  1. #1
    Member
    Join Date
    May 2006
    Posts
    24

    Apache/mod_ssl vulnerability

    Hi, not sure where to post this, but this came through on the mailing list the other day. Might be worth taking note for all cPanel users and possibly rolling out as a forced update?

    CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation

    Summary:
    The Apache httpd webserver relies on OpenSSL for the implementation of
    the SSL/TLS protocol.

    We strongly urge you to upgrade to OpenSSL 0.9.8l; and to be prepared
    to deploy OpenSSL 0.9.8m as it becomes available[3].

    Note that these are for short term and mid-term mitigation only; the
    long term solution may well require a modification of the SSL and/or
    TLS protocols[4].

    For those who are not able to upgrade OpenSSL swiftly and/or for
    those who need detailed logging - we recommend that you roll out
    this patch[5]:

    Index of /dist/httpd/patches
    apply_to_2.2.14 CVE-2009-3555-2.2.patch
    sha1: 28cd58f3758f1add39417333825b9d854f4f5f43
    LQD Internet
    Mission Critical Internet Solutions
    Shared Hosting :: Reseller Hosting :: Webmail :: Virtual Private Servers
    www.lqdinternet.com

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,718
    cPanel/Enkompass Access Level

    Root Administrator

    Originally posted by haswalt:
    Hi, not sure where to post this, but this came through on the mailing list the other day. Might be worth taking note for all cPanel users and possibly rolling out as a forced update?

    CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation

    Summary:

    OpenSSL is not distributed by cPanel/WHM, it is supplied by your OS vendor. I recommend inquiring with your OS vendor to see if they have propagated a patch for this specific issue.

    On CentOS and RedHat Enterprise Linux, it is very likely that OpenSSL was not updated to the version you requested, but, instead a patch for this issue was backported to the version installed on the system. This means you still have an older version number, but the issue itself is resolved.

    This is not a request that falls under the umbrella of cPanel/WHM so I will archive this request.
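
A backported fix like the one described in the reply above leaves the version number unchanged, so the package changelog is the place to look for it. The following is an added example, not part of the original thread or of cPanel's code; it assumes the OS vendor cites the CVE ID in the RPM changelog, and the sample changelog and the function names `sample_changelog` and `cve_changelog_entry` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format `rpm -q --changelog <package>` prints.
# Packager, dates and version-release strings are made up for illustration.
sample_changelog() {
cat <<'EOF'
* Thu Nov 12 2009 Example Packager <pkg@example.com> - 0.9.8-EXAMPLE.2
- fix CVE-2009-3555 (backported patch, upstream version unchanged)

* Mon Jun 01 2009 Example Packager <pkg@example.com> - 0.9.8-EXAMPLE.1
- unrelated bug fix
EOF
}

# Read an RPM changelog on stdin and print the header line of each entry
# that mentions the CVE ID given in $1. The header carries the
# version-release that introduced the fix.
# Exit status is 1 if no entry mentions the CVE.
cve_changelog_entry() {
    awk -v cve="$1" '
        # A line starting with "* " opens a new changelog entry.
        /^\* / { header = $0; shown = 0; next }
        # First mention of the CVE inside an entry: report that entry once.
        header != "" && !shown && index($0, cve) {
            print header; shown = 1; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo on the constructed sample. On a real RPM-based host:
#   rpm -q --changelog openssl | cve_changelog_entry CVE-2009-3555
#   rpm -q --changelog httpd   | cve_changelog_entry CVE-2009-3555
sample_changelog | cve_changelog_entry CVE-2009-3555 \
    || echo "CVE-2009-3555 not mentioned in changelog"
```

An empty result only means the changelog does not name the CVE; the OS vendor's advisory remains the authoritative source for whether the installed release is fixed.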
