Bug 1027592
| Summary: | Apache ServerToken has fake old (vulnerable) version number of openssl, which can confuse vulnerability scanning service. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | hkoba <buribullet> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | jkaluza, jorton, pahan, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-08 09:00:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
hkoba
2013-11-07 07:35:11 UTC
I think that's an OpenSSL bug. During my testing I've found out it returns the proper version with openssl-1.0.1e-4.fc19.x86_64:

Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.1e-fips

But after updating my system to the latest openssl-1.0.1e-30.fc19.x86_64, it started returning:

Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips

Reassigning to openssl.

Just checked some openssl patches added between those two versions and this one looks like the root of this problem: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1e-version.patch#n21

Rebuilding with the proper version in this patch shows the proper version also in httpd.

Just rebuilding apache with the openssl-1.0.1e-30.fc19 should help. There is no need to change the patch. The patch was added so the software compiled against the old openssl versions was not confused.

(In reply to Tomas Mraz from comment #4)
> Just rebuilding apache with the openssl-1.0.1e-30.fc19 should help. There is
> no need to change the patch. The patch was added so the software compiled
> against the old openssl versions was not confused.

Does this mean/imply that Fedora build servers are using old openssl versions?

(In reply to Tomas Mraz from comment #4)
> Just rebuilding apache with the openssl-1.0.1e-30.fc19 should help. There is
> no need to change the patch. The patch was added so the software compiled
> against the old openssl versions was not confused.

Rebuilding httpd fixes this issue, but I still think the patch is not right, because packages compiled against old versions apparently *are* confused - showing bad version info at least. If the rebuild is needed, maintainers should be informed.

They must show the bad version because they expect it. There are applications which compare the version string they were built against with the string that is returned by the library. If there is a difference bigger than the patchlevel (the letter after the minor version), they bail out. This was the reason the patch was added.
As in Red Hat Enterprise Linux we are often backporting security fixes and not rebasing, having vulnerability scanning software detect vulnerabilities by looking at the version string is broken anyway.
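The two comparisons the thread talks about, as an added illustration in Python (this is not code from the bug report, Fedora, httpd or OpenSSL): an application-side check that accepts a runtime library only when it differs from the build-time version in the patch letter, as Tomas describes, and a banner-matching check of the kind a scanning service applies to the `Server` header. The two headers are the ones quoted in the report; the function names, the version-string grammar `major.minor.fix[letter][-suffix]` and the `1.0.1e` baseline are assumptions made for the example.

```python
"""Added example: parse OpenSSL version tokens from an httpd Server header and
apply the two comparisons discussed in the bug. Not code from Fedora or OpenSSL."""
import re
from typing import NamedTuple, Optional

# Server headers quoted in the bug report: the same httpd binary before and
# after the openssl update.
HEADER_BEFORE = "Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.1e-fips"
HEADER_AFTER = "Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips"


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str    # patch letter(s) after the fix number, "" if absent
    suffix: str   # trailing tag such as "fips", "" if absent


# Assumed grammar: major.minor.fix, optional patch letters, optional "-suffix".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?$")


def parse_openssl_version(token: str) -> Optional[OpenSSLVersion]:
    """Parse strings like '1.0.1e-fips' or '1.0.0'; None for anything else."""
    m = _VERSION_RE.match(token.strip())
    if not m:
        return None
    return OpenSSLVersion(int(m[1]), int(m[2]), int(m[3]), m[4], m[5] or "")


def openssl_from_server_header(header: str) -> Optional[OpenSSLVersion]:
    """Pull the OpenSSL/<version> token out of an httpd Server header."""
    m = re.search(r"OpenSSL/(\S+)", header)
    return parse_openssl_version(m[1]) if m else None


def compiled_against_compatible(built: OpenSSLVersion, runtime: OpenSSLVersion) -> bool:
    """The rule described in the thread: an application built against `built`
    accepts `runtime` only if they differ in nothing more than the patch letter."""
    return (built.major, built.minor, built.fix) == (runtime.major, runtime.minor, runtime.fix)


def banner_older_than(header: str, baseline: str) -> Optional[bool]:
    """What a banner-matching scanner does: order the advertised version against
    a baseline. Returns None when the header carries no parseable OpenSSL token."""
    advertised = openssl_from_server_header(header)
    base = parse_openssl_version(baseline)
    if advertised is None or base is None:
        return None

    def key(v: OpenSSLVersion):
        return (v.major, v.minor, v.fix, v.patch)

    return key(advertised) < key(base)


if __name__ == "__main__":
    built = parse_openssl_version("1.0.1e")
    for header in (HEADER_BEFORE, HEADER_AFTER):
        v = openssl_from_server_header(header)
        print(header)
        print("  advertised:", v)
        print("  app built against 1.0.1e would accept it:", compiled_against_compatible(built, v))
        print("  scanner sees it as older than 1.0.1e:", banner_older_than(header, "1.0.1e"))
```

Running it shows the confusion the report is about: the rebuilt-against-old-headers httpd advertises `1.0.0` while the library on disk is `1.0.1e-30`, so `banner_older_than` says "older than baseline" even though nothing about the installed package changed. On a distribution that backports fixes without rebasing, the version string is not evidence either way; the installed package version (for example from the package manager) is the thing to check.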