RHN ModSSL Backported Version question...

on 16.05.2003 18:24:37 by dan

Hi,

I currently have mod_ssl-2.0.40-11.3 installed on my server which came with
my Red Hat Linux 8, kernel 2.4.18-27.8.0 distribution disks. I noticed that
the most current version listed on the modssl.org site for mod_ssl is
2.8.14-1.3.27 and have a few questions if anyone could assist with I would
appreciate it much.

I'm on the Red Hat Network and receive errata bug fix and security
advisories - reports for mods on my server. Currently I don't have any bug
fix or security advisories for Mod_SSL. Should I be worried that I have an
older version according to the mod_ssl site and upgrade my current version
of mod_ssl?

Because someone told me that the red hat version numbers do not always match
the most current mod version numbers from their originating sources and that
the mod_ssl package that I currently have from rh should be ok because red
hat applies security fixes without changing the numbers or providing different
version numbers - backporting. Is this correct for modssl too? If so, how
would I find out if my version of RH mod_ssl is safe?

If I do upgrade mod_ssl to the most current version listed on the modssl.org
site, will it break anything or cause dependency issues on the server?
Because I have five live e-commerce sites using mod_ssl and Thawte
certificates, and I don't want to cause more trouble than I have. But of
course if having the old versions poses a security risk I guess I should
upgrade.

Any advice would be appreciated.

Thanks much.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
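
Added example (not part of the original thread): when fixes are backported the upstream version number stays the same, so the package changelog is where a fix becomes visible. The shell function below reads `rpm -q --changelog` text and reports the oldest package release whose entry mentions each advisory ID; the sample changelog, the CAN-0000-000x IDs and the assumption that every entry header ends with version-release are constructed for illustration.

```shell
#!/bin/sh
# Usage on a real system (IDs come from the vendor's advisories):
#   rpm -q --changelog mod_ssl | changelog_fixes <ID> [<ID> ...]

# Print, for each advisory ID, the oldest changelog entry that mentions it.
# rpm lists entries newest first, so the last match seen is the oldest one.
changelog_fixes() {
    awk -v ids="$*" '
    BEGIN { n = split(ids, want, " ") }
    # Entry header, e.g. "* Wed Mar 12 2003 Name <mail> 2.0.40-11.3".
    # Assumption: the last field is the package version-release.
    /^\* / {
        date = $2 " " $3 " " $4 " " $5
        rel = $NF
        next
    }
    {
        for (i = 1; i <= n; i++)
            if (index($0, want[i]))
                hit[want[i]] = rel " (" date ")"
    }
    END {
        for (i = 1; i <= n; i++) {
            if (want[i] in hit)
                print want[i], "fixed-in", hit[want[i]]
            else
                print want[i], "not-mentioned"
        }
    }'
}

# Constructed sample in rpm changelog layout; names and IDs are placeholders.
sample_changelog() {
cat <<'EOF'
* Wed Mar 12 2003 Example Packager <packager@example.com> 2.0.40-11.3
- add security fix for CAN-0000-0002
- refresh the CAN-0000-0001 patch

* Mon Jan 20 2003 Example Packager <packager@example.com> 2.0.40-11.1
- backport fix for CAN-0000-0001 from a later upstream release

* Tue Sep 03 2002 Example Packager <packager@example.com> 2.0.40-8
- initial build of upstream 2.0.40
EOF
}
```

A "not-mentioned" result only means the changelog does not name the ID; the vendor's errata for the installed release remain the authoritative record.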

RE: RHN ModSSL Backported Version question...

on 16.05.2003 18:25:50 by John.Airey

> -----Original Message-----
> From: Dan [mailto:mod-ssl@catalpaweb.com]
> Sent: 16 May 2003 17:25
> To: modssl-users@modssl.org
> Subject: RHN ModSSL Backported Version question...
>
>
> Hi,
>
> I currently have mod_ssl-2.0.40-11.3 installed on my server which came with
> my Red Hat Linux 8, kernel 2.4.18-27.8.0 distribution disks. I noticed that
> the most current version listed on the modssl.org site for mod_ssl is
> 2.8.14-1.3.27 and have a few questions if anyone could assist with I would
> appreciate it much.
>
> I'm on the Red Hat Network and receive errata bug fix and security
> advisories - reports for mods on my server. Currently I don't have any bug
> fix or security advisories for Mod_SSL. Should I be worried that I have an
> older version according to the mod_ssl site and upgrade my current version
> of mod_ssl?
>
> Because someone told me that the red hat version numbers do not always match
> the most current mod version numbers from their originating sources and that
> the mod_ssl package that I currently have from rh should be ok because red
> hat applies security fixes without changing the numbers or providing different
> version numbers - backporting. Is this correct for modssl too? If so, how
> would I find out if my version of RH mod_ssl is safe?
>
> If I do upgrade mod_ssl to the most current version listed on the modssl.org
> site, will it break anything or cause dependency issues on the server?
> Because I have five live e-commerce sites using mod_ssl and Thawte
> certificates, and I don't want to cause more trouble than I have. But of
> course if having the old versions poses a security risk I guess I should
> upgrade.
>
> Any advice would be appreciated.
>
> Thanks much.
>
I think I've answered your question via the openssl-users list. Let me know
if I haven't.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Appeasement is the policy of being nice to a crocodile in the hope that he
will eat you last. (Winston Churchill)



Re: RHN ModSSL Backported Version question...

on 16.05.2003 18:29:17 by Mads Toftum

On Fri, May 16, 2003 at 12:24:37PM -0400, Dan wrote:
> I currently have mod_ssl-2.0.40-11.3 installed on my server which came with
> my Red Hat Linux 8, kernel 2.4.18-27.8.0 distribution disks. I noticed that
> the most current version listed on the modssl.org site for mod_ssl is
> 2.8.14-1.3.27 and have a few questions if anyone could assist with I would
> appreciate it much.
>
This is really becoming the most frequently asked question. The mod_ssl on
www.modssl.org is only for apache 1.3 - 2.8.14-1.3.27 works only with
apache-1.3.27. Your apache is from the 2.0 series and comes with mod_ssl
built in - so by having the most recent version of apache 2.0, you'll
also have the most recent mod_ssl for that apache. I don't know the specifics
of Red Hat's numbering scheme, but the most recent Apache/mod_ssl is 2.0.45.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall


Re: RHN ModSSL Backported Version question...

on 16.05.2003 18:54:20 by dufresne

Moving from redhat's packages to roll-your-own can be a nightmare; a
search of the list archives will turn up a lot of posts by John Airey to
this list on this very issue. mod-ssl is tied to openssl, which is tied
to openssh, so breaking one tie can unbind your whole setup. It's not a
pretty mess, and if you are patient, and willing to jump hoops, you can
accomplish it, but have plenty of soap and water handy...

Thanks,

Ron DuFresne


On Fri, 16 May 2003, Dan wrote:

> Hi,
>
> I currently have mod_ssl-2.0.40-11.3 installed on my server which came with
> my Red Hat Linux 8, kernel 2.4.18-27.8.0 distribution disks. I noticed that
> the most current version listed on the modssl.org site for mod_ssl is
> 2.8.14-1.3.27 and have a few questions if anyone could assist with I would
> appreciate it much.
>
> I'm on the Red Hat Network and receive errata bug fix and security
> advisories - reports for mods on my server. Currently I don't have any bug
> fix or security advisories for Mod_SSL. Should I be worried that I have an
> older version according to the mod_ssl site and upgrade my current version
> of mod_ssl?
>
> Because someone told me that the red hat version numbers do not always match
> the most current mod version numbers from their originating sources and that
> the mod_ssl package that I currently have from rh should be ok because red
> hat applies security fixes without changing the numbers or providing different
> version numbers - backporting. Is this correct for modssl too? If so, how
> would I find out if my version of RH mod_ssl is safe?
>
> If I do upgrade mod_ssl to the most current version listed on the modssl.org
> site, will it break anything or cause dependency issues on the server?
> Because I have five live e-commerce sites using mod_ssl and Thawte
> certificates, and I don't want to cause more trouble than I have. But of
> course if having the old versions poses a security risk I guess I should
> upgrade.
>
> Any advice would be appreciated.
>
> Thanks much.
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
