Very Computer

> --
> Jeff Umbach


> > I'm pretty new to this, so go easy :) I've detected the apache slapper
> > in my /tmp dir. I removed all those processes owned by apache. I
> > upgraded to OpenSSL 0.9.6h

> > #/usr/bin/openssl version
> > OpenSSL 0.9.6h  5 Dec 2002

> > I downloaded Apache 2.0.43, compiled, and installed.

> > But it is still showing this:

> > Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b on Linux

> > Why is that 0.9.6b still on there? What step did I miss?

> > Thanks a lot!!

> > I've noticed this one my boxes as well.  I have a version of Apache 2.0 on
> > RedHat 8.0 that is not vulnerable but I compiled and installed OpenSSL9.6h
> > anyway and openssl version still tells me that the OpenSSL9.6b engine is
> > installed.

> > --
> > Jeff Umbach


> > > I'm pretty new to this, so go easy :) I've detected the apache slapper
> > > in my /tmp dir. I removed all those processes owned by apache. I
> > > upgraded to OpenSSL 0.9.6h

> > > #/usr/bin/openssl version
> > > OpenSSL 0.9.6h  5 Dec 2002

> > > I downloaded Apache 2.0.43, compiled, and installed.

> > > But it is still showing this:

> > > Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b on Linux

> > > Why is that 0.9.6b still on there? What step did I miss?

> > > Thanks a lot!!

> > I actually did install it with the prefix=/usr. I only have one
> > openssl binary, but I think I have a lot of the old libraries on the
> > server. I couldn't do RPM erase or update because of all these
> > conflicts (and I'm new to this).

> Download the latest openssl tarball (openssl-0.9.7.tar.gz just came out a
> week or so ago) and use the openssl.spec file included in the tarball to
> build yourself the new openssl rpms.  To do this, extract openssl.spec
> from the tarball and put it in /usr/src/redhat/SPECS, then copy the
> tarball into /usr/src/redhat/SOURCES.  As "root" run "rpmbuild -bb
> /usr/src/redhat/SPECS/opensll.spec" and three rpms will be generated:

> /usr/src/redhat/RPMS/i386/openssl-0.9.7-1.i386.rpm        
> /usr/src/redhat/RPMS/i386/openssl-doc-0.9.7-1.i386.rpm
> /usr/src/redhat/RPMS/i386/openssl-devel-0.9.7-1.i386.rpm

> Use these to update your present openssl installation.  Once again, as
> "root" run "rpm -Uvh /usr/src/redhat/RPMS/i386/openssl-*0.9.7-1.i386.rpm"
> and all three rpms will be installed, your dependacy conflicts resolved by
> rpm and all should be good in the world.

> > I've noticed this one my boxes as well.  I have a version of Apache 2.0
on
> > RedHat 8.0 that is not vulnerable but I compiled and installed
OpenSSL9.6h
> > anyway and openssl version still tells me that the OpenSSL9.6b engine is
> > installed.

> Did you compile OpenSSL from a tarball or RPM?  If from tarball, did you
> use the "--prefix=/usr" option or just go with the default (/usr/local)?
> Did you uninstall the old openssl-0.9.6b rpm package?

> I suspect you have two versions of OpenSSL installed: RedHat's
> openssl-0.9.6b in /usr and your new OpenSSL-0.9.6h in /usr/local.  If your
> path is set up in a typical manner, apache will find the old installation
> in /usr and not bother looking further for the new version in /usr/local.

> Try running "locate bin/openssl" and see what shows up.  If it finds
> openssl in two different locations, that's probably the problem.

> I'd just recompile openssl as an rpm and use that to update your system.

> --