Wijsman wrote: |
2 |
>On Mon, 28 Apr 2014 10:02:52 -0600 |
3 |
>Joseph <syscon780@×××××.com> wrote: |
4 |
> |
5 |
>> On 04/28/14 09:17, Joseph wrote: |
6 |
>> >Which program do I upgrade to fix Heartbleed bug? |
7 |
>> > |
8 |
>> >http://safeweb.norton.com/heartbleed/ |
9 |
>> >is showing me my server is vulnerable. |
10 |
>> >I'm using dev-libs/openssl-0.9.8y |
11 |
>> > |
12 |
>> >Why "safeweb.norton" is triggering my server vulnerable? |
13 |
>> |
14 |
>> I'm using apache-2.2.25 |
15 |
>> Which file contain setting for: SSLCompression |
16 |
>> I'm trying to turn it off. |
17 |
> |
18 |
>Unaffected according to: |
19 |
> |
20 |
> http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml |
21 |
> |
22 |
>Perhaps all you need to do is restart the Apache service? |
23 |
> |
24 |
>-- |
25 |
>With kind regards, |
26 |
> |
27 |
>Tom Wijsman (TomWij) |
28 |
>Gentoo Developer |
29 |
> |
30 |
>E-mail address : TomWij@g.o |
31 |
>GPG Public Key : 6D34E57D |
32 |
>GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D |
33 |
|
34 |
No, I was wrong. I had both version istalled: 0.9.8y and 1.0.1f |
35 |
and the one that was in use was buggy one: 1.0.1f |
36 |
I recompile 1.0.1f without tls-heartbeat and the problem is solved. |
37 |
|
38 |
dev-libs/openssl |
39 |
Available versions: |
40 |
(0.9.8) 0.9.8y |
41 |
(0) 1.0.0j 1.0.1f |
42 |
{bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib} |
43 |
Installed versions: 0.9.8y(0.9.8)(11:06:09 PM 10/18/2013)(sse2 zlib -bindist -gmp -kerberos -test) 1.0.1f(12:57:54 PM 03/21/2014)(sse2 tls-heartbeat zlib |
44 |
-bindist -gmp -kerberos -rfc3779 -static-libs -test -vanilla) |
45 |
|
46 |
But what puzzle me is when I downgraded it to 1.0.0j (uneffected version) I could not restart apache. I was getting an error: |
47 |
|
48 |
/etc/init.d/apache2 restart |
49 |
* apache2 has detected an error in your setup: |
50 |
apache2: Syntax error on line 125 of /etc/apache2/httpd.conf: Cannot load /usr/lib64/apache2/modules/mod_ssl.so into server: /usr/lib64/apache2/modules/mod_ssl.so: |
51 |
undefined symbol: TLSv1_1_client_method |
52 |
* ERROR: apache2 failed to stop |
53 |
|
54 |
|
55 |
|
56 |
-- |
57 |
Joseph |