So what are the next steps...is this being highlighted as a risk anywhere?

I am surprised that this doesn't get onto the main security page if it
is a risk...how else would anyone find out about it and take
preventative measures?

Regards,


Per

Phil Ehrens wrote:
> Interesting. Must be an Apache 2.2.X thing. The symbol
> definitely does not appear in 2.0.55.
>
> Per Olausson wrote:
>
>> Phil,
>>
>> Is it the way I am building Apache or is Linux or Solaris hiding this
>> symbol? I've checked this on a Gentoo build, but on my machine the
>> module has no symbols.
>>
>> Details as below:
>>
>> Apache/2.2.3
>> OpenSSL 0.9.8c
>> AIX 5200-09
>> nm mod_ssl.so | grep SSL_get_shared_ciphers
>> .SSL_get_shared_ciphers T 269028692
>> .SSL_get_shared_ciphers_139_116 t 269031772
>>
>> nm(1):
>>
>> T Global text symbol.
>> t Local text symbol.
>>
>> Regards,
>>
>>
>> Per
>>
>> Phil Ehrens wrote:
>>
>>> Per Olausson wrote:
>>>
>>>
>>>>> Phil Ehrens:
>>>>> I just checked a couple different versions and did not see that
>>>>> function.
>>>>>
>>>>>
>>>> I posted a question about this to the Apache security mailbox, but
>>>> nobody responded. I guess that is in line with the policy for that
>>>> mailbox even if I find it somewhat unhelpful, considering that SSL isn't
>>>> completely a rarity when using Apache.
>>>>
>>>> The reason I am concerned is because mod_ssl indirectly references
>>>> SSL_get_shared_ciphers. It is in use. You can see this if you use
>>>> something like nm and grep for this function.
>>>>
>>>> So is mod_ssl vulnerable? Is the functionality insulated and not
>>>> possible to trigger from the mod_ssl user scenario, or is it?
>>>>
>>>> If anyone has any ideas please let me know!
>>>>
>>>>
>>> The symbol is not defined in mod_ssl on any of my Linux or Solaris
>>> systems, all of which are running Apache-2.0.55. What version are
>>> you looking at?
>>> __________________________________________________ ____________________
>>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>> User Support Mailing List modssl-users@modssl.org
>>> Automated List Manager majordomo@modssl.org
>>>
>>>


>
>


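
The nm check discussed in this thread, written out as an added example that is not part of the original messages. A `T` or `t` entry means the function's code is linked into mod_ssl.so itself, so replacing the shared OpenSSL library alone does not replace that copy; a `U` entry means the module imports the function from a shared library at load time. The function name `classify_symbol` and the second sample are constructed for illustration.

```shell
#!/bin/sh
# classify_symbol NAME: read nm output on stdin and report how NAME appears.
# Accepts both layouts: "name type value" (the AIX output quoted in the thread)
# and "value type name" or "U name" (GNU/BSD nm default).
classify_symbol() {
    awk -v sym="$1" '
    # AIX prefixes a function code entry point with a dot.
    function is_sym(n) { return n == sym || n == ("." sym) }
    {
        type = ""
        if (NF >= 2 && length($1) == 1 && is_sym($2))      type = $1  # U name
        else if (NF >= 2 && length($2) == 1 && is_sym($1)) type = $2  # name T value
        else if (NF >= 3 && length($2) == 1 && is_sym($3)) type = $2  # value T name
        if (type == "T")      is_global = 1
        else if (type == "t") is_local = 1
        else if (type == "U") is_undef = 1
    }
    END {
        if (is_global)     print "defined-global"   # code is inside this module
        else if (is_local) print "defined-local"    # code is inside, not exported
        else if (is_undef) print "undefined"        # imported from a shared library
        else               print "absent"           # not referenced, or stripped
    }'
}

# Sample 1: the two AIX nm lines quoted in the thread.
aix_sample='.SSL_get_shared_ciphers T 269028692
.SSL_get_shared_ciphers_139_116 t 269031772'

# Sample 2 (constructed): GNU nm layout for a module that imports the symbol.
gnu_sample='                 U SSL_get_shared_ciphers
0000000000012340 T example_local_function'

printf '%s\n' "$aix_sample" | classify_symbol SSL_get_shared_ciphers
printf '%s\n' "$gnu_sample" | classify_symbol SSL_get_shared_ciphers

# Against a real module:
#   nm mod_ssl.so | classify_symbol SSL_get_shared_ciphers
# On a stripped ELF module plain nm reports no symbols; nm -D lists the
# dynamic symbol table instead.
```

An "absent" result on a stripped module only says the regular symbol table is gone, so repeat the check with the dynamic table before drawing a conclusion.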