
I have updated OpenSSL to version 1.0.1g on my Ubuntu 12.04.4 LTS:

user@server# dpkg -l |grep openssl
ii  openssl                              1.0.1-4ubuntu5.12                   Secure Socket Layer (SSL) binary and related cryptographic tools
ii  python-openssl                       0.12-1ubuntu2.1                     Python wrapper around the OpenSSL library

Question: Do I need to update Apache2 mod_ssl too? If yes, how?

user@server# strings /usr/lib/apache2/modules/mod_ssl.so | grep -i "openssl"
OPENSSL_add_all_algorithms_noconf
OPENSSL_load_builtin_modules
OPENSSL_1.0.1
OPENSSL_1.0.0
SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
OpenSSL 1.0.1 14 Mar 2012
OpenSSL
AH01894: Unable to initialize TLS servername extension callback (incompatible OpenSSL version?)
AH01913: Unable to initialize TLS session ticket key callback (incompatible OpenSSL version?)
OpenSSL 1.0.1 14 Mar 2012

Apache2 version

user@server# dpkg -l |grep apache2
ii  apache2                              2.4.2-2~ppa1                        Apache HTTP Server
ii  apache2-bin                          2.4.2-2~ppa1                        Apache HTTP Server (binary files and modules)
ii  apache2-data                         2.4.2-2~ppa1                        Apache HTTP Server (common files)
ii  apache2-mpm-worker                   2.4.2-2~ppa1                        transitional worker MPM package for apache2
ii  apache2-utils                        2.4.2-2~ppa1                        Apache HTTP Server (utility programs for web servers)
rc  apache2.2-common                     2.2.22-1ubuntu1.4                   Apache HTTP Server common files
Jorge Castro

2 Answers


No, mod_ssl is an interface to OpenSSL, so it will not need any updates itself.

NGRhodes

I'm using Kali (BackTrack), which is based on Debian but still similar to Ubuntu.

I first upgraded openssl (apt-get install openssl), but after stopping and starting my apache2 web server, the vulnerability was still there (testing with ssltest.py by Jared Stafford, readily available on the web).

I found instructions saying that it is also necessary to upgrade "libssl", as follows: apt-get install libssl1.0.0

After that, and restarting my web server, the vulnerability is gone.

In general, openssl 1.0.1g is the minimum patched/safe version. Note that for Debian distributions, the minimum patched/safe version of both openssl and libssl1.0.0 is 1.0.1e-2+deb7u6. I don't know what the corresponding Ubuntu version would be.

In any case, there seems to be more to it than just upgrading openssl.
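A check that follows up on both answers, added here as an example; it is not part of either post. Two things the thread skips over: `dpkg -l | grep openssl`, as run in the question, does not match the libssl1.0.0 package that mod_ssl actually loads, and the "OpenSSL 1.0.1 14 Mar 2012" string inside mod_ssl.so is the header version the module was compiled against, not the library that gets mapped at run time. The script prints the installed openssl and libssl1.0.0 versions, shows which libssl/libcrypto files mod_ssl links to, and scans /proc/*/maps for processes that still have a replaced ("(deleted)") copy of libssl or libcrypto mapped, which is the state you are in if libssl1.0.0 was upgraded but Apache was only reloaded or never fully stopped and started. The module path is the one from the question; the sample maps content is constructed for the demo and the function names are my own:

```sh
#!/bin/sh
# Added example: verify that a patched libssl is really the one in use after
# "apt-get install openssl" / "apt-get install libssl1.0.0" / restart.
# The sample /proc maps text below is constructed; the package and module
# names are the ones from the thread.

MOD_SSL=/usr/lib/apache2/modules/mod_ssl.so   # path from the question

# Constructed /proc/<pid>/maps lines for an httpd worker started before the
# library upgrade. The kernel appends "(deleted)" when the file backing a
# mapping has been replaced on disk: the process still runs the OLD code even
# though dpkg already reports the new version.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1d8000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 08:01 1235 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1c800000-7f3a1c8ff000 r-xp 00000000 08:01 1236 /usr/lib/apache2/modules/mod_ssl.so
7f3a1cc00000-7f3a1cc1f000 r-xp 00000000 08:01 1237 /lib/x86_64-linux-gnu/libz.so.1.2.3.4 (deleted)'

# stale_ssl_mappings: read maps text on stdin and print each libssl/libcrypto
# object that is mapped from a deleted (i.e. since-replaced) file.
stale_ssl_mappings() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /lib(ssl|crypto)\.so/ { print $(NF-1) }' | sort -u
}

# installed_ssl_packages: "dpkg -l | grep openssl" (as in the question) does
# NOT match the package mod_ssl loads, libssl1.0.0. Query both by name.
installed_ssl_packages() {
    dpkg-query -W -f='${Package} ${Version}\n' openssl libssl1.0.0 2>/dev/null
}

# linked_ssl_libs: mod_ssl is dynamically linked; the "OpenSSL 1.0.1 14 Mar 2012"
# string inside the .so is the header version it was built against, not the
# library that will be loaded. ldd shows which files actually get mapped.
linked_ssl_libs() {
    ldd "$MOD_SSL" 2>/dev/null | awk '/lib(ssl|crypto)\.so/ { print $3 }'
}

# check_running_processes: scan every process; return 1 if any still maps a
# replaced libssl/libcrypto (it needs a full stop/start, not a graceful reload).
check_running_processes() {
    rc=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(stale_ssl_mappings < "$maps" 2>/dev/null) || continue
        if [ -n "$stale" ]; then
            printf 'PID %s (%s) still maps: %s\n' "$pid" \
                "$(cat "/proc/$pid/comm" 2>/dev/null)" \
                "$(printf '%s' "$stale" | tr '\n' ' ')"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample always; the live checks only with --live.
echo "stale SSL mappings in sample worker:"
printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_mappings
if [ "${1:-}" = "--live" ]; then
    installed_ssl_packages
    linked_ssl_libs
    check_running_processes && echo "no process maps a replaced libssl/libcrypto"
fi
```

Run it as `sh check-ssl.sh --live` on the server; with no argument it only runs the sample. The same /proc scan, generalised to every library, is what `checkrestart` from the debian-goodies package does.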