Getting rid of the Apache SLAPPER

Post by Ted Smi » Sat, 04 Jan 2003 03:21:42



I'm pretty new to this, so go easy :) I've detected the apache slapper
in my /tmp dir. I removed all those processes owned by apache. I
upgraded to OpenSSL 0.9.6h

#/usr/bin/openssl version
OpenSSL 0.9.6h  5 Dec 2002

I downloaded Apache 2.0.43, compiled, and installed.

But it is still showing this:

Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b on Linux

Why is that 0.9.6b still on there? What step did I miss?

Thanks a lot!!


Getting rid of the Apache SLAPPER

Post by Jeff Umbac » Sun, 05 Jan 2003 13:54:15


I've noticed this on my boxes as well.  I have a version of Apache 2.0 on
RedHat 8.0 that is not vulnerable but I compiled and installed OpenSSL9.6h
anyway and openssl version still tells me that the OpenSSL9.6b engine is
installed.

--
Jeff Umbach

> I'm pretty new to this, so go easy :) I've detected the apache slapper
> in my /tmp dir. I removed all those processes owned by apache. I
> upgraded to OpenSSL 0.9.6h

> #/usr/bin/openssl version
> OpenSSL 0.9.6h  5 Dec 2002

> I downloaded Apache 2.0.43, compiled, and installed.

> But it is still showing this:

> Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b on Linux

> Why is that 0.9.6b still on there? What step did I miss?

> Thanks a lot!!



Getting rid of the Apache SLAPPER

Post by Ted Smi » Sun, 05 Jan 2003 23:17:41


Could it be because OpenSSL was originally installed w/ an RPM but
when upgraded it was with source? I couldn't get an RPM upgrade to
work so I did a source recompile....

> I've noticed this on my boxes as well.  I have a version of Apache 2.0 on
> RedHat 8.0 that is not vulnerable but I compiled and installed OpenSSL9.6h
> anyway and openssl version still tells me that the OpenSSL9.6b engine is
> installed.

> --
> Jeff Umbach


> > I'm pretty new to this, so go easy :) I've detected the apache slapper
> > in my /tmp dir. I removed all those processes owned by apache. I
> > upgraded to OpenSSL 0.9.6h

> > #/usr/bin/openssl version
> > OpenSSL 0.9.6h  5 Dec 2002

> > I downloaded Apache 2.0.43, compiled, and installed.

> > But it is still showing this:

> > Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b on Linux

> > Why is that 0.9.6b still on there? What step did I miss?

> > Thanks a lot!!


Getting rid of the Apache SLAPPER

Post by John Thompso » Mon, 06 Jan 2003 02:34:17



> I've noticed this on my boxes as well.  I have a version of Apache 2.0 on
> RedHat 8.0 that is not vulnerable but I compiled and installed OpenSSL9.6h
> anyway and openssl version still tells me that the OpenSSL9.6b engine is
> installed.

Did you compile OpenSSL from a tarball or RPM?  If from tarball, did you
use the "--prefix=/usr" option or just go with the default (/usr/local)?  
Did you uninstall the old openssl-0.9.6b rpm package?

I suspect you have two versions of OpenSSL installed: RedHat's
openssl-0.9.6b in /usr and your new OpenSSL-0.9.6h in /usr/local.  If your
path is set up in a typical manner, apache will find the old installation
in /usr and not bother looking further for the new version in /usr/local.

Try running "locate bin/openssl" and see what shows up.  If it finds
openssl in two different locations, that's probably the problem.

I'd just recompile openssl as an rpm and use that to update your system.

--
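The diagnosis above (two OpenSSL installs, Apache picking up the old one) can be checked mechanically. The script below is an added example and not code from the thread: it pulls the install prefixes out of a `locate bin/openssl` listing, reads the libssl that `ldd` resolves for the httpd binary (or `modules/mod_ssl.so` when mod_ssl is a DSO), and compares the OpenSSL version in the Server banner with what `openssl version` on $PATH reports. The sample inputs are constructed from the values quoted in the thread, not captured from a real box; `live_check` is an assumed helper for running the same checks on a live system.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose "Apache still reports the old
# OpenSSL" after a source upgrade. Each check reads stdin so it can run on the
# constructed samples below or on live command output.

# Install prefixes of every openssl binary listed on stdin (one path per line,
# e.g. the output of `locate bin/openssl`). More than one line means more than
# one installation.
openssl_prefixes() {
    sed -n 's#/bin/openssl$##p' | sort -u
}

# Path of the libssl the dynamic loader resolved, taken from `ldd` output for
# httpd (or modules/mod_ssl.so). This is the library mod_ssl really uses,
# whatever `openssl version` on $PATH says.
linked_libssl() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3 }'
}

# OpenSSL version embedded in a Server banner such as
# "Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b".
banner_version() {
    sed -n 's#.*OpenSSL/\([0-9][0-9A-Za-z.]*\).*#\1#p'
}

# Version printed by `openssl version` ("OpenSSL 0.9.6h  5 Dec 2002").
cli_version() {
    awk '$1 == "OpenSSL" { print $2 }'
}

# diagnose LOCATE_OUTPUT LDD_OUTPUT BANNER CLI_OUTPUT
# Prints findings; returns 0 when everything is consistent and 1 when Apache
# is still tied to an OpenSSL other than the one on $PATH.
diagnose() {
    status=0
    n=$(printf '%s\n' "$1" | openssl_prefixes | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "multiple OpenSSL installations found:"
        printf '%s\n' "$1" | openssl_prefixes | sed 's/^/  /'
        status=1
    fi
    lib=$(printf '%s\n' "$2" | linked_libssl)
    echo "httpd links against: ${lib:-<no libssl: mod_ssl static or not loaded>}"
    want=$(printf '%s\n' "$4" | cli_version)
    have=$(printf '%s\n' "$3" | banner_version)
    if [ "$have" != "$want" ]; then
        echo "banner reports OpenSSL $have but the CLI on PATH is $want"
        status=1
    fi
    return $status
}

# Assumed helper: run the checks on the real system. The banner must be
# pasted from the Server header (httpd -v does not print the OpenSSL version).
#   live_check /usr/sbin/httpd 'Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b'
live_check() {
    httpd_bin=$1
    banner=$2
    binaries=$(find / -path '*/bin/openssl' -type f 2>/dev/null)
    diagnose "$binaries" "$(ldd "$httpd_bin")" "$banner" "$(openssl version)"
}

# Constructed sample input mirroring the thread (not captured from a system).
SAMPLE_LOCATE='/usr/bin/openssl
/usr/local/ssl/bin/openssl'
SAMPLE_LDD='    libssl.so.2 => /lib/libssl.so.2 (0x40123000)
    libcrypto.so.2 => /lib/libcrypto.so.2 (0x40150000)
    libc.so.6 => /lib/libc.so.6 (0x40200000)'
SAMPLE_BANNER='Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b on Linux'
SAMPLE_CLI='OpenSSL 0.9.6h  5 Dec 2002'
```

On the thread's own numbers `diagnose "$SAMPLE_LOCATE" "$SAMPLE_LDD" "$SAMPLE_BANNER" "$SAMPLE_CLI"` reports two prefixes (/usr and /usr/local/ssl), shows httpd resolving /lib/libssl.so.2 (the RedHat 0.9.6b library), and flags the 0.9.6b versus 0.9.6h mismatch; `ls -l` on the reported libssl path shows which real file the symlink points at.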



Getting rid of the Apache SLAPPER

Post by Ted Smi » Mon, 06 Jan 2003 08:44:41


I actually did install it with the prefix=/usr. I only have one
openssl binary, but I think I have a lot of the old libraries on the
server. I couldn't do RPM erase or update because of all these
conflicts (and I'm new to this).  Do you know if it is possible to
point apache2 to a specific openssl library, or something like that?
I see files like this:
/lib/libssl.so.0.9.6b  /lib/libssl.so.2  /lib/libss.so.2
/lib/libss.so.2.0

So those are the old openssl. Not sure how to clean that out and make
it use the new openssl?


> Could it be because OpenSSL was originally installed w/ an RPM but
> when upgraded it was with source? I couldn't get an RPM upgrade to
> work so I did a source recompile....


> > I've noticed this on my boxes as well.  I have a version of Apache 2.0 on
> > RedHat 8.0 that is not vulnerable but I compiled and installed OpenSSL9.6h
> > anyway and openssl version still tells me that the OpenSSL9.6b engine is
> > installed.

> > --
> > Jeff Umbach


> > > I'm pretty new to this, so go easy :) I've detected the apache slapper
> > > in my /tmp dir. I removed all those processes owned by apache. I
> > > upgraded to OpenSSL 0.9.6h

> > > #/usr/bin/openssl version
> > > OpenSSL 0.9.6h  5 Dec 2002

> > > I downloaded Apache 2.0.43, compiled, and installed.

> > > But it is still showing this:

> > > Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b on Linux

> > > Why is that 0.9.6b still on there? What step did I miss?

> > > Thanks a lot!!


Getting rid of the Apache SLAPPER

Post by John Thompso » Mon, 06 Jan 2003 12:54:30



> I actually did install it with the prefix=/usr. I only have one
> openssl binary, but I think I have a lot of the old libraries on the
> server. I couldn't do RPM erase or update because of all these
> conflicts (and I'm new to this).

Download the latest openssl tarball (openssl-0.9.7.tar.gz just came out a
week or so ago) and use the openssl.spec file included in the tarball to
build yourself the new openssl rpms.  To do this, extract openssl.spec
from the tarball and put it in /usr/src/redhat/SPECS, then copy the
tarball into /usr/src/redhat/SOURCES.  As "root" run "rpmbuild -bb
/usr/src/redhat/SPECS/openssl.spec" and three rpms will be generated:

/usr/src/redhat/RPMS/i386/openssl-0.9.7-1.i386.rpm
/usr/src/redhat/RPMS/i386/openssl-doc-0.9.7-1.i386.rpm
/usr/src/redhat/RPMS/i386/openssl-devel-0.9.7-1.i386.rpm

Use these to update your present openssl installation.  Once again, as
"root" run "rpm -Uvh /usr/src/redhat/RPMS/i386/openssl-*0.9.7-1.i386.rpm"
and all three rpms will be installed, your dependency conflicts resolved by
rpm and all should be good in the world.

--



Getting rid of the Apache SLAPPER

Post by Ted Smi » Tue, 07 Jan 2003 09:12:42


Awesome! Thanks for the detailed reply, John. I'm doing this now.

Best Wishes,

Teddy



> > I actually did install it with the prefix=/usr. I only have one
> > openssl binary, but I think I have a lot of the old libraries on the
> > server. I couldn't do RPM erase or update because of all these
> > conflicts (and I'm new to this).

> Download the latest openssl tarball (openssl-0.9.7.tar.gz just came out a
> week or so ago) and use the openssl.spec file included in the tarball to
> build yourself the new openssl rpms.  To do this, extract openssl.spec
> from the tarball and put it in /usr/src/redhat/SPECS, then copy the
> tarball into /usr/src/redhat/SOURCES.  As "root" run "rpmbuild -bb
> /usr/src/redhat/SPECS/openssl.spec" and three rpms will be generated:

> /usr/src/redhat/RPMS/i386/openssl-0.9.7-1.i386.rpm
> /usr/src/redhat/RPMS/i386/openssl-doc-0.9.7-1.i386.rpm
> /usr/src/redhat/RPMS/i386/openssl-devel-0.9.7-1.i386.rpm

> Use these to update your present openssl installation.  Once again, as
> "root" run "rpm -Uvh /usr/src/redhat/RPMS/i386/openssl-*0.9.7-1.i386.rpm"
> and all three rpms will be installed, your dependency conflicts resolved by
> rpm and all should be good in the world.


Getting rid of the Apache SLAPPER

Post by Jeff Umbac » Sun, 12 Jan 2003 07:50:49


Yeah, I found that the tar was defaulting to /usr/local/ssl when the
original RedHat included SSL packages were in /usr/bin and /usr/share/ssl.
When you run ./config you need to use the prefix and openssldir flags, so
the command goes ./config --prefix=/usr --openssldir=/usr/share/ssl

Then you just run make, make test, and make install and you're done.

--
Jeff Umbach



> > I've noticed this on my boxes as well.  I have a version of Apache 2.0 on
> > RedHat 8.0 that is not vulnerable but I compiled and installed OpenSSL9.6h
> > anyway and openssl version still tells me that the OpenSSL9.6b engine is
> > installed.

> Did you compile OpenSSL from a tarball or RPM?  If from tarball, did you
> use the "--prefix=/usr" option or just go with the default (/usr/local)?
> Did you uninstall the old openssl-0.9.6b rpm package?

> I suspect you have two versions of OpenSSL installed: RedHat's
> openssl-0.9.6b in /usr and your new OpenSSL-0.9.6h in /usr/local.  If your
> path is set up in a typical manner, apache will find the old installation
> in /usr and not bother looking further for the new version in /usr/local.

> Try running "locate bin/openssl" and see what shows up.  If it finds
> openssl in two different locations, that's probably the problem.

> I'd just recompile openssl as an rpm and use that to update your system.

> --
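Jeff's fix (pass `--prefix=/usr --openssldir=/usr/share/ssl` to ./config so the source build lands on top of the packaged install instead of /usr/local/ssl) can be derived from the packaged install itself rather than typed from memory. The script below is an added example, not code from the thread: it takes the prefix from the packaged binary's path and the OPENSSLDIR from `openssl version -d` (which prints a line of the form `OPENSSLDIR: "/usr/share/ssl"`), builds the two flags, and after `make install` checks that the new binary reports the same OPENSSLDIR as the old one. The sample values are constructed from the thread; `build_with_flags` is an assumed wrapper for the make steps and is never run automatically.

```shell
#!/bin/sh
# Added example (not from the thread): derive the ./config flags that make a
# source build of OpenSSL overlay Red Hat's packaged layout, and verify the
# result afterwards.

# Install prefix from the packaged binary's path ("/usr/bin/openssl" -> "/usr").
prefix_from_binary() {
    sed -n 's#/bin/openssl$##p'
}

# OPENSSLDIR from `openssl version -d` output, e.g.
#   OPENSSLDIR: "/usr/share/ssl"
openssldir_from_version() {
    sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# config_flags BINARY_PATH VERSION_D_OUTPUT
# Prints the two ./config flags; returns 1 if either value cannot be derived,
# so a caller never falls through to the /usr/local/ssl default by accident.
config_flags() {
    prefix=$(printf '%s\n' "$1" | prefix_from_binary)
    dir=$(printf '%s\n' "$2" | openssldir_from_version)
    [ -n "$prefix" ] && [ -n "$dir" ] || return 1
    printf '%s %s\n' "--prefix=$prefix" "--openssldir=$dir"
}

# layout_matches OLD_VERSION_D NEW_VERSION_D
# Returns 0 when the freshly built openssl reports the same OPENSSLDIR as the
# packaged one (so it picked up the existing openssl.cnf and certs), 1 when it
# went to the default /usr/local/ssl.
layout_matches() {
    old=$(printf '%s\n' "$1" | openssldir_from_version)
    new=$(printf '%s\n' "$2" | openssldir_from_version)
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Assumed wrapper for the build itself. Run from an unpacked openssl tarball
# with the packaged openssl still on PATH:
#   build_with_flags && layout_matches "$(openssl version -d)" "$(/usr/bin/openssl version -d)"
build_with_flags() {
    flags=$(config_flags "$(command -v openssl)" "$(openssl version -d)") || return 1
    # $flags is intentionally unquoted: it holds two separate arguments
    ./config $flags && make && make test && make install
}

# Constructed samples matching the thread (not captured from a system).
RPM_BINARY='/usr/bin/openssl'
RPM_VERSION_D='OPENSSLDIR: "/usr/share/ssl"'
DEFAULT_BUILD_VERSION_D='OPENSSLDIR: "/usr/local/ssl"'
```

With the thread's values `config_flags "$RPM_BINARY" "$RPM_VERSION_D"` yields exactly the flags Jeff gives, and `layout_matches "$RPM_VERSION_D" "$DEFAULT_BUILD_VERSION_D"` fails, which is the situation Ted and Jeff started from: a build that went to /usr/local/ssl while Apache kept using the libraries under /usr.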